BlackPOS

BlackPOS, also known as Kaptoxa, is a point-of-sale malware program designed to be installed in a point of sale (POS) system to scrape data from debit and credit cards. BlackPOS was used in the Target Corporation data breach of 2013.^[1]^[2]

History[edit]

The BlackPOS program first surfaced in early 2013^[3] and affected many Australian, American, and Canadian companies using point-of-sale systems, such as Target and Neiman Marcus. The program was originally created by 23 year-old Rinat Shabayev and later developed by 17-year-old Sergey Taraspov, better known by his online name, 'ree4'.^[4] The original version of BlackPOS was sold on online black market forums by Taraspov, under the name "Dump Memory Grabber by Ree", for around $2000.^[5] The name BlackPOS was found in the software's administration panel.^[3]

Operation[edit]

BlackPOS infects computers running on Microsoft Windows that have credit card readers connected to them and are part of a POS system.^[6] After installation, the program attaches to the pos.exe process and scans its memory for track 1 and track 2 payment card data.^[7] The data is then exfiltrated via SMB to a server within the company, where another component collects it and sends it to the attacker via FTP.^[7]

BlackPOS only sends stolen information during business hours, to avoid raising suspicion by generating network traffic at unusual times.^[8]

Incidents[edit]

BlackPOS has been used to steal customer information from businesses worldwide. The most well-known attack was the 2013 Target security breach.

Target[edit]

During Thanksgiving break of November 2013, Target's POS system was infected with the BlackPOS malware. It was not until mid-December that the company became aware of the breach. The hackers were able to get into Target's systems by compromising a company web server and uploading the BlackPOS software to Target's POS systems. As a result of this attack, more than 40 million customer credit and debit card information, and more than 70 million addresses, phone numbers, names, and other personal information, was stolen. About 1800 U.S. Target stores were affected by the malware attack.^[9]

Neiman Marcus[edit]

Neiman Marcus, another well-known retailer, was affected as well. Their POS system was said to have been infected in early July 2013 and was not fully contained until January 2014. The breach is believed to have involved 1.1 million credit and debit cards over the span of several months. Although credit and debit card information was compromised, Neiman Marcus issued a statement saying that Social Security Numbers and birthdates were not affected.^[10]^[11]

Other companies[edit]

Other affected companies included UPS and Home Depot.^[12]^[13]

References[edit]

^ "BlackPOS involved in Target’s POS machines"
^ "Malware Behind Target Credit Card Thefts Identified"
^ ^a ^b "Researchers find new point-of-sale malware called BlackPOS". PCWorld. Retrieved 8 January 2023.
^ Kumar, Mohit. "23-Year-old Russian Hacker confessed to be original author of BlackPOS Malware". The Hacker News. Retrieved 2016-11-05.
^ "A First Look at the Target Intrusion, Malware — Krebs on Security". krebsonsecurity.com. Retrieved 2016-11-05.
^ Sun, Bowen. "A Survey of Point-of-Sale (POS) Malware". www.cse.wustl.edu. Retrieved 2016-11-05.
^ ^a ^b "POS Malware Revisted"
^ "An evolution of BlackPOS malware". Hewlett Packard Enterprise Community. 2014-01-31. Archived from the original on 2016-09-26. Retrieved 2016-11-05.
^ Matlack, Michael Riley MichaelRileyDC Benjamin Elgin Dune Lawrence DuneLawrence Carol (2014-03-17). "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It". Bloomberg.com. Retrieved 2016-11-05.
^ "Neiman Marcus data breach said to have started in July and not been fully contained until Sunday | Business | Dallas News". Dallas News. 2014-01-16. Retrieved 2016-11-05.
^ Perlroth, Elizabeth A. Harris, Nicole; Popper, Nathaniel (2014-01-23). "Neiman Marcus Data Breach Worse Than First Said". The New York Times. ISSN 0362-4331. Retrieved 2016-11-05.{{cite news}}: CS1 maint: multiple names: authors list (link)
^ "Backoff and BlackPOS Malware Breach Retailers Point of Sale Systems". www.wolfssl.com. 11 September 2014. Retrieved 2016-11-05.
^ "Exclusive: More well-known U.S. retailers victims of cyber attacks - sources". Reuters. 2017-01-12. Retrieved 2016-11-05.

[efta-1] "BlackPOS involved in Target’s POS machines"

[screentalker-2] "Malware Behind Target Credit Card Thefts Identified"

[pcworld-3] "Researchers find new point-of-sale malware called BlackPOS". PCWorld. Retrieved 8 January 2023.

[4] Kumar, Mohit. "23-Year-old Russian Hacker confessed to be original author of BlackPOS Malware". The Hacker News. Retrieved 2016-11-05.

[krebs-5] "A First Look at the Target Intrusion, Malware — Krebs on Security". krebsonsecurity.com. Retrieved 2016-11-05.

[:1-6] Sun, Bowen. "A Survey of Point-of-Sale (POS) Malware". www.cse.wustl.edu. Retrieved 2016-11-05.

[cyphort-7] "POS Malware Revisted"

[hpe-8] "An evolution of BlackPOS malware". Hewlett Packard Enterprise Community. 2014-01-31. Archived from the original on 2016-09-26. Retrieved 2016-11-05.

[9] Matlack, Michael Riley MichaelRileyDC Benjamin Elgin Dune Lawrence DuneLawrence Carol (2014-03-17). "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It". Bloomberg.com. Retrieved 2016-11-05.

[10] "Neiman Marcus data breach said to have started in July and not been fully contained until Sunday | Business | Dallas News". Dallas News. 2014-01-16. Retrieved 2016-11-05.

[11] Perlroth, Elizabeth A. Harris, Nicole; Popper, Nathaniel (2014-01-23). "Neiman Marcus Data Breach Worse Than First Said". The New York Times. ISSN 0362-4331. Retrieved 2016-11-05.{{cite news}}: CS1 maint: multiple names: authors list (link)

[:3-12] "Backoff and BlackPOS Malware Breach Retailers Point of Sale Systems". www.wolfssl.com. 11 September 2014. Retrieved 2016-11-05.

[13] "Exclusive: More well-known U.S. retailers victims of cyber attacks - sources". Reuters. 2017-01-12. Retrieved 2016-11-05.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]