DareDevil PoS Malware Infects Ticket Machines and Electronic Kiosks

Veiled Threat

The malware disguises itself as a legitimate process, making it difficult to track. It can pose as Google Chrome or as PGTerm.exe, a process that appears to belong to the Pay&Go client, a payment software product. It can also masquerade as “hkcmd.exe,” a process that normally handles hot-key interception on systems with Intel graphics. The malware has not been limited to POS systems; it is also attacking mass transit systems and ATMs. Although the potential gain from ATMs and transit systems is smaller, security on them is much more lax than on POS systems, and the attackers may have believed they could remain in these systems for longer.
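The disguises named above all work the same way: a well-known image name is reused, but the binary runs from a location where the real program never lives. A simple detection is therefore to compare each process's on-disk path against the directory its name belongs in. The script below is an added example written for this article, not code from the article or from IntelCrawler; the expected-directory allow-list, the Pay&Go install path and the process snapshot are all constructed assumptions and should be tuned to the build of the terminal being checked.

```python
"""Detect process-name masquerading: a process whose image name matches a
well-known binary but whose on-disk path is not where that binary belongs.
Added example for this article; the allow-list and the sample process list
are constructed, not taken from the article."""
import ntpath

# Directories in which each legitimate image is expected on a Windows host.
# These are assumptions for the example; adjust them to your own terminal build.
EXPECTED_DIRS = {
    "chrome.exe": {
        r"c:\program files\google\chrome\application",
        r"c:\program files (x86)\google\chrome\application",
    },
    "hkcmd.exe": {r"c:\windows\system32"},
    # Hypothetical location for the Pay&Go client; the article gives no path.
    "pgterm.exe": {r"c:\program files\paygo\client"},
}


def normalize(path):
    """Lower-case, collapse separators and strip a trailing backslash so two
    spellings of the same directory compare equal (ntpath works on any OS)."""
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")


def is_masquerading(name, exe_path):
    """True if `name` is a watched image and `exe_path` lies outside every
    directory we expect it in. Image names we do not watch are never flagged."""
    expected = EXPECTED_DIRS.get(name.lower())
    if expected is None:
        return False
    actual_dir = normalize(ntpath.dirname(exe_path))
    return all(actual_dir != normalize(d) for d in expected)


def find_masquerades(processes):
    """processes: iterable of (pid, image name, full path to the executable).
    Returns the records whose path contradicts their image name."""
    return [(pid, name, path) for pid, name, path in processes
            if is_masquerading(name, path)]


# Constructed snapshot of a process list, not real telemetry from a terminal.
SAMPLE_PROCESSES = [
    (412, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    (988, "hkcmd.exe", r"C:\Windows\System32\hkcmd.exe"),
    (1530, "hkcmd.exe", r"C:\Users\Public\hkcmd.exe"),
    (2210, "chrome.exe", r"C:\ProgramData\Temp\chrome.exe"),
    (2777, "PGTerm.exe", r"C:\Program Files\PayGo\Client\PGTerm.exe"),
    (3001, "explorer.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, name, path in find_masquerades(SAMPLE_PROCESSES):
        print(f"suspicious: pid={pid} {name} running from {path}")
```

On a live host the snapshot would come from the process list (for example `tasklist` output or a Sysmon process-creation log) rather than the constructed list above; a path mismatch is a strong indicator but not proof, so treat hits as leads for hash and signature checks rather than as verdicts.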

Attacks

It is also unique in that it contains a feature to upload files, which lets it update itself if needed. Experts believe another use is to add more features in the future. Alternatively, the option can be used to drop new backdoors and tools on the compromised machine in order to move laterally across the network. This suggests that the cybercriminals are interested in stealing information from as many machines as possible, focusing on large networks that connect a high number of payment terminals, for increased profit. PoS malware is specifically designed to look for card data directly in the memory of the compromised system, where it sits unencrypted for a short period, for as long as verification of the payment information takes.

Security found wanting

Considering how heavily people and e-commerce businesses depend on POS systems for their business, one would expect these systems to have the best possible security mechanisms in place. Research following the discovery of DareDevil has busted this myth. One of the infected ticket vending machines was identified in August in Sardinia, Italy; the attackers obtained access by exploiting credentials for VNC (Virtual Network Computing). “These kiosks and ticket machines don’t usually house large daily lots of money like ATMs, but many have insecure methods of remote administration allowing for infectious payloads and the exfiltration of payment data in an ongoing and undetected scheme,” states IntelCrawler.