The MajikPOS malware family was first observed more than two years ago. Researchers who analyzed the threat found that the goal of MajikPOS campaigns is to harvest payment card data: the malware runs on a compromised POS (Point-of-Sale) system and collects the card details of every customer who pays there. Most POS malware goes after businesses in poorer regions, where security controls tend to be weaker. MajikPOS is different: its targets are in the United States and Canada. The attackers likely accepted the harder targets because card data from this region sells for considerably more on underground forums and carding markets.
How the MajikPOS Malware is Delivered
When analyzing the threat, researchers found that systems compromised by MajikPOS also had a RAT (Remote Access Trojan) installed on them. This suggests that the operators used the RAT as a first-stage payload and then used it to download and install MajikPOS. Another likely entry point is a poorly secured remote desktop service, for example one exposed to the internet and protected only by a weak password.
Scrapes Credit Card Information from POS Devices’ RAM
MajikPOS scrapes the system's RAM (Random Access Memory) for anything that looks like payment card data. Because the targets are in the United States and Canada, the attackers can expect the POS devices they compromise to be relatively modern, which means card data is not written to disk: in line with payment-industry rules, modern POS software keeps full card details only in memory, for the brief moment needed to process a transaction. That is safer than storing them on disk, but as MajikPOS shows, it is not enough on its own. Unless the terminal encrypts the card data at the point of entry, the track data sits in clear text in memory, where a process running with sufficient privileges can read it.
The Collected Data is Sold on a Site Called ‘Magic Dump’
MajikPOS looks for card data belonging to Visa, Mastercard, American Express, Discover, Diners Club and other payment networks. Every card number it collects is first run through the Luhn algorithm, a checksum that weeds out strings of digits that merely look like card numbers, so that only plausible PANs are kept. Numbers that pass the check are exfiltrated to the attackers' C&C (Command & Control) server. The operators then sell the stolen data on a website they set up, called 'Magic Dump', which at its peak listed the details of more than 23,000 payment cards.
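To make the two previous points concrete (scraping track data out of memory, then filtering the candidates with the Luhn check), here is an added example written for this article; it is not MajikPOS code and does not reproduce the malware's implementation. It scans a constructed byte buffer standing in for a POS process memory image, pulls out anything shaped like an ISO 7813 track 1 or track 2 record, discards candidates whose PAN fails the Luhn check, and labels the survivors by card brand using the well-known IIN prefixes. The regular expressions, the `TrackHit` type and the sample buffer are all assumptions made for the example; the card numbers in it are the payment networks' published test numbers, not real cards. The same logic, run by a defender over a dump of a payment process, shows whether clear-text track data is exposed in memory.

```python
import re
from dataclasses import dataclass

# ISO/IEC 7813 track layouts as they appear in memory before any encryption:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# Both patterns are assumptions for this example, not taken from the malware.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})\d{0,30}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d{0,30}\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn (mod 10) checksum."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> str:
    """Classify a PAN by its issuer identification number (IIN) prefix."""
    two, three, four = int(pan[:2]), int(pan[:3]), int(pan[:4])
    if pan[0] == "4":
        return "Visa"
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "Mastercard"
    if two in (34, 37):
        return "American Express"
    if four == 6011 or two == 65 or 644 <= three <= 649:
        return "Discover"
    if two in (36, 38) or 300 <= three <= 305:
        return "Diners Club"
    return "unknown"


@dataclass
class TrackHit:
    track: int
    pan: str
    expiry: str  # YYMM as carried on the track
    brand: str
    offset: int  # where in the buffer the record started


def scrape_tracks(memory: bytes) -> list[TrackHit]:
    """Find track 1/track 2 records in a memory image, keeping only Luhn-valid PANs."""
    hits = []
    for m in TRACK1_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append(TrackHit(1, pan, m.group(3).decode(), card_brand(pan), m.start()))
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            hits.append(TrackHit(2, pan, m.group(2).decode(), card_brand(pan), m.start()))
    hits.sort(key=lambda h: h.offset)
    return hits


# Constructed stand-in for a POS process memory image: noise, one track 1
# record, several track 2 records, and one record whose PAN fails Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00heap junk\x7f\xff"
    b"%B4111111111111111^DOE/JANE^25121011234567890?"  # track 1, Visa test number
    b"\x90\x90GET /status HTTP/1.1\r\n"
    b";5555555555554444=25121011234567890?"  # track 2, Mastercard test number
    b";4111111111111112=2512101?"  # track 2, looks like a PAN but fails Luhn
    b";378282246310005=2512101?"  # track 2, American Express test number
    b";6011111111111117=2512101?"  # track 2, Discover test number
    b";30569309025904=2512101?"  # track 2, Diners Club test number
    b"trailing\x00\x00"
)

if __name__ == "__main__":
    for h in scrape_tracks(SAMPLE_MEMORY):
        print(f"track{h.track} {h.brand:16} {h.pan} exp={h.expiry} @0x{h.offset:x}")
```

Running the block lists five records and silently drops the sixth, whose PAN differs from a valid one by a single digit; that is exactly the false-positive filtering the Luhn step buys the attacker. Note that the Luhn check only confirms a number is well-formed, not that the card exists or is active, which is why stolen dumps are typically "checked" against live payment systems before being sold.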
The authors of MajikPOS appear to know what they are doing and are likely experienced at writing this type of malware. Businesses that handle their customers' card data need to take great care, because a breach can cost them their reputation and possibly the business itself.