Crooks used point-of-sale (PoS) malware to steal 167k payment records worth over $3M, with the vast majority of the payment details coming from credit cards issued in the US.
Threat actors gathered the payment records from 212 infected PoS devices, mainly in the United States, say researchers at the cybersecurity firm Group-IB.
PoS malware infects PoS devices such as credit card readers retailers use. The ultimate goal is to steal data stored on the card’s magnetic stripes (magstripes). While the use of magstripes is dwindling worldwide, the payment method is widely used in the US.
According to Group-IB’s blog post, researchers discovered a poorly protected Command and Control (C2) server used for PoS malware dubbed MajikPOS. Further analysis determined that the same server was also used as a C2 admin panel for another strain of malware, Treasure Hunter.
“Both these malware panels contain information about stolen dumps and infected PoS devices. During the investigation, Group-IB specialists analyzed around 77,400 unique card dumps from the MajikPOS panel and about 90,000 from the Treasure Hunter panel,” reads the blog post.
97% of all payment details collected using MajikPOS malware, and 96% of details gathered via Treasure Hunter malware come from the US.
Researchers extracted the data, and discovered individuals behind the servers had stolen a whopping 167k payment records since February 2021. 160k credit cards in the whole batch come from cards issued in the US. Researchers estimate that threat actors could sell the compromised cards for $3.3M on underground forums.
The research shows that most compromised PoS devices are located in Texas (17), Missouri (14), Illinois (14), and Florida (13). There are one or more compromised PoS devices in over 20 more states.
“Given that the malware remains active at the time of writing this blog, the number of victims keeps growing. The Group-IB Team shared its findings with a US-based financial threat-sharing organization and LE within the unit, “researchers claim.
More from Cybernews:
Subscribe to our newsletter