CyberWisdom Safe Harbor Commentary on UDPoS
Forcepoint says the UDPoS malware differs from the usual POS tools because it uses UDP-based DNS traffic to exfiltrate credit and debit card data past firewalls and other security controls. According to the company, it is one of the few new POS malware tools to appear recently.
In recent years, the United States, like many other countries, has moved away from magnetic-stripe cards to chip-and-PIN cards based on the Europay, Mastercard and Visa (EMV) standard. That transition has made it harder for criminals to use POS malware to steal payment card data the way they did in the massive Target breach of 2013.
However, malware like UDPoS shows that criminals still have opportunities to steal data from POS systems. For example, Trend Micro reported last year that MajikPOS, a POS malware family, was used to steal data from more than 23,300 payment cards. The retailer Forever 21, which is investigating a data breach, disclosed in November last year that malware had been found on some of its POS systems.
Forcepoint special investigator Luke Somerville said there is no evidence that UDPoS is currently being used to steal credit or debit card data. However, Forcepoint's testing shows that the malware does work as intended.
In addition, one of the command and control servers the malware communicates with was active while Forcepoint was investigating the threat. "[This] means that the author is at least ready to deploy such malware in the field," Somerville said.
Possible targets for the malware include POS systems in hotels and restaurants and any other location with a handheld device for swiping credit and debit cards.
Somerville said: "This malware targets Windows systems, which are typically variants of the Windows XP kernel, and large retailers that have not recently updated their systems may have hundreds or even thousands of vulnerable machines."
Forcepoint discovered the malware while investigating what appeared to be a LogMeIn service pack, which generated a large number of unusual DNS requests. The company's analysis of the malware showed that it contacted a command and control server that also had a LogMeIn-themed identity.
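The detection hook in the story is the one Forcepoint itself tripped over: a burst of unusual DNS queries from a host that should be doing very little name resolution. The script below is an added example, not code from Forcepoint or from the Dark Reading article, showing how a defender can triage resolver logs for the general pattern of data carried in DNS query names (many queries from one client to one registered domain, with long, high-entropy subdomain labels). The log format (`timestamp client qname qtype`), the sample lines, the domain names and the thresholds are all constructed assumptions; the sample traffic is generated here and is not UDPoS traffic.

```python
import math
import random
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_query(line: str):
    """Parse one constructed 'timestamp client qname qtype' log line.

    Returns (client, registered_domain, subdomain) or None for lines that are
    malformed or carry nothing below the registered domain. The registered domain
    is approximated as the last two labels; a real deployment would consult the
    public-suffix list instead.
    """
    parts = line.split()
    if len(parts) < 4:
        return None
    client, qname = parts[1], parts[2].rstrip(".").lower()
    labels = qname.split(".")
    if len(labels) < 3:
        return None
    return client, ".".join(labels[-2:]), ".".join(labels[:-2])


def find_dns_exfil_candidates(lines, min_queries=20, min_sub_len=24, min_entropy=3.0):
    """Return (client, domain) pairs whose query stream looks like DNS tunnelling.

    A pair is flagged when the client sent at least min_queries lookups under the
    same registered domain and the subdomain part was, on average, both long and
    high-entropy. Ordinary hostnames ("www", "mail") fail all three tests.
    """
    stats = defaultdict(lambda: {"count": 0, "sub_len": 0, "entropy": 0.0})
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        client, domain, sub = parsed
        s = stats[(client, domain)]
        s["count"] += 1
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
    hits = []
    for (client, domain), s in stats.items():
        n = s["count"]
        avg_len = s["sub_len"] / n
        avg_ent = s["entropy"] / n
        if n >= min_queries and avg_len >= min_sub_len and avg_ent >= min_entropy:
            hits.append({"client": client, "domain": domain, "queries": n,
                         "avg_subdomain_len": round(avg_len, 1),
                         "avg_entropy": round(avg_ent, 2)})
    return sorted(hits, key=lambda h: -h["queries"])


def constructed_log():
    """Build a constructed resolver log: one quiet host and one host that pushes
    sixty queries with 32-character hex labels under a single domain."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    lines = []
    for i, name in enumerate(["www.example.com", "mail.example.com", "cdn.example.org"]):
        lines.append(f"2018-02-08T10:00:{i:02d} 10.0.0.9 {name} A")
    for i in range(60):
        label = "".join(rng.choice("0123456789abcdef") for _ in range(32))
        seq = rng.randrange(1000)
        lines.append(f"2018-02-08T10:01:{i % 60:02d} 10.0.0.5 {label}.{seq:03d}.updates.example.net A")
    return lines


if __name__ == "__main__":
    for hit in find_dns_exfil_candidates(constructed_log()):
        print(hit)
```

Run against the constructed log, only the chatty host is reported. In practice the thresholds are tuned against a baseline of the environment's own resolver logs, and the flagged domain is then checked against the endpoint's process list, which is where a LogMeIn-themed service name on a machine that never installed LogMeIn would stand out.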
Somerville said there is no evidence that LogMeIn's remote access service or product was abused in any way as part of the malware deployment process. Rather, the authors of UDPoS appear to be using the LogMeIn brand as a disguise. He said: "The use of the names of legitimate products as the subject of documents and service names is, in fact, an attempt to limit the suspicion of the presence of these artifacts on infected computers."
Forcepoint does not yet know the process the malware authors use, or plan to use, to deliver UDPoS to point-of-sale systems. But the choice of the LogMeIn brand as a disguise is no accident: many retailers and other organizations use LogMeIn's software for remote management of their POS systems.
Given the filenames chosen, it is clear that the malware authors want to sneak their malware onto these systems in the guise of LogMeIn software updates, Somerville said.
LogMeIn this week warned its users not to fall for the scam. "According to our investigation, the purpose of the malware is to trick a savvy user into opening a malicious e-mail, link or file that may contain the name of LogMeIn," the company states.
UDPoS is disguised to appear like a LogMeIn service pack, Forcepoint says.
thumbnail courtesy of darkreading.com
If you would like to receive more of these curated safe harbor news alerts, subscribe to my mailing list, and come back soon to https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries.