Alina Point of Sale Malware Threat Actors Using Unsecured DNS Connections to Exfiltrate Data
Threat actors are using malware to steal customer payment card information from point-of-sale (POS) terminals. The Alina Trojan uses available DNS connections on Windows-based POS terminals to exfiltrate payment card data, according to cyber security researchers at CenturyLink's Black Lotus Labs.
The malware, known as Alina Trojan, targets Windows-based point-of-sale (POS) devices to steal payment card data. It was first noticed in April of this year.
Credit card processing systems commonly run as Windows processes. The devices used to accept payments at retailers vary quite a bit; the POS terminal may even be a desktop computer that runs the POS application, especially at smaller retail locations.
POS terminals usually have HTTP traffic locked down or restricted for security reasons, but DNS is often left open. Alina malware uses this unmonitored DNS protocol on POS terminals to steal payment card information and send it to the threat actors.
The Domain Name System (DNS) is the service that converts a website name into an IP address. DNS is an easy mark for POS malware because this protocol is often left open and unmonitored, which lets malware use the connection to send stolen data back to cybercriminals. The malware encodes the stolen payment card information and issues a DNS query for a name under the threat actor's domain, exfiltrating the data from the infected POS terminal. The stolen data is carried in the subdomain of that query, from which the threat actors retrieve it.
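As an added example (not code from the article or from Black Lotus Labs), the following Python detector looks at the pattern just described from the defender's side: it scans DNS query logs for one host sending several long, high-entropy leftmost labels to the same base domain, which is what encoded data riding in DNS lookups tends to look like. The log format, host names, domain names and thresholds are all constructed placeholders or assumptions to be tuned per environment.

```python
import math
import re
from collections import Counter, defaultdict
# Constructed sample DNS query log lines: timestamp, source host, queried name.
# Domain names are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2020-06-01T10:00:01 pos-lane-01 www.example-retailer.test
2020-06-01T10:00:02 pos-lane-01 time.windows.com
2020-06-01T10:00:05 pos-lane-01 4a6f686e20446f652035343131e8f9c2b7d03a5b1c6e.collector-placeholder.test
2020-06-01T10:00:06 pos-lane-01 3039323531323334c5f8a3e1b7d26f4e9a0b7c1d5e82.collector-placeholder.test
2020-06-01T10:00:07 pos-lane-01 7b22636172644e756d626572223a22a9f0c8d1e4b5.collector-placeholder.test
2020-06-01T10:00:09 pos-lane-02 www.example-retailer.test
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(text):
    """Bits of entropy per character; hex-encoded payloads approach 4.0."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_name(qname):
    """(leftmost label, base domain); base domain approximated as the last two labels."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])

def analyze(log_text, min_label_len=24, min_entropy=3.0, min_unique=3):
    """Group queries by (host, base domain) and flag groups in which several
    distinct, long, high-entropy leftmost labels went to one base domain: the
    shape of encoded data riding in DNS queries rather than real name lookups."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip blank or malformed lines
            _, host, qname = m.groups()
            label, base = split_name(qname)
            groups[(host, base)].append(label)
    report = {}
    for key, labels in groups.items():
        encoded = {lab for lab in labels
                   if len(lab) >= min_label_len and shannon_entropy(lab) >= min_entropy}
        report[key] = {"queries": len(labels), "encoded_labels": len(encoded),
                       "suspicious": len(encoded) >= min_unique}
    return report

def suspicious_pairs(log_text):
    return sorted(k for k, v in analyze(log_text).items() if v["suspicious"])
```

A real deployment would replace the two-label base-domain approximation with a public-suffix list and feed it resolver or DNS-server query logs rather than an inline string.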
In 2019, the owners of Philadelphia-based WaWa convenience stores announced that malware had infected their point-of-sale terminals. Over 30 million payment cards were stolen, making it one of the largest data breaches of 2019. The malware had infected all WaWa point-of-sale terminals in stores and at fuel pumps from about March 2019 until it was discovered in December. The stolen bank card and credit card data later turned up for sale on a dark web marketplace called Joker's Stash.
Hackers make money by selling the stolen payment cards on the dark web.
“Due to the strict security restrictions applied to credit card processing, HTTP and other common outbound traffic may be highly restricted in these environments. However, DNS is often left available, and too commonly goes unmonitored,” according to Black Lotus Labs.
Earlier versions of Alina malware used both HTTPS and DNS to exfiltrate the stolen credit card information.
During a credit card transaction, the payment card data is decrypted and temporarily held in the machine's memory. Once a device is infected with Alina POS malware, the malware searches the RAM of the POS device for any unencrypted credit card data and sends it back to a server the hacker controls.
This type of malware is different from the MageCart malware that has been making the rounds. MageCart also steals customer payment card information, but it only affects online shopping carts, working quietly in the background unbeknownst to the website owners or the shopper.