Account Takeover Fraud , Cybercrime , Endpoint Security
POS Malware Using DNS to Steal Payment Card DataResearchers: Revamped Alina Trojan Targeting Windows-Based Devices
Fraudsters are using a revamped version of the Alina Trojan to target Windows-based point-of-sale devices to steal payment card data, according to Century Link's Black Lotus Labs.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
The malware operators are using unsecured DNS protocols for communication between the infected POS devices and their command-and-control server to exfiltrate the data, according to the report.
Many users of Windows-based POS machines restrict or lockdown ports and communication protocols, such as the HTTP protocol, to restrict access to these devices and the data that they contain. But the DNS protocol is sometimes overlooked or poorly secured, according to the report.
"DNS is often left available, and too commonly goes unmonitored," Black Lotus Labs notes. "This makes DNS an attractive choice for outbound communication in POS malware, including the exfiltrating of stolen credit card information. Malware authors encode the stolen information and issue a DNS query to the actor-controlled domain name."
A researcher with Black Lotus Labs tells Information Security Media Group that those targeted by the malware included a fast food restaurant, a financial services company, an ice cream shop, a gas station and a brewery.
Targeting POS Devices
The team at Black Lotus Labs first uncovered the malware infecting these Windows-based POS devices in April after noticing unusual queries made to a subdomain called domain akamai-technologies[.]com. These queries were payment card data being transferred from POS devices to the fraudsters’ command-and-control server. Further research found three other domains with similar DNS queries, the report adds.
"Research determined that the Alina POS malware was utilizing DNS - the function that converts a website name into an IP address - as the outbound communication channel through which the stolen data was exfiltrated," according to the report.
During a payment transaction, a POS device decrypts the data and temporarily saves the credit card data in unencrypted form. In an infected device, the malware searches the RAM for the unencrypted data and sends the information back to the fraudsters, according to the report.
The malware also uses an algorithm to verify that it's stealing legitimate payment card data taken from the device's RAM.
To exfiltrate the data, the fraudsters send a DNS query to a domain that they control, and the encoded data is then placed into this subdomain for the attackers to extract, the report states. The data can include payment card numbers, expiration dates and a seven-digit number that researchers have not yet decoded. Stolen payment data is usually sold in underground criminal markets, the report adds.
Researchers at Black Lotus Labs observed the volume of DNS queries increasing in January and continuing through May, according to the report.
The Alina Trojan, which was first discovered in 2012, has been used by fraud and cybercrime gangs to target U.S. retailers. Since it first appeared, the developers behind the malware have updated their tactics, techniques and procedures to keep their malicious code from being detected, according to the report.
The researchers note that while earlier versions of the malware used either HTTPS or a combination of HTTPS and DNS to exfiltrate data, fraudsters have now switched over to DNS exclusively as a way to avoid detection and steal data, the researchers say.
Other POS malware has resided on POS machines for long periods of time without detection. For example, in December 2019, convenience store chain Wawa found that malware that had been planted on POS devices at nearly all of its 850 location throughout had gone undetected for close to eight months (see: Wawa Stores: POS Malware Attack Undetected for 8 Months).