BlackPOS explained

BlackPOS, also known as Kaptoxa, is a point-of-sale malware program designed to be installed in a point of sale (POS) system to scrape data from debit and credit cards. BlackPOS was used in the Target Corporation data breach of 2013.[1] [2]

History

The BlackPOS program first surfaced in early 2013[3] and affected many Australian, American, and Canadian companies using point-of-sale systems, such as Target and Neiman Marcus. The program was originally created by 23-year-old Rinat Shabayev and later developed by 17-year-old Sergey Taraspov, better known by his online name, 'ree4'.[4] The original version of BlackPOS was sold on online black market forums by Taraspov, under the name "Dump Memory Grabber by Ree", for around $2000.[5] The name BlackPOS was found in the software's administration panel.[3]

Operation

BlackPOS infects computers running on Microsoft Windows that have credit card readers connected to them and are part of a POS system.[6] After installation, the program attaches to the pos.exe process and scans its memory for track 1 and track 2 payment card data.[7] The data is then exfiltrated via SMB to a server within the company, where another component collects it and sends it to the attacker via FTP.[7]

BlackPOS only sends stolen information during business hours, to avoid raising suspicion by generating network traffic at unusual times.[8]
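The staging pattern described above (many POS hosts writing over SMB to one internal host, which then speaks FTP to the outside) can be hunted for in network flow logs. The following is an added example, not code from this page or from any BlackPOS analysis; it uses constructed flow records, assumed host addresses, and an assumed 09:00-21:00 business-hours window, and also counts how many of the suspicious flows fall outside that window to show why an off-hours-only alert would miss this malware.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("2013-12-02T10:15:00", "10.1.10.11", "10.1.20.5", 445, 48000),   # POS -> staging
    ("2013-12-02T10:16:00", "10.1.10.12", "10.1.20.5", 445, 51000),   # POS -> staging
    ("2013-12-02T11:02:00", "10.1.10.13", "10.1.20.5", 445, 47000),   # POS -> staging
    ("2013-12-02T12:30:00", "10.1.20.5", "203.0.113.10", 21, 150000), # staging -> external FTP
    ("2013-12-02T13:00:00", "10.1.10.11", "10.1.20.9", 445, 2000),    # POS -> normal file server
    ("2013-12-02T14:10:00", "10.1.30.7", "198.51.100.4", 21, 900),    # unrelated workstation FTP
]

POS_HOSTS = {"10.1.10.11", "10.1.10.12", "10.1.10.13"}  # assumed POS address inventory
INTERNAL = ipaddress.ip_network("10.0.0.0/8")            # assumed corporate range
BUSINESS_HOURS = range(9, 21)                           # assumed 09:00-20:59 local


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def off_hours(ts):
    return datetime.fromisoformat(ts).hour not in BUSINESS_HOURS


def find_staging_hosts(flows, pos_hosts, min_pos_sources=2):
    """Return internal hosts that receive SMB from several POS terminals
    and also open FTP sessions to external addresses."""
    smb_targets = defaultdict(set)   # internal SMB target -> set of POS sources
    ftp_out = defaultdict(list)      # internal source -> outbound FTP flows
    for ts, src, dst, port, nbytes in flows:
        if port == 445 and src in pos_hosts and is_internal(dst):
            smb_targets[dst].add(src)
        elif port == 21 and is_internal(src) and not is_internal(dst):
            ftp_out[src].append((ts, dst, nbytes))
    hits = {}
    for host, sources in smb_targets.items():
        if len(sources) >= min_pos_sources and host in ftp_out:
            hits[host] = {
                "pos_sources": sorted(sources),
                "ftp_destinations": sorted({d for _, d, _ in ftp_out[host]}),
                "off_hours_ftp_flows": sum(off_hours(t) for t, _, _ in ftp_out[host]),
            }
    return hits


if __name__ == "__main__":
    for host, info in find_staging_hosts(FLOWS, POS_HOSTS).items():
        print(host, info)
```

Hosts that merely receive SMB from POS terminals (a legitimate file server) or merely use FTP (a workstation) are not flagged; only the combination is.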

Incidents

BlackPOS has been used to steal customer information from businesses worldwide. The most well-known attack was the 2013 Target security breach.

Target

During the Thanksgiving period in November 2013, Target's POS system was infected with the BlackPOS malware. It was not until mid-December that the company became aware of the breach. The hackers gained access to Target's systems by compromising a company web server and uploading the BlackPOS software to Target's POS systems. As a result of this attack, the card details of more than 40 million customer credit and debit cards, together with the addresses, phone numbers, names, and other personal information of more than 70 million customers, were stolen. About 1800 U.S. Target stores were affected by the malware attack.[9]

Neiman Marcus

Neiman Marcus, another well-known retailer, was affected as well. Their POS system was said to have been infected in early July 2013 and was not fully contained until January 2014. The breach is believed to have involved 1.1 million credit and debit cards over the span of several months. Although credit and debit card information was compromised, Neiman Marcus issued a statement saying that Social Security Numbers and birthdates were not affected.[10] [11]

Other companies

Other affected companies included UPS and Home Depot.[12] [13]

Notes and References

  1. "BlackPOS involved in Target's POS machines". https://web.archive.org/web/20160813092736/http://efta.org/wp-content/uploads/2015/archive/efta_issue_768.pdf
  2. "Malware Behind Target Credit Card Thefts Identified". http://www.screentalker.org/2014/01/malware-behind-target-credit-card.html
  3. "Researchers find new point-of-sale malware called BlackPOS". PCWorld. Retrieved 8 January 2023.
  4. Kumar, Mohit. "23-Year-old Russian Hacker confessed to be original author of BlackPOS Malware". The Hacker News. Retrieved 5 November 2016.
  5. "A First Look at the Target Intrusion, Malware". Krebs on Security (krebsonsecurity.com). Retrieved 5 November 2016.
  6. Sun, Bowen. "A Survey of Point-of-Sale (POS) Malware". www.cse.wustl.edu. Retrieved 5 November 2016.
  7. "POS Malware Revisted". cyphort.com (archived). https://web.archive.org/web/20141222093136/https://www.cyphort.com/wp-content/uploads/2014/11/POS-Malware-Report-WEB.pdf
  8. "An evolution of BlackPOS malware". Hewlett Packard Enterprise Community, 31 January 2014. Archived from the original on 26 September 2016; retrieved 5 November 2016. https://web.archive.org/web/20160926042758/https://community.hpe.com/t5/Security-Research/An-evolution-of-BlackPOS-malware/ba-p/6359149#.V-ij08TP3qA
  9. Riley, Michael; Elgin, Benjamin; Lawrence, Dune; Matlack, Carol. "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It". Bloomberg.com, 17 March 2014. Retrieved 5 November 2016.
  10. "Neiman Marcus data breach said to have started in July and not been fully contained until Sunday". Dallas News, 16 January 2014. Retrieved 5 November 2016.
  11. Harris, Elizabeth A.; Perlroth, Nicole; Popper, Nathaniel. "Neiman Marcus Data Breach Worse Than First Said". The New York Times, 23 January 2014. ISSN 0362-4331. Retrieved 5 November 2016.
  12. "Backoff and BlackPOS Malware Breach Retailers Point of Sale Systems". www.wolfssl.com, 11 September 2014. Retrieved 5 November 2016.
  13. "Exclusive: More well-known U.S. retailers victims of cyber attacks - sources". Reuters, 12 January 2017. Retrieved 5 November 2016.