
BriansClub & PoS Malware Attacks: How Threat Intelligence Solutions Help Prevent Payment Card Theft

BriansClub[.]at, an underground website that peddles stolen payment card data, was reportedly hacked. Here’s what we know of the breach based on an initial report:

  • In September, KrebsOnSecurity.com received a link from an unknown source that led to roughly 10 GB of payment card details (the credentials of 26 million credit and debit cards).
  • The dump accounts for about a third of the 87 million card records for sale on the Dark Web.
  • This financial information was stolen from online and physical stores over the past four years. Malware-infected point-of-sale (PoS) systems were the leading attack vector.
  • BriansClub buyers and resellers were identified through their ID numbers, which the database stores alongside each sold payment card record.
  • Card pricing depends on the issuing region and on demand. A U.S.-issued card costs US$12.76–$16.80 per piece; a non-U.S. card costs US$17.04–$35.70 each.

The most common ways PoS malware reaches hosts are insider threats and phishing. A knowledgeable employee may install the malware on card-reading machines directly, or obtain a manager's access credentials by guessing username-and-password combinations.

Targeted attacks, meanwhile, rely on social engineering to trick email recipients into downloading the PoS malware onto their computers. So say you (or someone you work with) receive an email with a suspicious attachment and you want to assess whether the sender is legitimate. Here is how you could go about it.

Our Investigative Tools: Threat Intelligence Platform and Others

A prime example of PoS malware is NitlovePOS, which has been distributed via spoofed Yahoo! Mail accounts. Messages associated with this malware dupe users into opening a Microsoft Word attachment that downloads NitlovePOS onto the device.

Knowing that, organizations should check whether an email address attempting to contact any of their employees is valid before anyone acts on the message. An email verification API can be used for that.

Reminding users not to open documents attached to emails sent by unknown senders is also critical as the simple act of opening a malicious document can drop NitlovePOS on their computers. Outright blocking of attachments with macros can also be enforced throughout the network.

Looking at publicly available reports can also help establishments beef up their cybersecurity posture. Take a look at a sample step-by-step account of how we carried out a risk assessment given that we do not have information on the email addresses used in the attack:

  1. We learned from a report that the malware had three command-and-control (C&C) servers: systeminfou48.ru, infofinaciale8h.ru, and helpdesk7r.ru. On VirusTotal, a third-party submission showed that all three seem to resolve to the same IP address. We ran a Threat Intelligence Platform (TIP) query on that address and found that it was owned by G-Core Labs S.A.
  2. We ran a reverse WHOIS search on the organization and found 14 domains whose records contained it.
  3. Although the TIP checks on each of these domains did not reveal ties to malware, some of them carried minor warnings such as open ports and missing SSL certificates. Exposed ports are an easy entry point for attackers. It is also interesting to note that many of the domains seem to be related to a massively multiplayer online (MMO) game called “World of Tanks.” Players should be wary as well, especially if they are using computers connected to the same network as PoS devices or systems.
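The three-step pivot above, as an added example that is not code from the original post or from the TIP product: it runs offline over constructed passive-DNS, WHOIS and port-scan records. The C&C domain names are the ones the post cites; the IP addresses, organization names, ports and certificate values are placeholders, since the post does not reproduce the shared IP.

```python
# Added example (not from the original post): domain -> shared IP -> owner ->
# reverse WHOIS -> posture checks, over constructed records.
from collections import defaultdict

CNC_DOMAINS = ["systeminfou48.ru", "infofinaciale8h.ru", "helpdesk7r.ru"]

# Constructed passive-DNS records: domain -> resolved IPs (placeholder IPs).
PASSIVE_DNS = {
    "systeminfou48.ru": ["203.0.113.10"],
    "infofinaciale8h.ru": ["203.0.113.10"],
    "helpdesk7r.ru": ["203.0.113.10", "203.0.113.11"],
    "unrelated-shop.example": ["198.51.100.5"],
}
# Constructed WHOIS data: IP -> owning org, domain -> registrant org (placeholders).
IP_OWNER = {"203.0.113.10": "EXAMPLE-HOSTING-ORG", "203.0.113.11": "OTHER-ORG"}
DOMAIN_OWNER = {
    "game-portal.example": "EXAMPLE-HOSTING-ORG",
    "forum.example": "EXAMPLE-HOSTING-ORG",
    "unrelated-shop.example": "RETAIL-CO",
}
# Constructed scan results: domain -> (open ports, has a valid TLS certificate).
SCANS = {"game-portal.example": ({80, 443}, True),
         "forum.example": ({21, 23, 80}, False)}
# Services one would not expect exposed on a public web host (constructed list).
RISKY_PORTS = {21, 23, 3389}

def shared_infrastructure(domains, pdns):
    """Step 1: IPs that more than one indicator domain resolves to."""
    hits = defaultdict(set)
    for d in domains:
        for ip in pdns.get(d, []):
            hits[ip].add(d)
    return {ip: sorted(ds) for ip, ds in hits.items() if len(ds) > 1}

def reverse_whois(org, domain_owner):
    """Step 2: every domain whose WHOIS record names the same organization."""
    return sorted(d for d, o in domain_owner.items() if o == org)

def posture_findings(domain, scans):
    """Step 3: the 'minor warning' checks: exposed ports and missing TLS."""
    ports, has_tls = scans.get(domain, (set(), False))
    findings = [f"open port {p}" for p in sorted(ports & RISKY_PORTS)]
    if not has_tls:
        findings.append("no valid TLS certificate")
    return findings

def investigate(domains=CNC_DOMAINS):
    """Run the full pivot; returns {related_domain: findings}."""
    report = {}
    for ip in shared_infrastructure(domains, PASSIVE_DNS):
        for related in reverse_whois(IP_OWNER.get(ip, ""), DOMAIN_OWNER):
            report[related] = posture_findings(related, SCANS)
    return report
```

Domains that come back with an empty findings list (like the one with only 80/443 and a valid certificate) still share infrastructure with the C&C servers; the report is a prioritization aid, not a verdict.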

The quick exercise above shows how important it is to find out whether the domains trying to interact with your network are secure. Not every investigation will instantly reveal ties to malicious activity, but the due diligence costs little.

To further bolster security, companies must ensure that the customer data they keep is encrypted according to industry standards. Retail operations and banks should also enforce stricter access controls and code-signing certificates before processing card transactions. Lastly, IT teams should deploy patches to vulnerable PoS systems regularly to prevent exploitation.

* * *

Cyberthreats can come from all fronts. Often, parties who fall victim to attacks failed to secure their data operations despite having ample resources to do so. Still, the best way to avoid the repercussions of compromised card data is to prevent them in the first place. Security solutions such as Threat Intelligence Platform (TIP) and other domain research and monitoring tools empower organizations to stay ahead of cyber risks before these become a huge problem.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy to use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and also real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.
