A new point-of-sale software malware strain wants its victims to think it is a nondescript bit of code that computers and networks commonly use when surfing the Internet.
Uncovered by investigators at Austin, Texas-based Forcepoint, a data-security services provider, the malware, dubbed “UDPos” by Forcepoint, attempts to conceal its traffic in the data a computer sends when it looks up an Internet address, using the Domain Name System (DNS).
“It’s a piece of malware designed to steal credit card details,” Luke Somerville, Forcepoint head of special investigations, tells Digital Transactions News. More specifically, it looks for magnetic-stripe data. “Once it’s set up on a system, it looks in the computer’s memory and any other program that is running for track 1 and track 2 data.” This data contains information such as the cardholder’s name, the primary account number, expiration date, and verification characters.
So far, the malware appears to masquerade as an update for the popular LogMeIn online-conference software, but does not originate with that software. LogMeIn, which was contacted by Forcepoint about the deceitful malware, says its software is always updated within its product. “You will never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update,” says a LogMeIn blog post.
POS software operating on Windows computers is most at risk, Somerville says. He does not believe that handheld POS devices are likely targets of the malware. The risk is greater for markets heavily reliant on Windows-based POS software. A possible exception is POS software where the POS terminal bypasses the software and communicates directly, and securely, with the payment processor, in what is often called a semi-integrated approach. In chip-and-PIN transactions, which are used in Europe, the terminal reports only the success of the transaction to the POS software, Somerville says.
Every computer reaching a site on the Internet first performs a DNS lookup to find the site’s numerical Internet protocol address. DNS is fundamental to the Internet and can’t be outright blocked, Somerville says. “The malware uses fake DNS requests sent to one of its command-and-control servers,” he says. That is how it sends out the stolen data.
Organizations typically look at email and Web traffic to and from Web sites as places for criminals to operate in, not DNS requests, Somerville says. “A lot of people aren’t looking very closely at outgoing DNS requests. It gives the traffic a clever way to blend into the background noise,” he says.
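One defender-side way to surface the kind of outgoing DNS traffic Somerville describes, as an added example that is not part of this article or of Forcepoint’s tooling: a Python script that groups resolver queries by parent domain and flags domains whose leftmost labels are numerous, long and high-entropy. The log format, client addresses and domain names below are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs: "<epoch> <client> <qtype> <qname>".
# Lines 2-4 and 6 mimic the pattern described in the article: long, random-
# looking leftmost labels under one parent domain, each queried only once.
SAMPLE_LOG = """\
1518000001 10.0.0.5 A www.example.com
1518000002 10.0.0.5 A a91c7e0b3f5d6824c0ffee1199d2b7a4e6f3.updates.example.net
1518000003 10.0.0.5 A 5e3d2c1b0a9f8e7d6c5b4a3928171615f0e1.updates.example.net
1518000004 10.0.0.5 A d4c3b2a1f0e9d8c7b6a5948372615f4e3d2c.updates.example.net
1518000005 10.0.0.7 A mail.example.com
1518000006 10.0.0.5 A 0f1e2d3c4b5a69788796a5b4c3d2e1f00112.updates.example.net
1518000007 10.0.0.5 A cdn.example.org
"""

def shannon_entropy(text):
    """Bits of entropy per character: near 4.0 for random hex, near 2 for words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    # Assumption: the last two labels approximate the registrable domain.
    # Production code should consult the public suffix list instead.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def suspicious_domains(log_text, min_unique=3, min_len=20, min_entropy=3.0):
    """Return parent domains whose leftmost labels look like encoded data."""
    labels = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        qname = parts[3].lower().rstrip(".")
        labels[registered_domain(qname)].add(qname.split(".")[0])
    flagged = []
    for dom, names in sorted(labels.items()):
        if len(names) < min_unique:
            continue  # too few distinct subdomains to judge
        mean_len = sum(len(n) for n in names) / len(names)
        mean_ent = sum(shannon_entropy(n) for n in names) / len(names)
        if mean_len >= min_len and mean_ent >= min_entropy:
            flagged.append(dom)
    return flagged

if __name__ == "__main__":
    print(suspicious_domains(SAMPLE_LOG))
```

Thresholds are starting points; tune them against a baseline of your own resolver logs, since CDNs and some security products also generate long machine-made labels.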
While UDPos’s tactic of hiding stolen data inside DNS requests is not new, what does seem remarkable about this bit of malware is how well its developers built it. “The authors behind this have quite good operational security,” Somerville says. It betrays nothing that might identify its origin or the organizations it intends to target, he says.
No Forcepoint clients have fallen victim to this malware, Somerville says. How many other merchants might be affected is uncertain. Little is known about the malware because it hides its tracks well, he notes. “It seems as if the authors of this family of malware did their research, looked at what was successful in other POS malware families, and put it all together in a successful campaign.”
Somerville suspects the malware might have been used since 2016 in two known campaigns, but, “there may have been many more of them,” he says.