U.S. federal investigators raided the Florida offices of PAX Technology, a Chinese provider of point-of-sale devices used by millions of businesses and retailers globally. KrebsOnSecurity has learned the raid is tied to reports that PAX’s systems may have been involved in cyberattacks on U.S. and E.U. organizations.
Headquartered in Shenzhen, China, PAX Technology Inc. has more than 60 million point-of-sale terminals in use throughout 120 countries. Earlier today, Jacksonville, Fla.-based WOKV.com reported that agents with the FBI and Department of Homeland Security (DHS) had raided a local PAX Technology warehouse.
FBI Statement: “The FBI Jacksonville Division, in partnership with Homeland Security Investigations, Customs and Border Protection, Department of Commerce, and Naval Criminal Investigative Services, and with the support of the Jacksonville Sheriff’s Office, is executing a court-authorized search at this location in furtherance of a federal investigation. We are not aware of any physical threat to the surrounding community related to this search. The investigation remains active and ongoing and no additional information can be confirmed at this time.”
Dale Carson, Action News Jax’s law and safety expert who has decades of experience in law enforcement, including as a special agent for the FBI, said to wokv.com that it’s the function of the foreign company that makes the investigation so important.
“Point-of-sale equipment, when you stripe a card or you tap it now, it’s a gateway to you and to the credit company. So any middleman, which is what it’s called, in between that, that is placed in there by someone with evil intent, can obtain information directly from that,” he said.
Carson said there is no way to know what they’re investigating, but that’s what he suspects.
Several days ago, KrebsOnSecurity heard from a trusted source that the FBI began investigating PAX after a major U.S. payment processor started asking questions about unusual network packets originating from the company’s payment terminals.
According to that source, the payment processor found that the PAX terminals were being used both as a malware “dropper” — a repository for malicious files — and as “command-and-control” locations for staging attacks and collecting information.
“FBI and MI5 are conducting an intensive investigation into PAX,” the source said. “A major US payment processor began asking questions about network packets originating from PAX terminals and were not given any good answers.”
It is not uncommon for payment terminals to be compromised remotely by malicious software and made to collect and transmit stolen information. Indeed, some of history’s largest cyberheists involved point-of-sale malware, including the 2008 breach at Heartland Payment Systems that exposed 100 million payment cards, and the 2013-2014 string of breaches at Target, Home Depot and elsewhere that led to the theft of roughly another 100 million cards.
Bloomberg reports that FIS Worldpay has removed PAX’s terminals from their infrastructure over security concerns.
The company, PAX Technology, provided the following statement on the raid:
“On Tuesday, October 26, 2021, PAX Technology, Inc. in the United States was subject to an unexpected visit from the Federal Bureau of Investigation (FBI) and other government agencies relating to an apparent investigation.
PAX Technology is not aware of any illegal conduct by it or its employees and is in the process of engaging counsel to assist in learning more about the events that led to the investigation.
Separately, we are aware of media reports regarding the security of PAX Technology’s devices and services. PAX Technology takes security very seriously. As always, PAX Technology is actively monitoring its environment for possible threats. We remain committed to providing secure and quality software systems and solutions.
We intend to keep our team and customers apprised of the situation.
In the meantime, it is business as usual at our locations and operations are continuing as normal. The PAX Jacksonville office and warehouse are both open at this time.”