Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

vSkimmer Botnet Targeting Payment Card Terminals Connected to Windows

McAfee has shared details of a new botnet circulating on criminal forums, mostly out of Russia, which targets payment card terminals connected to Windows systems. The botnet, named vSkimmer, has been around since February and appears to be an ongoing project for the person selling it.

McAfee has shared details of a new botnet circulating on criminal forums, mostly out of Russia, which targets payment card terminals connected to Windows systems. The botnet, named vSkimmer, has been around since February and appears to be an ongoing project for the person selling it.

In a blog post discussing their research on vSkimmer, McAfee’s Chintan Shah says that vSkimmer is the successor to Dexter – financial malware responsible for the loss of nearly 80,000 credit card records and the successful breach of payment card data at scores of Subway restaurants in 2012. vSkimmer however has more functionality when compared to Dexter, mostly on a developmental level though. However, the author of vSkimmer says it’s easier to use.

In a forum post, vSkimmer is pitched as an advanced tool that will capture credit card data from systems running Windows that host payment processing software. vSkimmer will detect card readers and capture all of the track data collected, encrypt (Base64) the data and ship it off to a control server for later retrieval. Like Dexter, vSkimmer is said to be completely undetectable on the compromised host.

vSkimmer

In the event that the Web is unavailable, vSkimmer will wait for a named USB device to be attached to the system, and automatically dump the collected data to the removable device. In addition, it uses a whitelisting routine to look for actionable processes, by checking each process ran on the system that isn’t on the ignore list and using pattern matching to extract the card’s Track 2 data. Track 2 is where the card number, three-digit CVV code, and expiration date are stored.

If present in the terminal software, the person selling vSkimmer says it will also ferret out any additional data, including names and PINs, but McAfee’s research didn’t confirm this.

“VSkimmer is another example of how financial fraud is actively evolving and how financial Trojans are developed and passed around in the underground community. This botnet is particularly interesting because it directly targets card-payment terminals running Windows,” Shah explained in his post.

Additional technical information is available here.  

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.