Newly uncovered malware uses DNS requests to siphon credit card data

Normally, point-of-sale malware uses HTTP requests to exfiltrate data. Using DNS requests allows attackers to avoid detection.
skimmer, sniffer, payment card, credit card, debit card, point of sale
(Getty Images)

Researchers have discovered new malware that relies on a unique way to steal credit card information from point-of-sale systems.

In a blog post published on Thursday, Forcepoint says its found malware that uses Domain Name System (DNS) requests in order to extract credit card information. That sets it apart from most other POS malware, which would normally use HTTP requests to exfiltrate data.

Luke Somerville, head of special investigations for Forcepoint Labs, says companies would normally look for unusual activity in their HTTP requests in order to detect data theft.

Somerville says the malware, which it is dubbing “UDPoS”, hasn’t affected any of Forcepoint’s customers, but that “there may well be people out there who we’re not protecting who may have been affected by this.” He added that Forcepoint was able to prove that the malware could successfully steal credit card data.


“They’re kind of just sneaking the data out in a way that people aren’t necessarily going to monitoring as closely as they would their web traffic, their email traffic, stuff like that,” Somerville told CyberScoop. “People often don’t monitor [DNS requests] that closely … Windows will make dozens of requests over the course of the day just in the process of finding out where its update server is.

The malware’s files are named to disguise the malware as an update from LogMeIn, a remote desktop control service, suggesting that the target would be POS systems that also use LogMeIn.

Somerville explained that businesses that use older POS systems might use LogMeIn or similar software in order to receive support from the POS system vendor.

“It wouldn’t be practical to send an engineer out to sort of manually update or fix them at every site if there’s a problem,” Somerville said. “It’s hard to say why they picked LogMeIn. It’s possible that the actors behind it were aware of a company that uses LogMeIn to remotely administer point of sale terminals.”

Somerville stressed that LogMeIn itself hasn’t been compromised, just impersonated. Forcepoint didn’t identify how the malware might be delivered, Somerville said. But LogMeIn, which has been in contact with Forcepoint about the threat, said in a blog post that it only delivers updates to its products from within the software, not through an external link, file or email.

Latest Podcasts