Uncovering the new modus operandi behind POS infections

In the cyber fraud world there are numerous ways of doing business. One of the best-known fraud activities, and one that has been alive for years, is credit card theft. Like any other business it has evolved and refined its techniques in order to survive and to maximize its Return on Investment (ROI).

In recent years, cyber criminals have been adopting new approaches that involve the use of malware to infect Point of Sale (POS) devices. This issue has been widely documented by the IT security community. Still, there is some confusion and misunderstanding about how the different gangs proceed in order to infect the POS devices of large companies, like Target.


Until now, gangs used to focus their efforts on looking for backdoors already installed on the target servers or, in a more aggressive way, on compromising the targeted server by exploiting its vulnerabilities. After the intrusion, the compromised server is controlled – and used – by the attacker to steal all the interesting information it contains, to try to infect the internal network and to target new possible POS devices.

With the aim of harvesting credit cards, a different approach has arisen in the last few years. The new modus operandi that we have observed and analyzed at Blueliv consists of the use of mass scanners to detect a well-known (and widely deployed) remote-access service used on POS devices, in this case pcAnywhere, which listens on port 5631 and is usually publicly accessible.

Once the service is detected, a brute-force attack is launched. Since the POS service is usually poorly configured, the gangs only need a small – really small – list of credentials, composed of usernames and passwords, in order to guess a valid pair and authenticate.

Keeping in mind that the mass scans are launched against wide ranges of IP addresses, more than a million, in different countries worldwide (Asia, Oceania, Europe, North America, Middle East), the potential fraud is huge.

Once they have access to the server they drop a piece of POS malware, in this case binaries from the Dexter family, whose main goal is to steal the card tracks – the data encoded on the magnetic stripe – which contain everything needed to clone the physical card. After harvesting, the malware sends all the stolen data to a Command and Control (C&C) server run by the fraudsters.
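The first two stages described above (a single source sweeping many hosts on the pcAnywhere port, then repeatedly connecting to one of them) leave a recognisable trace in perimeter logs. The following is an added example, not Blueliv's code, that flags both behaviours from constructed firewall log lines; the log format, the IP addresses and the two thresholds are assumptions.

```python
# Added example (not Blueliv's code); log format and thresholds are assumptions.
from collections import defaultdict
PCANYWHERE_PORT = 5631
SCAN_MIN_TARGETS = 5    # distinct hosts one source probes on 5631 (assumed threshold)
BRUTE_MIN_ATTEMPTS = 4  # connections from one source to one host on 5631 (assumed)

# Constructed sample log: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2013-11-01T10:00:01 198.51.100.7 203.0.113.10 5631 ACCEPT
2013-11-01T10:00:01 198.51.100.7 203.0.113.11 5631 ACCEPT
2013-11-01T10:00:02 198.51.100.7 203.0.113.12 5631 ACCEPT
2013-11-01T10:00:02 198.51.100.7 203.0.113.13 5631 ACCEPT
2013-11-01T10:00:03 198.51.100.7 203.0.113.14 5631 ACCEPT
2013-11-01T10:05:10 198.51.100.7 203.0.113.12 5631 ACCEPT
2013-11-01T10:05:11 198.51.100.7 203.0.113.12 5631 ACCEPT
2013-11-01T10:05:12 198.51.100.7 203.0.113.12 5631 ACCEPT
2013-11-01T10:06:00 192.0.2.5 203.0.113.12 443 ACCEPT
2013-11-01T10:07:00 198.51.100.9 203.0.113.20 5631 ACCEPT
"""

def parse_log(text):
    """Return (src, dst, dport) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        events.append((parts[1], parts[2], int(parts[3])))
    return events

def find_scanners(events):
    """Sources that touched >= SCAN_MIN_TARGETS distinct hosts on port 5631 (the sweep)."""
    hosts = defaultdict(set)
    for src, dst, dport in events:
        if dport == PCANYWHERE_PORT:
            hosts[src].add(dst)
    return {src: len(h) for src, h in hosts.items() if len(h) >= SCAN_MIN_TARGETS}

def find_brute_force(events):
    """(src, dst) pairs with >= BRUTE_MIN_ATTEMPTS connections on 5631 (credential guessing)."""
    counts = defaultdict(int)
    for src, dst, dport in events:
        if dport == PCANYWHERE_PORT:
            counts[(src, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= BRUTE_MIN_ATTEMPTS}

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("scan sources:", find_scanners(ev), "brute-force pairs:", find_brute_force(ev))
```

Against the sample, 198.51.100.7 is reported both as a scanner (5 hosts) and as brute-forcing 203.0.113.12 (4 connections), while the HTTPS traffic and the single probe from 198.51.100.9 stay below the thresholds.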

Xavier Galian and Jesus Olmos

Ecrime analysts at Blueliv
