- In contrast to other POS malware, DMSniff used a DGA (Domain Generation Algorithm) to create C&C servers.
- DMSniff employs a string-encoding routine to hide and evade detection.
Flashpoint researchers observed a Point-of-Sale malware dubbed ‘DMSniff’ that targets small and mid-sized businesses in the entertainment, hospitality, and food industry in order to steal credit card information from customers. Researchers noted that DMSniff malware is active since 2016.
Worth noting - In contrast to other POS malware, DMSniff used a DGA (Domain Generation Algorithm) to create C&C servers.
- This helps the malware to continue to communicate with the compromised POS device even if its domain is taken down by law enforcement authorities.
- This also helps the malware in bypassing authentication and blocking mechanisms.
Researchers detected 11 variants of the DGA (Domain Generation Algorithm).
How is DMSniff distributed - Attackers can distribute the DMSniff malware to compromised POS devices by either physically tampering the devices, or brute-forcing weak passwords, or exploiting vulnerabilities that exist in the devices.
However, the primary aim of the malware is to steal credit card information.
How does DMSniff steal credit card information
- DMSniff steals credit card details from the magnetic stripes on the payment cards.
- The malware steals the information when payment cards are swiped at a payment counter but before its encrypted and sent to the payment processor.
- The stolen information is then sent to the C&C server operated by the attackers.
- Attackers would then abuse the stolen card information to make transfers and purchases for themselves or would sell the data to other cybercriminals on the underground forums.
How does DMSniff evade detection - DMSniff employs a string-encoding routine to hide itself and its C&C communication and in order to evade detection. Researchers noted that this protects the malware’s capabilities from detection, making it difficult for researchers to learn its capabilities.
“There doesn't appear to be targeting by region because we've found infections in various countries. All stolen data was sent to the authorities. In cases where we had merchant IDs from the stolen data, we have been successful in working with the appropriate financial institutions to contact the victims,” Jason Reaves, Principal Threat Researcher at Flashpoint told ZDNet.