What is POS Malware?

POS malware is specifically designed for point-of-sale (POS) terminals and systems with the intention of stealing payment card data. It is commonly used by cybercriminals who want to resell stolen customer data from retail stores. Payment card data is encrypted end-to-end and is only decrypted in the random-access memory (RAM) of the device while the payment is processing. A POS malware attack enters through compromised or weakly secured systems and scrapes the RAM to find payment card data, which is then sent unencrypted to the hacker.

How Does POS Malware Work?

POS malware is often called a process scanner by IT professionals because it scans active processes on devices and scrapes anything that could potentially be useful, usually credit card data. It searches for data that matches the Track 1 or Track 2 format encoded in the magnetic strip of a credit card. This data includes the card holder’s name, primary card number, charge types permitted, and discretionary data, which can include PINs. The unencrypted data is only available for a very short amount of time when it enters the database on the device. POS malware is designed to instantly acquire the data before it becomes encrypted. Once the malware obtains the data, it sends it to another server where the cybercriminal is able to sort through the data and find credit card numbers. With the payment card data, cybercriminals can sell the information on the dark web or make fraudulent purchases depending on what was scraped.

What Are the Different Types of POS Malware?

BlackPOS is designed for Windows-running computers that are part of a POS system. BlackPOS does not have offline data extraction and stolen data is uploaded to remote servers online, giving hackers more flexibility. BlackPOS was used in the giant Target POS breach in 2013.

TreasureHunt was custom-built by a particular hacker group selling stolen credit card data. This malware exploits stolen or weak credentials in order to install itself onto the device and targets retailers still using the older swipe systems. TreasureHunt then extracts credit card data from the device’s memory and sends it to the command and control server.

NitlovePOS gathers track-one and -two payment card data by scanning running processes of a compromised machine. It then uses SSL to send the stolen data to a web server. This malware also uses spam emails with a malicious attachment to trick users into downloading the malware. Once the malware is on the device, it isn’t immediately visible as it copies itself to disk and respawns if someone tries to delete it.

PoSeidon installs a keylogger on the compromised device and scans the memory of the device for credit card numbers. The keystrokes, which could contain passwords, and credit card numbers are then encoded and sent to another server. This malware can still run in memory if the user logs off and can stay hidden using clouding techniques.

MalumPOS is configurable and masks itself as a display driver on the infected device. It then monitors running processes and scrapes the memory of the infected device for payment information. This malware typically targets systems running on Oracle MICROS and that are accessed via Internet Explorer.

How Can I Protect Against POS Malware?

There are a few things that retail managers and security professionals can do to protect their POS systems from hackers:

• Whitelisting technology can provide protection from unauthorized practices running in POS systems. Whitelisting allows only pre-approved applications to run on a system.
• Use code signing. Code signing is a cryptographic value signed to a specific binary executable as a verifiable check against tampering. This ensures that every program is checked before it runs so that the system is not tampered with.
• Use chip readers. EMV technology used by chipped cards allows customers to avoid swiping. Magnetic stripes contain unchanging data, but the chips in EMV cards produce a unique transaction code every time. This makes it more difficult to replicate payment card data.