FBI Warns Retailers of New Credit Card Malware

Punkey is the latest point-of-sale credit card hack

June 2, 2015

A recent cyber attack against a restaurant chain’s credit card system prompted the FBI to issue a warning last week that criminal hackers are using new malicious software to steal personal financial data.

An internal FBI cyber alert sent to U.S. companies Wednesday states that Bureau cyber investigators have identified software signatures used in a new point-of-sale malware called "Punkey," a name taken from the 1980s sitcom character Punky Brewster.

"Cybercriminals continue to deploy point-of-sale (PoS) malware due to the number of targets connected to the Internet and large potential profits," says the FBI alert, known as a FLASH notice.

"In the past year, there has been an increase in restaurants, casinos, hotels, and resorts targeted by PoS malware. Cybercriminals infect victim networks to extract credit card information and quickly monetize it within cybercriminal forums."

The notice, issued under the FBI’s legal obligation to notify victims of cyber attacks, states that investigators have "high confidence" that the new malware was used in "a recent network intrusion against a restaurant chain" that was not identified by name.

The FBI said its investigation into the use of Punkey against the restaurant chain is ongoing.

FBI officials declined to identify the restaurant chain or provide additional information.

"The FBI is distributing these indicators to enable network defense activities and to reduce the risk of similar attacks in the future," the notice says. "The FBI has high confidence that these indicators were involved in past network intrusions and will continue to be utilized in the future by cyber criminals."

Security technicians are being urged to identify victims of Punkey hacks, and to remove the hacking software from within secure payment networks.

Cyber security expert Brian Krebs said he is unfamiliar with the restaurant chain mentioned in the alert.
"From my perspective, it could be any one of thousands out there that are currently compromised," said Krebs, who runs
"It's really epidemic at this point, I'm afraid."

Several high-profile hacks have used PoS malware in recent years, including those against the retailers Target, Home Depot, Michaels, and Neiman Marcus, and the restaurant chains P.F. Chang’s and Jimmy John’s. The Jimmy John’s hack was disclosed in September and is the most recent high-profile point-of-sale criminal cyber attack.

The malware works by scanning the random access memory of payment processing computers, card readers, and terminals and "scraping" the unencrypted plaintext credit card data that appears there when a card is swiped through a reader during a payment transaction.

Criminal hackers have been able to penetrate the Internet-based networks used in the payment systems and obtain the credit card information from millions of consumers.

The stolen data is then posted for sale to others online in so-called "dark net" forums used by criminals and other hackers.

Jimmy John’s said Sept. 24 that credit and debit card data was stolen at 216 of its stores on July 30, Reuters reported.

A hacker broke into the company’s network, stole log-in credentials from a company vendor, and used those credentials to remotely access point-of-sale systems.

The new Punkey malware was discovered by security researchers at Trustwave, a Chicago security firm, which described it in a blog post as a sophisticated cyber threat. The malware is capable of injecting itself into computers, conducting scans of systems, encrypting stolen data, and then communicating with remote servers that are used to store and retrieve stolen credit card data.

Researchers at Trustwave and the U.S. Secret Service said Punkey operates in ways similar to another PoS malware called NewPOSThings.

Punkey, however, scrambles the stolen data with encryption and carries the decoding key embedded in the malware itself.

Punkey also has capabilities that allow the malware to download additional malware tools into infected systems.

Some 75 point-of-sale terminals were found to be infected by Punkey software, according to security researchers.

Trustwave’s Eric Merritt said in a blog post that the malware was named after a part of its code that spells P(ost)unkey, and thus similar to the character in the sitcom.

"While this malware shares some commonalities with [the NewPOSThings] family, it departs from the standard operating procedure of the previous versions rather dramatically," Merritt said.

According to Merritt, Punkey comes in 32-bit and 64-bit versions that infect Microsoft Windows software used in payment terminals. The malware captures payment data as it is being processed and can also record the keystrokes of employees who type in additional information during a credit card transaction.

Once the malware penetrates computers, it sets up registry startup tools that make it difficult to detect and remove the software.

By encrypting the stolen credit card numbers and other data, the cyber criminals using Punkey make it more difficult for other criminals to steal the data from them. The encryption also adds to the value of the stolen credit card numbers sold later on the Internet black market.

Punkey can also inject other malicious files, including software updates—a feature that could be used by cyber criminals to avoid detection by security software.

The increasing use of both credit card terminal malware families, NewPOSThings and Punkey, "suggests that multiple actors may be using similar source code, or the malware is being customized as a service for targeted campaigns," Merritt said in the April 15 post, declining to provide further details because of the investigation.

Merritt said a key feature is Punkey’s ability to inject additional malware from remote servers and check for updates.

"This gives Punkey the ability to run additional tools on the system, such as executing additional reconnaissance tools, or performing privilege escalation," Merritt said. "This is a rare feature for PoS malware."

The new software has been in operation since October 2014.

Another point-of-sale malware uncovered in recent months is PoSeidon, which is known to have infected restaurant, bar, and hotel payment terminals in the United States.
