Point-of-sale (POS) malware is a type of malicious software designed to infect POS terminals for the purpose of stealing payment data stored on magnetic stripes (magstripes) on the back of bank cards. In recent years, this type of malware has become less popular due to the protection mechanisms embedded in modern credit card processing systems in most countries. But it’s still alive. And it still represents a severe threat for individuals and businesses in regions where credit cards with magstripe are used as the main payment processing mechanism. One such country is the USA, which remains a desirable target for threat actors who seek to steal magstripe dumps.
On April 19, 2022, the Group-IB Threat Intelligence
identified a Command and Control (C2) server of the POS malware called MajikPOS
. The analysis of C&C revealed that it was poorly configured and the way it had been developed provided an ability to extract stolen credentials for further analysis. Group-IB Threat Intelligence experts analyzed the server and established that it also hosts a C2 administrative panel of another POS malware called Treasure Hunter
, which is also used to collect compromised credit card data. After analyzing the malicious infrastructure, Group-IB researchers retrieved information about the infected devices and the credit cards compromised as a result of this campaign. Since at least February 2021, the operators have stolen more than 167,000
payment records (as of September 8, 2022), mainly from the US. According to Group-IB’s estimates, the operators could make as much as $3,340,000
if they simply decide to sell the compromised card dumps on underground forums.
At the time of writing this blog, the panel remains active. As soon as we discovered it, the information was shared with a US-based financial threat-sharing organization and law enforcement agencies within the unit.
to collect card text data (bank card numbers, expiration dates, names of owners, addresses, CVVs) from eCommerce websites. Few cyber criminals are involved in collecting dumps (data stored on magnetic stripes on bank cards). The C2 server that hosted the panels for the two POS malware strains discovered by Group-IB stands out on account of the considerable collection of compromised payment records.
In this blog post, the Group-IB Threat Intelligence
team delved deep into the analysis of malware infrastructure and the information compromised as a result of the activity of the MajikPOS
and Treasure Hunter
samples discovered on the C2. In line with our mission to fight against cybercrime, we are publishing this report that could be particularly useful for anti-fraud analysts, threat intelligence researchers, and system administrators for POS devices, who can immediately leverage the information and mitigate the threat.