Warning: using ticket-machines to surf Facebook and play videogames can lead to malware exploits
Fri 28 Nov 2014

A new strain of Point of Sale (POS) malware has been identified by LA-based cyber threat intelligence firm IntelCrawler. Identified by the less-than-catchy moniker “d4re|dev1|” (‘Daredevil’), the software targets electronic kiosks and ticket-vending devices, creating a backdoor that permits elaborate remote control of victim machines.
Though no direct correlation is stated between the malware infections found in ticket-machines, the fairly-technical report finds it worth mentioning that some operators have shown scant regard for the security of their financially sensitive devices:
“During ongoing POS investigations it was determined that some operators of Point-of-Sale terminals have violated their own internal security policies and have used their terminal for gaming and WEB-surfing, checking e-mail from it, sending messages, and viewing social networks. These cases have a common denominator of weak passwords and logins, many of which were found in large 3rd party credential exposures.”
d4re|dev1| uses RAM scraping, a technique which intercepts the data entered into the terminal via swiping in the brief time that the sensitive information is resident in the system’s RAM. The technique was used in the Target data breach in December of 2013, an incursion which gained access to the financial credentials of over 10mn of the company’s customers.
IntelCrawler assert that d4re|dev1| is capable of accessing data from POS systems including OSIPOS, Harmony WinPOS, Gemini POS and QuickBooks Point of Sale Multi-Store, and that systems used by mass-transit authorities have also been compromised by the malware. The company’s post provides several screenshots detailing the interception techniques:
“These kiosks,” explains the security company. “and ticket machines don’t usually house large daily lots of money like ATMs, but many have insecure methods of remote administration allowing for infectious payloads and the exfiltration of payment data in an ongoing and undetected scheme,”
The malware is apparently delivered via a very traditional hacking scenario of brute-forcing logins for remote-administrators. Once authorised, the attacker is free to amend underlying code and upload malicious files into the system.
Like most malware, d4re|dev1| can update itself on an ad hoc basis via remote payloads, with processes named hkcmd.exe and PGTerm.exe, and through Google Chrome, facilitating the installation of additional backdoors. In this way the incursion can obviate security policies and automated infrastructure detection systems.
According to IntelCrawler the cyber-criminals’ scope extends beyond exploits of individual machines. “They are looking for enterprise wide network environments,” the company reports. “having tens of connected devices accepting payments and returning larger sets of spoils to their C2 [command-and-control] servers.”