CenturyLink’s Black Lotus Labs warns organizations of credit card theft
DENVER, July 1, 2020 – Point-of-Sale (POS) malware is nothing new, and the Alina malware – which cybercriminals use to scrape credit card numbers from POS systems – has been around for many years. New intelligence from CenturyLink’s Black Lotus Labs, however, shows that criminals are not yet done with Alina, and that they continue to find new ways to use it to steal unsuspecting victims’ credit and debit card data.
The theft was discovered after one of Black Lotus Labs’ machine-learning models flagged unusual queries to a specific domain in May 2020. Further analysis determined that the Alina POS malware was using the Domain Name System (DNS) – the service that resolves a website’s name to an IP address – as the outbound channel through which the stolen data was exfiltrated.
“Black Lotus Labs has reached out to customers impacted by the Alina malware and the registrars of the malicious domains,” said Mike Benjamin, head of CenturyLink Black Lotus Labs. “Our mission is to leverage our network visibility to protect our customers and keep the internet clean, so we will continue to monitor this situation as we work to eliminate the threat. We strongly recommend that all organizations monitor DNS traffic for suspicious queries to prevent this and other threats.”
The Bottom Line:
POS malware continues to pose a serious security threat, and DNS is a popular choice for malware authors to bypass security controls and exfiltrate data from protected networks. Malicious actors regularly update their Tactics, Techniques, and Procedures (TTPs) to evade detection, so the best defense is continuous monitoring for anomalous behavior.
Details Of Black Lotus Labs’ Findings Can Be Found in the Alina POS Malware Blog: https://blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns
How and Why DNS is Important:
Credit card processing systems often run on Windows, so the tooling and skills already traded in crimeware markets apply to them directly. Although card processing takes place in tightly restricted environments, DNS is almost always permitted outbound and often goes unmonitored, which makes it an attractive channel for POS malware to communicate out of the network, including for exfiltrating stolen card data.
To do this, the malware encodes the stolen data, places it in the subdomain labels of a name under an actor-controlled domain, and issues a DNS query for that name. Because the actors receive the query for their own domain, the embedded data reaches them without the victim network ever opening a direct connection to their infrastructure; the actors then extract and decode it from the query. The stolen data is subsequently sold in underground criminal markets.
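The following Python is an added illustration written for this page, not Black Lotus Labs' code and not Alina's: it models the channel just described on both ends (encoding records into subdomain labels and reassembling them at the receiving name server) and then runs a simple detector over a query log. The hex encoding, the "<record>-<chunk>.<hex>.<domain>" label layout, the domain name `track-status.example`, the card-like records and the log lines are all constructed assumptions; the report does not publish Alina's actual encoding, domains or data.

```python
"""Added example: DNS-subdomain exfiltration (sender and receiver) plus a
query-log detector. Encoding, domain name and log lines are assumptions
constructed for this illustration, not Alina's real scheme."""
from collections import defaultdict
import math
import string

MAX_LABEL = 63   # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253   # practical maximum length of a full domain name


def encode_exfil(records, domain, chunk=60):
    """Sender side: hex-encode each record and spread it over query names.

    Each name is "<record>-<chunk>.<hex>.<domain>"; the first label lets the
    receiver reassemble the chunks in order. Returns the names to resolve.
    """
    names = []
    for rec_id, rec in enumerate(records):
        hexdata = rec.hex()
        for seq, i in enumerate(range(0, len(hexdata), chunk)):
            label = hexdata[i:i + chunk]
            if len(label) > MAX_LABEL:
                raise ValueError("chunk exceeds DNS label limit")
            name = f"{rec_id}-{seq}.{label}.{domain}"
            if len(name) > MAX_NAME:
                raise ValueError("query name too long")
            names.append(name)
    return names


def decode_exfil(names, domain):
    """Receiver side (the actor's name server): reassemble the records."""
    suffix = "." + domain
    chunks = defaultdict(dict)
    for name in names:
        if not name.endswith(suffix):
            continue
        head, label = name[:-len(suffix)].split(".", 1)
        rec_id, seq = (int(x) for x in head.split("-"))
        chunks[rec_id][seq] = label
    return [bytes.fromhex("".join(chunks[r][s] for s in sorted(chunks[r])))
            for r in sorted(chunks)]


def shannon_entropy(text):
    """Bits per character; hex payloads sit near 4, real hostnames lower."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption: the last two labels are the registrable domain.
    Production code should consult the Public Suffix List instead."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def is_hex_label(label, min_len=16):
    return len(label) >= min_len and all(c in string.hexdigits for c in label)


def analyze_dns_log(lines, min_unique=5, min_label_len=32):
    """Score each registered domain seen in "<time> <client> <qname>" lines.

    A domain is flagged when many distinct names are queried under it and the
    longest label is unusually long: data being carried in subdomains looks
    nothing like a real hostname lookup.
    """
    names_by_domain = defaultdict(set)
    for line in lines:
        _time, _client, qname = line.split()
        names_by_domain[registered_domain(qname)].add(qname.lower())

    report = {}
    for dom, names in names_by_domain.items():
        labels = [lab for n in names for lab in n[:-len(dom) - 1].split(".") if lab]
        if not labels:
            continue
        payload = "".join(lab for lab in labels if is_hex_label(lab))
        report[dom] = {
            "unique_names": len(names),
            "longest_label": max(len(lab) for lab in labels),
            "entropy": round(shannon_entropy(payload), 2),
            "est_bytes": len(payload) // 2,   # hex carries two chars per byte
            "suspicious": len(names) >= min_unique
                          and max(len(lab) for lab in labels) >= min_label_len,
        }
    return report


# Constructed sample data (not from the report): benign lookups plus dummy
# scraper records in the spirit of what POS malware captures (source process
# name and fake card fields using well-known test card numbers).
BENIGN_LOG = [
    "2020-05-12T10:00:01Z 10.1.2.3 www.example.com",
    "2020-05-12T10:00:02Z 10.1.2.3 mail.example.com",
    "2020-05-12T10:00:03Z 10.1.2.4 cdn-assets.example.net",
    "2020-05-12T10:00:04Z 10.1.2.4 api.example.net",
]
FAKE_RECORDS = [
    b"proc=pos.exe;pan=4111111111111111;exp=2512",
    b"proc=pos.exe;pan=5555555555554444;exp=2601",
    b"proc=spoolsv.exe;pan=4012888888881881;exp=2509",
]
EXFIL_DOMAIN = "track-status.example"   # assumed actor-controlled domain


def build_sample_log():
    """Benign queries interleaved with the exfil queries the sender would make."""
    exfil_lines = [f"2020-05-12T10:01:{i:02d}Z 10.1.2.9 {n}"
                   for i, n in enumerate(encode_exfil(FAKE_RECORDS, EXFIL_DOMAIN))]
    return BENIGN_LOG + exfil_lines


if __name__ == "__main__":
    for dom, stats in analyze_dns_log(build_sample_log()).items():
        print(dom, stats)
```

The detector is deliberately a heuristic: long labels and many unique names under one domain also occur legitimately (anti-spam and reputation lookups, some CDNs), so in practice it should feed an alert queue or be combined with query volume per client and domain age rather than block on its own. The `registered_domain` helper is the weakest link; replace it with a Public Suffix List lookup before using this against real resolver logs.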
Key Research Findings:
- Four domains received similar DNS queries. A suspicious-looking fifth domain was unused but was hosted on the same IP address. This redundancy lets the malicious actors keep their channel alive even if one or more of the malicious domains is blocked or taken down.
- Black Lotus Labs was able to identify the encoding methodology that Alina used and confirm the exfiltration of the stolen data.
- Some of the process names recovered from the decoded data have been seen in previous Alina attacks, and others have been used with other POS malware.