
From a malware collection point of view, it was probably easier for adversaries to send data to clearinghouses. It also may have helped them keep a little bit of distance from the POS terminals. But, from an investigative point of view, we loved it because it made the operation very noisy.

PinkKite also stands out for its use of hard-coded double-XOR encryption on credit card details it scrapes from memory as another method to evade detection. It then takes that obfuscated information, stores it along with as many as several thousand other credit card records in compressed files, and writes the files onto one of the three clearinghouse remote systems.

Bromiley and Dayter first learned of the threat from a client when it told them in 2017 that someone was selling its customers' payment card details on the black market. From their follow-up investigation, the researchers discovered that the malware was storing Track II magnetic stripe data in memory but was also capturing transactions that were sometimes years old. PinkKite pulled off this feat because the affected POS server ran an SQL database that, upon boot-up, loaded two separate tables containing historical track data into memory, where the malware then scraped all that information.

In their presentation for Kaspersky's summit, Kroll's experts did not provide many details about the attackers behind PinkKite, a name they came up with using random naming conventions.

The ongoing emergence of threats like PinkKite highlights the need for retailers and other organizations to strengthen the security of their POS infrastructure. For information on how Tripwire can help, click here.
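The "double-XOR" obfuscation described above is worth a closer look from an analyst's perspective. The following is an added example, not code from the Kroll researchers or from the PinkKite binary: the two keys and the Track II records are constructed for illustration, and the page does not disclose the malware's actual keys or file layout. It shows two things a forensic responder would want to know when triaging recovered exfiltration files: that XOR with two hard-coded keys collapses into a single repeating keystream (so the second pass adds no secrecy once the keys are pulled from the sample), and how to validate decoded candidates as genuine Track II data using the public track format and the Luhn check rather than eyeballing bytes.

```python
import re
from math import lcm

# Hypothetical hard-coded keys, constructed for this example.
# The real PinkKite keys are not given on the page.
KEY1 = b"\x5a\xc3\x17\x88\x21"
KEY2 = b"\x2f\x91\xe4"

# Constructed Track II records: two Luhn-valid public test PANs and one
# deliberately corrupted PAN, separated by filler bytes that must not match.
SAMPLE_PLAIN = (
    b"log=ok;"
    b";4111111111111111=2512101123456789?"
    b"|"
    b";4111111111111112=2512101?"   # fails Luhn: a false positive to filter
    b"|"
    b";5500000000000004=2611201987654321?"
)

# Public Track II layout: start sentinel ';', PAN (13-19 digits), field
# separator '=', expiry YYMM, 3-digit service code, discretionary data, '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (symmetric: encode == decode)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def double_xor(data: bytes, key1: bytes, key2: bytes) -> bytes:
    """Two XOR passes with two keys, as the article describes for PinkKite."""
    return xor_with_key(xor_with_key(data, key1), key2)


def combined_key(key1: bytes, key2: bytes) -> bytes:
    """The single keystream equivalent to both passes.

    Because XOR is associative, k1 XOR k2 applied once gives the same
    output as applying k1 then k2; its period is lcm(len(k1), len(k2)).
    """
    n = lcm(len(key1), len(key2))
    return bytes(key1[i % len(key1)] ^ key2[i % len(key2)] for i in range(n))


def luhn_valid(pan: str) -> bool:
    """Mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only; analysts should not retain full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def recover_track2(blob: bytes, key1: bytes, key2: bytes) -> list:
    """Undo the double XOR and extract Track II candidates with a Luhn verdict."""
    plain = double_xor(blob, key1, key2)  # same two passes reverse the obfuscation
    records = []
    for m in TRACK2_RE.finditer(plain):
        pan = m.group(1).decode()
        records.append({
            "pan_masked": mask_pan(pan),
            "expiry": m.group(2).decode(),
            "service_code": m.group(3).decode(),
            "luhn_ok": luhn_valid(pan),
        })
    return records


# SAMPLE_BLOB stands in for one of the obfuscated files the article describes.
SAMPLE_BLOB = double_xor(SAMPLE_PLAIN, KEY1, KEY2)

if __name__ == "__main__":
    assert xor_with_key(SAMPLE_PLAIN, combined_key(KEY1, KEY2)) == SAMPLE_BLOB
    for rec in recover_track2(SAMPLE_BLOB, KEY1, KEY2):
        print(rec)
```

Running the block prints three candidate records, of which only the two Luhn-valid ones should be treated as real card data; the `combined_key` assertion demonstrates that the second XOR pass contributes nothing beyond a longer keystream period, which is why this kind of obfuscation hinders casual inspection of exfiltration files but not a responder who has the binary.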