Dark Reading is part of the Informa Tech Division of Informa PLC

'Freakshow' Provides Inside Look At Real Malware Behind Big Breaches

Forensic specialists who investigated hacks of a hotel chain, casino, and restaurant share details on the sophisticated malware used to successfully steal confidential data

In the Las Vegas casino club's breach, the attackers planted an elusive keylogger that stole credit and debit card numbers. Even if the casino's IT staff had been running tools to look for suspicious programs, they wouldn't have found it, Ilyas says. "It was hidden from the system...we went in and found its processes running," he says. "The keylogger was just targeting the processed credit card transactions."

The casino had been hit by earlier malware infections and assumed it was clean after removing them. It was not: "In this case, their systems got infected with a couple of other things, and they had written them off as benign," Ilyas says. "This happens quite often as viruses are always floating around in corporate networks...The casino administrator saw something [more] was going on."

In the restaurant breach in Michigan, the establishment's server was infected with a bot and then used to help plant a malicious packet sniffer between the point-of-sale system and the server. The restaurant didn't encrypt its internal point-of-sale application traffic, so it became an easy mark for the attackers to steal its card data. They delivered the sniffer's configuration files over Internet Relay Chat (IRC).

The attack was more opportunistic than targeted -- the attackers had discovered an open port at the site while scanning the geographic area. "This sniffer attack is unique because of the IRC capability -- usually people use commercial sniffers, but this one was custom-designed," Percoco says. And the sniffer required the Microsoft .NET Framework, so the attackers downloaded .NET to the victim's machine.

"They had to upgrade the system to make it work."
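The restaurant's exposure came down to one fact: card data crossed the LAN in cleartext, so anything sitting between the POS and the server could read it. The check below is an added example, not code from the article or from the investigators. It runs the same kind of search a sniffer would over captured POS payload bytes, pulling out magnetic-stripe track-2 strings (the standard `;PAN=YYMM...?` layout) and bare 13-19 digit runs, and keeps only those that pass the Luhn mod-10 check so transaction IDs and timestamps are not reported as cards. The three frames are constructed, and the pipe-delimited STX/ETX message format, the field names and the token value are assumptions made for the example. Run it against your own capture and any finding means the traffic needs encryption or tokenization before it leaves the terminal.

```python
import re
from typing import Dict, List

# Track-2 data as read from a magnetic stripe: ;PAN=YYMM<service code><discretionary>?
# (Assumption for the example: the POS forwards raw track data to the server.)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d*)\??")
# A bare 13-19 digit run that is not part of a longer digit string.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check every real card PAN passes; filters out most IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so the finding itself is not cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(payload: bytes) -> List[Dict[str, object]]:
    """Return every Luhn-valid card number visible in one captured payload."""
    hits: List[Dict[str, object]] = []
    # Pass 1: full track-2 strings (PAN, expiry and service code together, the worst case).
    for m in TRACK2_RE.finditer(payload):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"kind": "track2", "pan": mask_pan(pan),
                         "expiry": m.group(2).decode(), "offset": m.start()})
    # Blank out the track-2 regions so their discretionary digits are not rescanned as PANs.
    rest = TRACK2_RE.sub(lambda m: b" " * len(m.group(0)), payload)
    # Pass 2: keyed-in or otherwise bare PANs.
    for m in PAN_RE.finditer(rest):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"kind": "pan", "pan": mask_pan(pan), "offset": m.start()})
    return hits


def scan_capture(frames: List[bytes]) -> List[Dict[str, object]]:
    """Scan a sequence of captured POS-to-server payloads and tag each hit with its frame index."""
    findings: List[Dict[str, object]] = []
    for idx, frame in enumerate(frames):
        for hit in find_cleartext_pans(frame):
            findings.append({"frame": idx, **hit})
    return findings


# Constructed sample frames (assumed pipe-delimited format, STX/ETX framing, test card numbers).
# Frame 0: swiped card, raw track 2 in the clear. TXN is a 16-digit ID that fails Luhn.
SWIPED_PLAINTEXT = b"\x02TXN=1234567890123456|;4111111111111111=25121011234567890?|AMT=004250|TID=POS07\x03"
# Frame 1: keyed-in PAN in the clear.
KEYED_PLAINTEXT = b"\x02TXN=1234567890123457|PAN=5555555555554444|EXP=2512|AMT=001999|TID=POS07\x03"
# Frame 2: the same transaction with the PAN replaced by a token; nothing for a sniffer to take.
TOKENIZED = b"\x02TXN=1234567890123457|TOK=9f3c1b7e0a5d2e44|EXP=2512|AMT=001999|TID=POS07\x03"

if __name__ == "__main__":
    for finding in scan_capture([SWIPED_PLAINTEXT, KEYED_PLAINTEXT, TOKENIZED]):
        print(finding)
```

The Luhn filter is what keeps a scan like this usable on a busy POS link: the 16-digit transaction IDs in the sample frames are never reported, while the 15- and 16-digit test card numbers are. It is a false-positive reducer, not a guarantee, so treat the output as a list of fields to inspect. The tokenized frame is the target state: once the PAN never appears on the wire, a sniffer in the restaurant's position collects nothing of value.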

Percoco and Ilyas, meanwhile, also plan to reveal a new, bleeding-edge generation of malware they call "credential malware," which is a rare but powerful tool for attacking kiosks, such as DVD rental machines. They wouldn't provide any details of the victim that was hit by the attack, but they used an example of a fictional video poker machine to illustrate it.

The attack initially requires physical access to the kiosk: someone posing as a repairman, for instance, could install the malware, which is aimed at stealing data from these types of closed-network devices. "The chances of getting data out via the Internet from these machines are very slim. The only way to get the data you're looking for is to go face-to-face with that device, and they have limited interfaces and no keyboards," Percoco says.

So malware writers have created special code that can use the limited controls available in a kiosk machine. "The malware has a password file embedded in this, and when it sees a particular string of data, it activates," he explains.

The researchers will demonstrate how specially crafted paper vouchers, such as those you get when you cash out of a slot machine, act as the interface to the poker machine in order to steal credit and debit-card data. "We've seen in some cases criminals getting jobs to repair machines or work in a restaurant to get the malware onto the [kiosk] system," he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
