U.S. federal investigators today raided the Florida offices of PAX Technology, a Chinese provider of point-of-sale devices used by millions of businesses and retailers globally. KrebsOnSecurity has learned the raid is tied to reports that PAX’s systems may have been involved in cyberattacks on U.S. and E.U. organizations.
Headquartered in Shenzhen, China, PAX Technology Inc. has more than 60 million point-of-sale terminals in use throughout 120 countries. Earlier today, Jacksonville, Fla. based WOKV.com reported that agents with the FBI and Department of Homeland Security (DHS) had raided a local PAX Technology warehouse.
In an official statement, investigators told WOKV only that they were executing a court-authorized search at the warehouse as a part of a federal investigation, and that the inquiry included the Department of Customs and Border Protection and the Naval Criminal Investigative Services (NCIS). The FBI has not responded to requests for comment.
Several days ago, KrebsOnSecurity heard from a trusted source that the FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals.
According to that source, the payment processor found that the PAX terminals were being used both as a malware “dropper” — a repository for malicious files — and as “command-and-control” locations for staging attacks and collecting information.
“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”
KrebsOnSecurity reached out to PAX Technology’s CEO on Sunday. The company has not yet responded to requests for comment.
The source said two major financial providers — one in the United States and one in the United Kingdom — had already begun pulling PAX terminals from their payment infrastructure, a claim that was verified by two different sources.
“My sources say that there is tech proof of the way that the terminals were used in attack ops,” the source said. “The packet sizes don’t match the payment data they should be sending, nor does it correlate with telemetry these devices might display if they were updating their software. PAX is now claiming that the investigation is racially and politically motivated.”
The source was unable to share specific details about the strange network activity that prompted the FBI’s investigation. But it should be noted that point-of-sale terminals and the technology that supports them are perennial targets of cybercriminals.
It is not uncommon for payment terminals to be compromised remotely by malicious software and made to collect and transmit stolen information. Indeed, some of history’s largest cyberheists involved point-of-sale malware, including the 2008 breach at Heartland Payment Systems that exposed 100 million payment cards, and the 2013-2014 string of breaches at Target, Home Depot and elsewhere that led to the theft of roughly another 100 million cards.
Even if it were publicly proven today that the company’s technology was in fact a security risk, my guess is few retailers would be quick to do much about it in the short run. The investigation into PAX Technology comes at a dicey time for retailers, many of whom are gearing up for the busy holiday shopping season. What’s more, global computer chip shortages are causing lengthy delays in procuring new electronics.
Update, Oct. 27, 3:08 p.m. ET: Bloomberg reports that FIS Worldpay has removed PAX’s terminals from their infrastructure over security concerns.
FIS Worldpay told Bloomberg the company confirmed that it no longer deploys PAX point-of-sale devices “because it did not receive satisfactory answers from PAX regarding its POS devices connecting to websites not listed in their supplied documentation.”
“While we have no evidence that data running through PAX POS devices has been compromised, we have been working directly with clients to replace those devices with other options at no cost to them and with as little disruption to their business as possible,” Bloomberg reported. “The spokesperson said fewer than 5% of Worldpay clients currently use PAX point-of-sale devices. FIS’s shares were down 6.6% Wednesday afternoon in New York.”
Update, Oct. 27, 7:57 p.m. ET: PAX issued the following statement:
On Tuesday, October 26, 2021, PAX Technology, Inc. in the United States was subject to an unexpected visit from the Federal Bureau of Investigation (FBI) and other government agencies relating to an apparent investigation.
PAX Technology is not aware of any illegal conduct by it or its employees and is in the process of engaging counsel to assist in learning more about the events that led to the investigation.
Separately, we are aware of media reports regarding the security of PAX Technology’s devices and services. PAX Technology takes security very seriously. As always, PAX Technology is actively monitoring its environment for possible threats. We remain committed to providing secure and quality software systems and solutions.
We intend to keep our team and customers apprised of the situation.
In the meantime, it is business as usual at our locations and operations are continuing as normal. The PAX Jacksonville office and warehouse are both open at this time.
Update, Oct. 31, 8:39 p.m.: PAX has issued a Q&A to customers which maintains that concerns over the alleged unexplained traffic from PAX terminals are related to “the optional geolocation feature available on PAX terminals,” and “the use of dynamic IP addresses, commonly used for geolocation.”
“To make geolocation an available feature, PAX SmartPOS terminals utilize a third party geolocation service provider, just as your smartphone does,” the Q&A explains. “These services require devices to communicate geolocation information to third party IP addresses, some of which may be outside the country were the devices are operational.”