Last week, KrebsOnSecurity broke the news of an ongoing credit card breach involving CiCi’s Pizza, a restaurant chain in the United States with more than 500 locations. What follows is an exclusive look at a point-of-sale botnet that appears to have enslaved dozens of hacked payment terminals inside of CiCi’s locations that are being relieved of customer credit card data in real time.
Over the weekend, I heard from a source who said that since November 2015 he’s been tracking a collection of hacked cash registers. This point-of-sale botnet currently includes more than 100 infected systems, and according to the administrative panel for this crime machine at least half of the compromised systems are running a malicious Microsoft Windows process called cicipos.exe.
This admin panel shows the Internet address of a number of infected point-of-sale devices as of June 4, 2016. Many of these appear to be at Cici’s Pizza locations.
KrebsOnSecurity has not been able to conclusively tie the botnet to CiCi’s. Neither CiCi’s nor its outside public relations firm have responded to multiple requests for comment. However, the control panel for this botnet includes the full credit card number and name attached to the card, and several individuals whose names appeared in the botnet control panel confirmed having eaten at CiCi’s Pizza locations on the same date that their credit card data was siphoned by this botnet.
Among those was Richard Higgins of Prattville, Ala., whose card data was recorded in the botnet logs on June 4, 2016. Reached via phone, Higgins confirmed that he used his debit card to pay for a meal he and his family enjoyed at a CiCi’s location in Prattville on that same date.
An analysis of the botnet data reveals more than 100 distinct infected systems scattered across the country. However, the panel only displayed hacked systems that were presently reachable online, so the actual number of infected systems may be larger.
Most of the hacked cash registers map back to dynamic Internet addresses assigned by broadband Internet service providers, and those addresses provide little useful information about the owners of the infected systems — other than offering a general idea of the city and state tied to each address.
For example, the Internet address of the compromised point-of-sale system that stole Mr. Higgins’ card data is 184.108.40.206, which maps back to an Earthlink system in a pool of IP addresses managed out of Montgomery, Ala.
Many of the botnet logs include brief notes or messages apparently left by CiCi’s employees for other employees. Most of these messages concern banal details about an employee’s shift, or issues that need to be addressed when the next employee shift comes in to work.
In total, there are more than 1.2 million unique credit and debit card numbers recorded in the botnet logs seen by this reporter. However, the total number of card accounts harvested by the cybercrooks in charge of this crime machine is probably far greater. That’s because the botnet logs go back to early April 2016, but it appears that someone reset and/or cleared those records prior to that date.
Only about half of the 1.2 million stolen accounts appear to have been taken from compromised CiCi’s locations. The majority of the other Internet addresses that appear in the bot logs could not be traced back to specific establishments. Others seem to be tied to individual businesses, including a cinema in Wallingford, Ct., a pizza establishment in Chicago (the famous Lou Malnatis), a hotel in Pennsylvania, and a restaurant at a Holiday Inn hotel in Washington, D.C.
This particular point-of-sale botnet looks to be powered by Punkey, a POS malware strain first detailed last year by researchers at Trustwave Spiderlabs. According to Trustwave, Punkey includes a component that records keystrokes on the infected device, which may explain why short notes left by CiCi’s employees show up frequently in the bot logs alongside credit card data.
Although CiCi’s has remained silent so far, the company’s main point-of-sale service provider — Clearwater, Fla.-based Datapoint POS — told KrebsOnSecurity last week that the hackers behind this botnet used social engineering to trick employees into installing the malware, and that the breach impacted multiple other point-of-sale providers.
“All of these attacks have been traced to social engineering/Team Viewer breaches because stores from SEVERAL POS vendors let supposed techs in to conduct ‘support,’” said Stephen P. Warne, vice president of service and support, in an email to this author. “Nothing to do with any of our support mechanisms which are highly restricted and well within PCI Compliance.”
Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.
Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.
Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the phony transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).