Treasurehunt POS malware discovered targeting banks and retailers

A group of hackers going by the name Bear Inc. has been targeting banks and retailers with a unique strain of malware that has so far managed to evade the attention of security admins.

Called Treasurehunt, it is a custom-built point of sale (POS) malware which is being used to exploit magnetic strip card systems before more companies turn to chip-and-PIN technology, according to ThreatPost.

Nart Villeneuve, principal threat intelligence analyst at FireEye said: “This group is very active in selling stolen credit card data. They are the only group using Treasurehunt malware, making it hard for security professionals to identify it.

"As time runs out for hackers to exploit older POS systems we are seeing an influx in related malware. There is nothing particularly unique in how Treasurehunt exploits these systems. But the relatively sparse sample set suggests that Treasurehunt may be deployed in a targeted manner rather than indiscriminately."

Bear Inc. is apparently using stolen credentials or brute force passwords attacks to get TreasureHunt onto POS terminals, enabling the hackers to harvest payment card information.

George Rice, senior director of payments at HPE Security commented: "First, EMV provides no protection for the transmission of sensitive payment information to the acquiring bank. After the EMV card validation process, the cardholder data must be delivered safely to the payment processor. By default, EMV does not provide ANY protections of data in transit to the processor. Criminals use POS malware, memory scrapers and other covert technologies to capture all of the payments data they need from unsuspecting retailers, despite the use of EMV. When such data breaches occur, retailers pay a hefty toll in the form of lost revenue, fines and penalties, executive job loss and even board-level lawsuits.

"Second, EMV does nothing to stop the use of stolen card information in online and mobile transactions. Criminals know they can monetise their card data heists by using the information in card-not-present purchase environments. And for the time being, criminals can use stolen cardholder data to create and use bogus mag-stripe cards until EMV has been ubiquitously deployed across the US market."

Image Credit: wavebreakmedia / Shutterstock