
The 10 POS malware families this holiday season

This holiday shopping season, many retailers have two goals in mind – make record-breaking sales and don't get breached.

Malware that specifically targets point-of-sale systems has seen a sharp increase in the past two years. Criminals have zeroed in on retail businesses, using similar technical tactics to break in remotely and steal payment card information. The malware exploits a core weakness in how magnetic-stripe cards are processed: for a brief moment after a card is swiped at a point-of-sale system, the track data sits unencrypted in the memory of the payment application while the software parses the input. That is when the malware strikes. The attackers, having already compromised the terminal and installed the malware, have it continuously scan the computer's memory for anything that looks like track data and read the card data before it is encrypted and sent on for authorization. The malware copies the track data from the magnetic stripe and either sends it back to the criminals or stores it locally until it can be retrieved and used to commit fraudulent purchases.
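The scraping step described above, as an added example that is not code from the article or from any of the families it describes: the scanner searches a byte buffer for Track 1 and Track 2 patterns and keeps only card numbers that pass the Luhn check, which is also exactly what a defensive memory scan of a POS process looks for. The buffer is a constructed stand-in for a process dump (real scrapers walk process memory with ReadProcessMemory instead), and the card numbers are industry test numbers, not real accounts.

```python
import re

# Track 1 ("%B" format): %B<PAN>^<cardholder name>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")

# Constructed stand-in for a dump of the POS process: junk, two valid records
# (industry test card numbers) and one digit run that fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00PaymentApp.exe\x00\x00" + bytes(range(256))
    + b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    + b"\x00" * 16
    + b";5555555555554444=25121011000000000?"
    + b"\x00" * 16
    + b";4111111111111112=25121011000000000?"   # not Luhn-valid, so ignored
    + b"Transaction approved\x00"
)


def luhn_ok(pan: bytes) -> bool:
    """Mod-10 check; scrapers use it to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):   # iterate digits right to left
        d = ch - 0x30
        if i % 2 == 1:                       # double every second digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep the first six and last four digits, as an alert or report should."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def scrape(buf: bytes) -> list[dict]:
    """Return every Luhn-valid track record found in a memory buffer."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append({"track": 1, "pan": mask(m.group(1)),
                         "name": m.group(2).decode("ascii", "replace"),
                         "expiry": m.group(3).decode("ascii")})
    for m in TRACK2_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append({"track": 2, "pan": mask(m.group(1)),
                         "expiry": m.group(2).decode("ascii")})
    return hits


if __name__ == "__main__":
    for hit in scrape(SAMPLE_MEMORY):
        print(hit)
```

The same regex-plus-Luhn core serves both sides: run against a live process dump it is a detection check, and a finding means cleartext track data is reachable from user-mode memory on that terminal. If the reader encrypts track data at the head before it reaches the POS application, the pattern never appears in memory and this scan, like the malware, finds nothing.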

Point-of-sale malware does not generally target specific types of retail businesses. It is a criminal tool that a technically savvy thief deploys against a common class of system found across retailers, from big-box megastores to mom-and-pop shops and everything in between.

Here are ten popular families of point-of-sale malware that retailers should keep on their radar this holiday season:

The authors of Backoff have been busy. Since our researchers first identified and analyzed it a little more than a year ago, more than a dozen variants have been discovered in the wild. The newest versions send the stolen payment card data back over SSL, the same protocol that protects consumers' information when they shop online. Encrypting the exfiltration channel hides the card numbers from network security products that would otherwise spot them leaving the network and raise an alarm.

We have seen at least six variants of this family during the past couple of years. One clever version co-opts DNS, the protocol that translates domain names into IP addresses, to exfiltrate the stolen card data along with the victim's IP address: the data is encoded into the subdomain labels of DNS queries for an attacker-controlled domain, so the theft looks like ordinary name resolution.

This family, also known as “Kaptoxa,” has a component that copies the card data it has collected to another computer over local network shares, where it is consolidated before being sent out of the victim's network.

This point-of-sale malware had a number of internal programming bugs that somewhat limited its effectiveness. JackPOS exfiltrates payment card data by sending it to the attackers in an HTTP POST request, a basic way of submitting data to a web server. The malware does not employ even basic encryption to hide its communications, so the card data crosses the network in cleartext, where a content-inspecting proxy or intrusion detection system can see it.

Chewbacca was not nearly as widespread as some of the more commonly used point-of-sale malware families our Trustwave research team encountered during the past year, but it has a capability that none of the others on this list possess. Besides scraping memory for card data and logging all keystrokes typed on the system, it uses the Tor anonymity network to hide its communications. Like JackPOS, it sends an HTTP POST request, but it routes that request through a Tor proxy, so investigators watching the victim's network see only a connection into Tor rather than the command-and-control destination.

vSkimmer is thought by some in the industry to be a descendant of the Dexter malware family. It is an early example of point-of-sale malware that operates as a botnet: in addition to stealing payment card information, it takes commands from a server controlled by the attackers, including instructions to download and execute arbitrary commands on the victim's system. That turns a card stealer into a foothold for further attacks at a later time.

Dexter was involved in many breaches during 2013 and has three major variants. The most recent uploads the stolen card data to an FTP server. This is an uncommon choice for malware, because the username and password for the server have to be embedded in the malware itself; once a sample is recovered, investigators and law enforcement can use those credentials to track the criminals and potentially gain access to other sensitive data the attackers have stored on the same server.
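The investigative angle above, as an added example that is not part of the article: pulling printable ASCII and UTF-16LE strings out of a binary and matching URLs that carry embedded credentials, which is how a hardcoded FTP drop site like the one described surfaces during triage of a recovered sample. The bytes, host name and credentials below are constructed for the example; ftp.example.invalid is not a real host.

```python
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# scheme://user:password@host[:port][/path]
CRED_URL_RE = re.compile(
    r"(?P<scheme>ftps?|https?)://(?P<user>[^:@/\s]+):(?P<password>[^@/\s]+)@"
    r"(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/\S*)?"
)

# Constructed stand-in for a dropped binary: a PE-like header, non-printable
# filler, an FTP drop-site URL with credentials stored as ASCII, and a
# user-agent string stored as UTF-16LE. Everything here is invented.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + bytes(range(32)) * 2
    + b"ftp://dump_user:Pa55w0rd@ftp.example.invalid/uploads/\x00"
    + bytes([0x00, 0xde, 0xad, 0xbe, 0xef]) * 8
    + "Mozilla/5.0 (compatible)".encode("utf-16-le") + b"\x00\x00"
    + b"\xcc" * 16
)


def extract_strings(blob: bytes) -> list[str]:
    """Printable runs of six or more characters, ASCII then UTF-16LE
    (the equivalent of `strings -a` followed by `strings -a -e l`)."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16LE_RE.finditer(blob)]
    return found


def find_credentials(blob: bytes) -> list[dict]:
    """Every URL with an embedded username:password found among the strings."""
    creds = []
    for s in extract_strings(blob):
        for m in CRED_URL_RE.finditer(s):
            creds.append({
                "scheme": m["scheme"],
                "user": m["user"],
                "password": m["password"],
                "host": m["host"],
                "port": int(m["port"]) if m["port"] else None,
                "path": m["path"] or "/",
            })
    return creds


if __name__ == "__main__":
    for cred in find_credentials(SAMPLE_BLOB):
        print(cred)
```

Credentials rarely sit in one URL string in a real sample; they are often split across separate strings or lightly obfuscated, so the string dump itself, not only the regex hits, is worth reading. Anything recovered this way belongs in the case file for law enforcement rather than being used to log in to the attackers' server from the investigating organisation.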

More than thirteen Alina variants were discovered in the wild this past year. Each new release includes incremental improvements and tweaks to the code that help the attackers refine their results and evade detection by security defenses.

ProjectHook has been around longer than most of the other examples on this list. Some of its earlier variants were discovered back in 2012, yet its code base is still being borrowed by new malware families. ProjectHook has the unique ability to update the list of command-and-control servers with which it communicates.

This family of payment card memory scrapers is the least technically advanced example we have encountered to date. It is written in AutoIt, a legitimate IT administration scripting language, and gathers the card data with simple script code rather than a compiled lower-level language that requires a more formal understanding of programming. Any card data it finds is sent back to the attackers by email on a recurring timer.
