Tuesday, 6 March 2012

POS Carding


I got recently a package of files found in a infected POS (POS hacked due to a weak rdp password)



Interface of a compromised POS used by a jeweller:

out.exe is a Ardamax Keylogger (ardamax.com) and vui qua.exe is a SFX archive who display this picture when executed:

And drop Pefect Keylogger (blazingtools.com) behind.
"vui qua" might be a Vietnamese phrase which translated is "so funny".

These two keyloggers are probably useless for the carder, the interesting file here is "mmon.exe" a ram scraper.
It scan each and every process looking for CC dumps thats been written to memory Track 1, 2.
If a Point Of Sale device is connected to the computer it will grab it's card data right away.
How? POS always use end to end encryption, the only place where it's not encrypted are inside the memory.
But.. the memory have limited storage so it overwrites the data all the time.
It's also a problem for mmon, because this crap have no loop feature and does not write inside a file.
POS Carders usually use better malware than this, but i got this so...

(mmon.exe, "Kartoxa" is probably the distorted version of the word "potato")

mmon scanning process.

test of mmon with a valid track two in memory

When a dump is found, the program do nothing with it, it just display the stuff on console.
The bad guys just connect to the POS via RDP, get dumps via mmon and write them out on magnetic stripe with a card writer.

 (MSR606 USB Magnetic Stripe Reader Writer/Encoder)

Then use an embosser to make imprinted numbers on the card.
(A DXR 70C embosser)

And it's ready to use... in USA (Type 101)
The ones we have in Europe are 201 cards (pin and chip)
101 only need to swipes the card in a store and the cashier checks the 4 last digits on the card if they are corect.
Carders also use printers like Fargo to make fake identities.
Anyway, a POS malware have a high price, it's not a business that everyone can do.

8 comments:

  1. Could you inform the MD5/ Virus total scan of these files?
    Thanks in advance!

    ReplyDelete
  2. from what I have heard, security on POS systems are really poor

    ReplyDelete
  3. "Kartoxa" ))
    yeah, that a very funny type of saying potato in russian )

    ReplyDelete
  4. out.exe: 1843B06D1C161B42A8D3794B6E1E02CE
    vui qua.exe: 3F85A322E587D125D51E743804A4742E
    mmon.exe: 255DAA6722DE6AD03545070DFBEF3330

    ReplyDelete
  5. Kartoha is not potato. It is about "karton" (credit cards in russian carders slang.)

    ReplyDelete
  6. What kind of pos does that reflect on? Like the ones in wal mart? Those gray old crappy looking ones

    ReplyDelete
  7. Hi, give me link for this soft

    ReplyDelete