Three new POS sniffers: GMO JS Sniffer,DMSniff, & GlitchPOS

News by Bradley Barth

Newly discovered point-of-sale (POS) malware programs skim or scrape payment card information from e-commerce websites or in-store checkout terminals: GMO JS Sniffer, DMSniff and GlitchPOS.

Researchers in the last 48 hours have released a trio of reports, each of which details a newly discovered point-of-sale (POS) malware program that skims or scrapes payment card information from e-commerce websites or in-store checkout terminals.

At least two of these three new threats, GMO JS Sniffer and DMSniff, have already been observed actively attacking enterprises, while the third, GlitchPOS, has been spotted for sale on multiple dark web forums.

GMO

Discovered just this month by researchers at Group-IB, GMO is classified as a JavaScript-based sniffing tool — separate from, yet similar to the Magecart skimming tool that was responsible for several major data breach incidents last year affecting Ticketmaster and British Airways. However, this particular JS Sniffer tool specifically targets online stores running on the Magento open-source content management system and e-commerce platform.

A single line of malicious GMO code was found injected into the online stores of seven companies, six of which are based in the US. Victims include the international sports goods company FILA UK, designer housewares merchant Jung Lee NY, pest management company Forshaw, cosmetics seller Absolute New York, online supermarket Cajun Grocer, training equipment retailer Getfxd and the video editing store Safe Harbor Computers.

Citing data from Alexa.com, Group-IB says the six US-based stores receive about 350,000 monthly unique visitors. Meanwhile, FILA UK attracts roughly 140,000 unique eyes per month — meaning potentially thousands of its customers could have had their payment data intercepted and exfiltrated since the retailer was first compromised back in November 2018.

Based on the registration data of one of the malware’s command-and-control domains, Group-IB believes GMO has actually been active since May of last year.

"Cyber-criminals might have injected malicious code by either exploiting a vulnerability of Magento CMS… or simply by compromising the credentials of the website administrator using special spyware or cracking passwords with brute-force methods," explains Dmitry Volkov, CTO and head of threat intelligence at Group-IB, in a company blog post today, adding that GMO was named so "because the malware uses gmo[.]li host."

Volkov further notes that GMO can detect debugging tools like Firebug and Google Developer Tools, which helps it remain under the radar.
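The injection described above is a single script line added to a shop's checkout page. One defensive check a shop operator can run is a script inventory: parse the served HTML, compare every external script host against an allowlist and every inline script body against a set of known-good hashes, and flag anything unexpected. The following is an added example written for this article, not Group-IB's tooling or Magento code; the allowlisted hosts, the known-good inline snippet and the sample page (including the `skimmer.invalid` host standing in for the injected loader) are all constructed.

```python
"""Script inventory check for a checkout page (added example, constructed data)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the shop operator expects to serve script on the checkout page (constructed).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}

# SHA-256 of inline script bodies that belong to the theme (constructed known-good snippet).
KNOWN_GOOD_INLINE = b"window.dataLayer = window.dataLayer || [];"
ALLOWED_INLINE_HASHES = {hashlib.sha256(KNOWN_GOOD_INLINE).hexdigest()}


class _ScriptCollector(HTMLParser):
    """Collects src attributes of external scripts and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []   # src values of <script src=...>
        self.inline = []     # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)


def audit_scripts(html, page_host, allowed_hosts=ALLOWED_SCRIPT_HOSTS,
                  allowed_inline_hashes=ALLOWED_INLINE_HASHES):
    """Return a list of (finding_type, detail) tuples for scripts not on the allowlists."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        # urlparse handles absolute and protocol-relative (//host/path) URLs;
        # a relative path has no hostname and is served by the page's own host.
        host = urlparse(src).hostname or page_host
        if host not in allowed_hosts:
            findings.append(("unknown-script-host", src))
    for body in parser.inline:
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest not in allowed_inline_hashes:
            findings.append(("unknown-inline-script", digest[:16]))
    return findings


# Constructed checkout page: two legitimate scripts, one known-good inline snippet,
# one injected external loader and one injected inline line (stand-ins, not real skimmer code).
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="//skimmer.invalid/s.js"></script>
<script>var _0x1a = 1;</script>
</head><body><form id="checkout"></form></body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_CHECKOUT_HTML, "shop.example"):
        print(f"{kind}: {detail}")
```

Run this against a copy of the live checkout page on a schedule and diff the output against the previous run; a new finding is the signal to investigate, since a sniffer only needs one line of script to capture what the customer types into the form.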

"JS sniffers are a type of malware that remains poorly researched. Despite its simplicity, it is capable of causing massive financial and reputational damage to huge international corporations and therefore should not be underestimated," says Volkov. "And not only small online stores get affected, but also payment systems and banks whose clients suffer from payment data leaks."

Group-IB says it notified the six US companies of the attack and made multiple attempts to contact FILA UK.

DMSniff

Another POS malware, DMSniff, was recently caught stealing payment data from various unnamed small- and medium-sized businesses, after managing to remain undetected for about four years.

Discovered by researchers from Flashpoint, DMSniff is a rare example of a POS malware program that uses a domain generation algorithm to dynamically create lists of new C2 domains as a means of surviving takedowns and sinkholing attempts by authorities.

This particular malware affects in-store purchases, as opposed to those completed online. When customers swipe their cards through an infected terminal, the malware scrapes Track 1 and 2 magnetic stripe data before it’s encrypted and sent to the payment processor.

Each time the malware finds an interesting process, "it will loop through the memory sections to attempt to find a credit card number. Once a number is found, the bot will take the card data and some of the surrounding memory, packages it, and sends it to the C2," explain Flashpoint principal threat researchers Jason Reaves and Joshua Platt in a March 13 company blog post.

The attackers may have compromised retailers’ connected terminals via brute-force attacks launched against SSH connections, or possibly by scanning for and exploiting system vulnerabilities, Flashpoint suggests. (The malware can also theoretically be implanted by physically tampering with the terminals.)

Flashpoint has so far found 11 variants of DMSniff’s domain generation algorithm, all structured the same way, with the first two letters and multiplier values hardcoded into the algorithm. "The bot loops through the domain generation while rotating through a list of top-level domains… until it finds a server it can talk to," the researchers explain. "The data that was harvested by the bot to create a hostid is then sent off inside the user-agent."

In addition to its DGA techniques, the malware also protects itself through string encoding, notes Flashpoint, which recommends that organisations keep their appliances updated.
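The C2 behaviour Flashpoint describes, cycling one generated label through a list of top-level domains until a live server answers, leaves a characteristic trace in DNS logs: a burst of NXDOMAIN responses for the same second-level label under several TLDs from one terminal. The following detection over resolver log lines is an added example written for this article; it is not Flashpoint's code and does not reproduce the DMSniff algorithm. The log format, the source addresses and the query names are constructed, and the label/TLD split is the simple last-two-components approximation (it does not handle multi-part public suffixes such as co.uk).

```python
"""Flag hosts whose NXDOMAIN pattern looks like a DGA rotating through TLDs (added example)."""
import re
from collections import defaultdict

# Constructed resolver log format: "<timestamp> <client-ip> query=<name> rcode=<code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+query=(?P<name>\S+)\s+rcode=(?P<rcode>\w+)$"
)

# Constructed sample: 10.0.0.5 walks one generated label across TLDs until one resolves;
# 10.0.0.7 is a normal host with a single typo lookup.
SAMPLE_DNS_LOG = """
2019-03-13T10:00:01Z 10.0.0.5 query=qwrtzkp.com rcode=NXDOMAIN
2019-03-13T10:00:01Z 10.0.0.5 query=qwrtzkp.net rcode=NXDOMAIN
2019-03-13T10:00:02Z 10.0.0.5 query=qwrtzkp.org rcode=NXDOMAIN
2019-03-13T10:00:02Z 10.0.0.5 query=qwrtzkp.info rcode=NOERROR
2019-03-13T10:00:05Z 10.0.0.7 query=updates.example.com rcode=NOERROR
2019-03-13T10:00:06Z 10.0.0.7 query=gogle.com rcode=NXDOMAIN
""".strip().splitlines()


def split_name(name):
    """Return (second-level label, tld) for a query name, or (None, None) if too short."""
    parts = name.rstrip(".").lower().split(".")
    if len(parts) < 2:
        return None, None
    return parts[-2], parts[-1]


def analyse_dns(lines, min_tlds=3, min_nxdomain=20):
    """Per source IP: NXDOMAIN count, labels seen failing under >= min_tlds TLDs, and a verdict.

    A host is marked suspicious if any single label failed under min_tlds or more TLDs
    (the TLD-rotation signature) or if its total NXDOMAIN count exceeds min_nxdomain.
    """
    label_tlds = defaultdict(lambda: defaultdict(set))  # src -> label -> {tlds that NXDOMAINed}
    nx_count = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        label, tld = split_name(m["name"])
        if label is None:
            continue
        if m["rcode"] == "NXDOMAIN":
            nx_count[m["src"]] += 1
            label_tlds[m["src"]][label].add(tld)
    report = {}
    for src in set(nx_count) | set(label_tlds):
        rotated = sorted(lbl for lbl, tlds in label_tlds[src].items() if len(tlds) >= min_tlds)
        report[src] = {
            "nxdomain": nx_count[src],
            "rotated_labels": rotated,
            "suspicious": bool(rotated) or nx_count[src] >= min_nxdomain,
        }
    return report


def suspicious_sources(lines, **kwargs):
    """Convenience wrapper returning the sorted list of flagged source IPs."""
    return sorted(src for src, r in analyse_dns(lines, **kwargs).items() if r["suspicious"])


if __name__ == "__main__":
    for src, r in analyse_dns(SAMPLE_DNS_LOG).items():
        print(src, r)
```

Because the bot keeps rotating until something answers, the NOERROR response that ends the burst is the candidate C2 hostname; on a real resolver the next step is to pivot on that name and on every other client that asked for it.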

GlitchPOS

In a third blog post, researchers Warren Mercer and Paul Rascagneres from Cisco Systems’ Talos division describe GlitchPOS, a POS malware that was recently discovered for sale on a crimeware forum.

The first mention of GlitchPOS dates back to a 2 February forum post by Edbitss, who appears to be the same individual who is alleged to have previously developed DiamondFox L!NK, a versatile, modular botnet that debuted around 2015. In fact, Talos spotted several common traits between GlitchPOS and DiamondFox, including the use of VisualBasic as a programming language, shared terminology and similar panel dashboard displays. This suggests the developer reused old DiamondFox code in some places, Talos notes.

Edbitss offers to sell the malware for US$ 250 (£190), its builder for US$ 600 (£450) and its gate address change for US$ 80 (£60). (Talos subsequently found the malware for sale at a higher price on additional websites.) "The sale opened a few weeks ago, so we don’t know yet how many people bought it or use it," the blog post states.

The main payload is a small one with only a few core functions, including the ability to connect to the C2 server to receive instructions via encoded, shellcode-based commands, and the ability to steal Track 1 and 2 payment card data from the memory of infected systems. The malware is also protected by a packer — designed as a fake game with a user interface featuring pictures of cats — that ultimately decodes a library containing the real payload.
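Both DMSniff and GlitchPOS hunt for Track 1 and Track 2 magnetic-stripe data in the memory of the checkout system, which is exactly what an incident responder looks for in a memory dump or a disk image to confirm exposure. The following scanner is an added example written for this article, not code from Flashpoint, Talos or either malware family: it finds track-formatted strings in a byte buffer, confirms the account number with a Luhn check to cut false positives, and reports only a masked PAN and expiry. The buffer and the card numbers in it are constructed; 4111111111111111 is a widely used test number, and the second number is a deliberately invalid variant to show the Luhn filter.

```python
"""Find Track 1/Track 2 card data in a captured buffer (added example, constructed input)."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[A-Z /.'-]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\??")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\??")


def luhn_valid(pan):
    """Luhn mod-10 check on a string of digits; every other digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits, which is what a report may safely contain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf):
    """Return a list of findings: {"track", "offset", "pan_masked", "expiry"} for Luhn-valid PANs."""
    findings = []
    for track, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in pattern.finditer(buf):
            pan = m.group("pan").decode("ascii")
            if not luhn_valid(pan):
                continue  # digit runs that are not real account numbers are skipped
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": mask_pan(pan),
                "expiry": m.group("exp").decode("ascii"),
            })
    return findings


# Constructed buffer resembling a slice of process memory: junk bytes around one Track 1
# record, one Track 2 record for the same test card, and a Track 2 record with a bad Luhn digit.
SAMPLE_BUFFER = (
    b"\x00\x00pos.exe\x00"
    b"%B4111111111111111^DOE/JANE^25121010000000000?"
    b"\x00\x00\x00"
    b";4111111111111111=25121010000000000?"
    b"\x00"
    b";4111111111111112=2512101?"
    b"\x00\xff"
)

if __name__ == "__main__":
    for f in scan_buffer(SAMPLE_BUFFER):
        print(f)
```

The same regexes are what RAM scrapers apply to process memory, which is the point for a defender: if this scanner finds plaintext track data in a dump of the payment application, the terminal is holding card data unencrypted long enough for malware to read it, and point-to-point encryption at the reader is the fix the article's processors rely on.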

The developer even created a video demonstrating GlitchPOS’s ease of use to potential buyers. "This is a case where the average user could purchase all the tools necessary to set up their own credit card-skimming botnet," Talos warns.

This article was originally published on SC Media US.
