Alina
Point-of-sale (POS) devices may process the data of hundreds of credit cards on a daily basis – in some cases, this number might exceed a thousand, especially if the device is used by a major business. It therefore comes as no surprise that cybercriminals have turned their attention towards POS devices and come up with various pieces of malware that can infiltrate these devices and collect credit card information from them. One of the popular POS malware families is Alina – a threat that has operated primarily in the United States and has been used to target businesses in the accommodation and restaurant sectors.
It is not clear how the attackers compromise the targeted computer in order to plant the Alina malware on the POS device. Two of the files linked to the attack are ‘Epson.exe’ and ‘Wnhelp.exe’ – while both of them use a similar method to extract the data from the targeted machine, they use entirely different techniques to acquire persistence and to select the memory sections from which to exfiltrate the data. Typically, POS malware works by scraping the compromised device’s memory and looking for number combinations that pass the Luhn algorithm check.
The first sample only checks the memory of a specific list of system processes that are linked to POS operations. The other sample, by contrast, checks all processes apart from the ones on its blacklist – mostly Web browsers, messaging applications and system processes. The data collected from the memory of the targeted processes is then checked via the Luhn algorithm and all positive results are saved.
Both variants of the Alina POS malware can receive commands from the attacker’s Command & Control server – the number of commands is small, but they enable the attacker to update the malware or to download and execute additional files on the targeted system. The credit card data scraped by the attackers is often sold on underground hacking forums, where the price of a single card can exceed $100 depending on the country of origin.
POS devices in the accommodation, retail and restaurant businesses are usually the primary targets of the attackers, since these places are unlikely to have dedicated IT staff to monitor their systems.