Sometimes the little things can help cybercriminals separate their wares from the pack. It could be an uncommon feature in the malware itself, or it could just be a new way to market a familiar strategy.
In unrelated reports Wednesday, cybersecurity companies detailed DMSniff, which takes a new approach to remaining stealthy as it steals point-of-sale (POS) information from consumers, as well as GlitchPOS, which steals credit-card information in a familiar way but comes with an instructional video from its creators.
Threat intelligence company Flashpoint reports that DMSniff has quietly been in active use since 2016 thanks in part to a domain generation algorithm, which allows hackers to continue siphoning data from a web page even after police or researchers have taken hackers’ domain pages offline.
Flashpoint notes that the use of such an algorithm is “rarely seen” in the smash-and-grab world of POS malware, where thieves typically distribute malware to as many sites as possible and hope for an infection.
Even as scammers deploy more advanced tools like DMSniff, other groups are using more sensational marketing to sell tools that appear to borrow from existing code.
The GlitchPOS malware revealed by Cisco’s Talos research team is custom-designed code meant to steal credit card information from hacked machines’ memory for $250. The author of GlitchPOS apparently is the same hacker who built the DiamondFox L!NK botnet in 2015 and 2016, a tool that promised to allow buyers to steal credit data, password credentials, or launched a distributed denial-of-service attack.
What differentiates GlitchPOS from similar scams is that its author published an instructional video on how to use the malware, walking viewers through the scheme step-by-step.
A generation of scammers have relied on point-of-sale (POS) malware to access customer credit information from victims including e-commerce sites, and at credit terminals and gas pumps at brick-and-mortar locations. It’s effective, too. Retail POS terminals were the second-most breached assets in retail locations, after database servers, according to Verizon’s 2018 Data Breach Investigation Report.