POS (point-of-sale) devices have long been a target of interest for cybercriminals. Over the years they have found numerous ways to infiltrate and manipulate POS systems, but as malware has advanced, so have the defenses. Banks and financial institutions have invested heavily in this problem and have made it increasingly difficult for criminals to profit from it, which is why attacks targeting POS devices have declined in recent years. That does not mean such operations have stopped entirely. Among the most prominent malware families that target POS devices is the Alina family. Alina appears to target mainly companies in the food and accommodation industries that operate in the United States.
How Alina is propagated by its authors has not yet been revealed. When Alina installs itself on a system, however, two executable files always seem to be present: 'Wnhelp.exe' and 'Epson.exe'. Both take a nearly identical approach to collecting the targeted data, but differ greatly in how they implement their other features: they select different regions of memory to harvest data from, and they use different techniques to establish persistence on the infected machine. Like most malware built to target POS devices, Alina uses the Luhn algorithm to confirm that the collected credit card numbers are valid.
Both samples share the same end goal: collecting credit card information. Their approaches differ, however. The first sample works from a fixed list of 7-8 processes and monitors their memory, looking for credit card data. The second scans the memory of every process except those on its blacklist. Once the targeted data has been collected, it is run through the Luhn algorithm, and everything that passes the check is saved on the attackers' servers.
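As an added illustration (not code from the original article or from the malware), the following Python shows the Luhn check the article mentions, used from the defender's side: a scanner that finds digit runs in a captured log or dump fragment, keeps only those that pass Luhn, and masks them for reporting, which is how a DLP or incident-response triage script separates real card numbers from other long numeric fields. The sample text and the card numbers in it are constructed (industry test numbers), not real data.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 from any doubled value above 9 (same as summing its digits).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Candidate PAN: 13 to 19 digits not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; mask the rest for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_luhn_valid_pans(text: str) -> list:
    """Return masked digit runs from text that look like PANs and pass Luhn."""
    return [mask_pan(m) for m in PAN_RE.findall(text) if luhn_valid(m)]

# Constructed sample fragment: one Luhn-valid test PAN, one near miss,
# and a 16-digit serial number that is not a card number.
SAMPLE = ("order=1234 pan=4111111111111111 ref=4111111111111112 "
          "serial=1234567890123456")

if __name__ == "__main__":
    print(find_luhn_valid_pans(SAMPLE))  # ['411111******1111']
```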
Both samples have a limited feature set. However, the attackers can control them through their Command & Control servers and instruct them to upload and execute other files on the compromised system. They can also update Alina. If you are wondering what cybercriminals do with so much collected data, the answer is that they sell it, often on the Dark Web, to other shady individuals with questionable morals.
Smaller companies that use POS devices often overlook the threats lurking online, and that neglect can cost their business and their customers dearly.