New PoS Malware Ex-filtrates Credit Card Details via DNS Server

Researchers have identified a new strain of point-of-sale (PoS) malware that impersonates a LogMeIn service pack to steal credit card data via a DNS server.

According to security firm Forcepoint, the malware – dubbed “UDPoS” – is unusual in that it generates a large amount of UDP-based DNS traffic to exfiltrate magnetic strip payment card details.

“Nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications; however, DNS is still often treated differently, providing a golden opportunity to leak data,” explained Forcepoint in a detailed blog post.

Security researchers noted that, as of this writing, detection rates for the malware are still very low for the monitor component, citing that “visibility is always an issue with non-traditional malware.”

“Samples which do not target standard endpoints or servers can quite easily be missed because of the lack of focus on protecting these sorts of systems,” the researchers added.

Luke Somerville, head of special investigations at Forcepoint, told Dark Reading that the company has found no evidence showing UDPoS is currently being leveraged by cybercriminals.

Nonetheless, when analyzing the threat, one of the command and control servers communicating with the malware was active and responsive, which may suggest that the authors were at least prepared to deploy it in the wild, said Forcepoint.

LogMeIn issued an alert this week, warning users of the phishing scam:

This link, file or executable is not provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You will never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.

As always, users are advised to follow standard best practices to safeguard their accounts against phishing and social engineering, such as using two-factor authentication, setting strong passwords and remaining vigilant of suspicious activity.


via:  tripwire

Save pagePDF pageEmail pagePrint page

Leave a Reply

Your email address will not be published. Required fields are marked *