Kaptoxa is part of a family of malicious code that, in varying manifestations, is also known as BlackPOS and Trojan.POSRAM. POS stands for Point of Sale, the systems that process payments at cash registers and card-swipe machines. This trio of malware is responsible for over twenty POS attacks in recent years, most notably the data breaches of Target in December 2013 and Home Depot in September 2014. These massive thefts of over 100 million customers’ personal data, including credit card information, rocked the country with their scale and impact. Both companies have settled lawsuits from customers and banks, some of which are still in litigation. Target has paid out over $18 million and Home Depot over $25 million in settlements to date.
Criminals carried out two very similar, operationally sophisticated attacks to reach Home Depot’s and Target’s transaction data. Initially, phishing attempts were made on third-party vendors, one of which succeeded. Once malware was installed on the vendor’s machine, passwords were harvested and used to enter the retailer’s systems. Because information on the basic makeup and information flow of the enterprise software had been published, the criminals were able to unlock doors in a hacker’s perfect puzzle: first gaining access to peripheral systems, then uploading Kaptoxa to the retailer’s point-of-sale machines, a step made easier in some cases because the Microsoft Server default password was still in use. Kaptoxa recorded all card data and then uploaded it to outside servers, from where the credit card information was sold on the black market. Kaptoxa’s code slipped past almost all anti-virus software. Even though Target had security software and a security team in place, the one alert raised by its remote security personnel went unheeded by Target corporate. Because of this, the attack ran for over two weeks of intense holiday shopping. Home Depot’s window of exposure was even longer, running from April to September 2014.
To understand how Kaptoxa was able to access card data, it is important to know the flow of data encryption in a card transaction. When a credit card’s magnetic stripe is swiped, the POS machine reads the transaction-essential information: card owner, card type, expiration date and so on. In that moment, the unencrypted information is held within the POS terminal’s Random Access Memory (RAM). Within milliseconds, this sensitive data is encrypted and sent to the merchant’s and bank’s processing systems. Enter Kaptoxa, a RAM scraper. In that brief window of plaintext access, Kaptoxa scraped the card data from memory; it was then sent to outside servers, bulked together and distributed to underground card brokers.
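As an added example (not code from the original article or from any POS vendor), the following Python sketches the exposure window described above and the memory-hygiene check a defender would run against it: track data sits in a buffer, is encrypted, and in the hardened path is overwritten in place, after which a scan confirms that no Luhn-valid track-format data remains. The HMAC-SHA256 keystream is a stand-in for a real terminal cipher, and the track data is a constructed test value, both assumptions of this example.

```python
import hashlib
import hmac
import os
import re

# Constructed sample of Track 2 data as read from a magnetic stripe
# (;PAN=YYMM<service code><discretionary data>?). The PAN is a Luhn-valid
# test number, not a real card.
SAMPLE_TRACK2 = b";4111111111111111=29121011234567890?"

# Track-2 shape that memory-hygiene scanners look for: 13-19 digit PAN, '=', YYMM.
TRACK2_RE = re.compile(rb"[0-9]{13,19}=[0-9]{4}")

def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum, used to reject digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan.decode("ascii"))):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def plaintext_card_data_present(region: bytes) -> bool:
    """Defender's check: does this buffer still hold track-format card data?"""
    return any(luhn_ok(m.group(0).split(b"=")[0]) for m in TRACK2_RE.finditer(region))

def process_swipe(track: bytearray, key: bytes, wipe: bool) -> bytes:
    """Encrypt the swiped data; `wipe` is the hardening under test. The
    HMAC-SHA256 keystream is a stand-in for the terminal's real cipher (an
    assumption of this example, not any vendor's scheme)."""
    nonce = os.urandom(16)
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(track) // 32 + 1))
    ciphertext = nonce + bytes(a ^ b for a, b in zip(track, ks))
    if wipe:
        # Overwrite the plaintext in place so a later RAM scrape finds nothing.
        # (Python cannot guarantee no other copies exist; the pattern is the point.)
        track[:] = bytes(len(track))
    return ciphertext

def exposure_demo():
    """Same swipe twice: once leaving plaintext behind, once wiping it."""
    key = os.urandom(32)
    unhardened, hardened = bytearray(SAMPLE_TRACK2), bytearray(SAMPLE_TRACK2)
    process_swipe(unhardened, key, wipe=False)
    process_swipe(hardened, key, wipe=True)
    return (plaintext_card_data_present(unhardened),
            plaintext_card_data_present(hardened))  # -> (True, False)
```

The unhardened buffer is exactly what a RAM scraper finds; the hardened one shows why minimizing plaintext lifetime, not just encrypting in transit, is the mitigation.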
Several bodies have conducted investigations into Kaptoxa’s creation, distribution and deployment: the United States Secret Service and Federal Bureau of Investigation, the United States Computer Emergency Readiness Team, and several private firms that specialize in web security. One of the co-creators of Kaptoxa, Rinat Shabayev, a Russian hacker, has admitted responsibility for writing some of the initial code and then selling it. Another major player is “Rescator,” a young Russian programmer with links to cybercrime organizations who allegedly runs one of the primary stolen-card resale websites. Much of the intelligence gathered on Kaptoxa, BlackPOS and Trojan.POSRAM points to Russia and/or areas that were part of the former USSR, especially Ukraine. Hidden as text strings inside the Home Depot versions of Kaptoxa and BlackPOS’s code were anti-American sentiments and political statements on American influence espousing democracy in Ukraine, Syria, Libya and Egypt. The inclusion of political commentary within operationally and technically complex malware adds another dimension to the motivations of the cyberattackers behind Kaptoxa.