Point-of-sale (POS) systems are constant targets for criminals, and for good reason. The POS is a treasure trove of customer data, from credit card numbers to banking details, and it has proven a lucrative target in the past. Infecting point-of-sale systems with malware is not as difficult as it may seem, so nefarious coders continue to craft new POS malware to make a quick buck. The newest POS malware to capture the cybersecurity community's attention goes by the name of PinkKite.
PinkKite was discussed in-depth recently at Kaspersky Lab’s Security Analyst Summit. In the Threatpost article that covered the presentation, numerous points were discussed about PinkKite’s function and the threat it poses. The research was presented by Courtney Dayter and Matt Bromiley of Kroll Cyber Security.
According to the presentation, PinkKite (a name chosen almost at random) was first uncovered in 2017 as part of a larger investigation into POS malware attacks. The malware is small, roughly 6KB, and its small footprint helps it avoid detection by IDS programs. PinkKite is unique when compared to its fellow point-of-sale malware, and the presentation summed up the difference in the following statement:
Where PinkKite differs is its built-in persistence mechanisms, hard-coded double-XOR encryption (used on credit card numbers) and backend infrastructure that exfiltrates data to a clearinghouse.
So far PinkKite has been used primarily to collect credit card and debit card data, which is what the double-XOR encoding is applied to before the data is sent out. While the researchers have not shared who they believe is behind the malware, they did confirm that PinkKite has been successfully deployed in the wild. According to the presentation, it is certain that at least one major company has come under attack by the malware, and there will likely be more to follow.
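The "hard-coded double-XOR encryption" mentioned above deserves a practitioner's caveat: two XOR passes with fixed keys collapse into a single XOR with a fixed combined key, so the scheme hides card numbers from a casual glance but gives them no real protection once an analyst has the sample. The following Python is an added example written for this article, not PinkKite's code or anything from the Kroll presentation; the keys, the record layout and the card numbers (standard Luhn-valid test numbers) are all constructed for illustration, and it shows how an analyst with the recovered keys can decode a captured exfiltration blob and confirm which records are real card numbers using the Luhn check.

```python
from itertools import cycle
from math import lcm

# Constructed stand-in keys. The real hard-coded values are not public
# on the page; these exist only to demonstrate the property.
KEY1 = b"\x5a\xa5\x3c"
KEY2 = b"\x17"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (the same operation encodes and decodes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def double_xor(data: bytes, key1: bytes, key2: bytes) -> bytes:
    """Two fixed-key XOR passes layered one over the other."""
    return xor_bytes(xor_bytes(data, key1), key2)


def combined_key(key1: bytes, key2: bytes) -> bytes:
    """Collapse two repeating XOR keys into one repeating key.

    Byte i of the output is key1[i mod len1] ^ key2[i mod len2]; the
    combined key repeats with period lcm(len1, len2). Because XOR is
    associative and commutative, one pass with this key equals the two
    original passes, which is why the layering adds no security.
    """
    period = lcm(len(key1), len(key2))
    return bytes(key1[i % len(key1)] ^ key2[i % len(key2)] for i in range(period))


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (card-number checksum)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def recover_pans(blob: bytes, key1: bytes, key2: bytes) -> list[str]:
    """Decode a captured blob with one combined-key pass and keep Luhn-valid records.

    Assumes (constructed for this example) that records are newline-separated
    ASCII; anything that is not a well-formed card number is dropped, which
    keeps noise and false positives out of the analyst's list.
    """
    plain = xor_bytes(blob, combined_key(key1, key2))
    pans = []
    for rec in plain.split(b"\n"):
        text = rec.decode("ascii", errors="replace").strip()
        if luhn_valid(text):
            pans.append(text)
    return pans


# Constructed sample: what a scraper might queue for exfiltration.
# 4111111111111111 and 5555555555554444 are public Luhn-valid test numbers.
SAMPLE_RECORDS = b"4111111111111111\nnot-a-card\n5555555555554444\n4111111111111112\n"
SAMPLE_BLOB = double_xor(SAMPLE_RECORDS, KEY1, KEY2)


def demo() -> list[str]:
    """Decode the constructed blob and return the validated card numbers."""
    return recover_pans(SAMPLE_BLOB, KEY1, KEY2)


if __name__ == "__main__":
    print("combined key:", combined_key(KEY1, KEY2).hex())
    print("recovered PANs:", demo())
```

The Luhn filter matters in practice: decoding an exfiltration capture typically yields a mix of card data, field separators and junk, and checking the checksum lets an incident responder count affected cards without manual review. The same property also cuts the other way for detection: a fixed XOR key means the encoded form of a given card number is constant across every infected terminal, which is the kind of invariant a network signature can key on.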
Photo credit: PxHere