Point-of-sale malware

Last updated
A point of sale card terminal Betalings terminal.jpg
A point of sale card terminal

Point-of-sale malware (POS malware) is usually a type of malicious software (malware) that is used by cybercriminals to target point of sale (POS) and payment terminals with the intent to obtain credit card and debit card information, a card's track 1 or track 2 data and even the CVV code, by various man-in-the-middle attacks, that is the interception of the processing at the retail checkout point of sale system. [1] The simplest, or most evasive, approach is RAM-scraping, accessing the system's memory and exporting the copied information via a remote access trojan (RAT) as this minimizes any software or hardware tampering, potentially leaving no footprints. [2] POS attacks may also include the use of various bits of hardware: dongles, trojan card readers, (wireless) data transmitters and receivers. [3] Being at the gateway of transactions, POS malware enables hackers to process and steal thousands, even millions, of transaction payment data, depending upon the target, the number of devices affected, and how long the attack goes undetected. [4] This is done before or outside of the card information being (usually) encrypted and sent to the payment processor for authorization.

Contents

List of POS RAM scraper malware variants

Rdasrv

It was discovered in 2011, and installs itself into the Windows computer as a service called rdasrv.exe. [5] It scans for track 1 and track 2 credit card data using Perl compatible regular expressions which includes the customer card holder's name, account number, expiry date, CVV code and other discretionary information. Once the information gets scraped it is stored into data.txt or currentblock.txt and sent to the hacker.

Alina

It was discovered in October 2012 and gets installed into the PC automatically. It gets embedded into the Auto It script and loads the malware into the memory. Then it scrapes credit card (CC) data from POS software. [6]

VSkimmer

Vskimmer scrapes the information from the Windows system by detecting the card readers attached to the reader and then sends the captured data to the cyber criminal or control server. [7]

Dexter

It was discovered in December 2012 to steal system information along with the track 1 and track 2 card details with the help of keylogger installed onto the computer.

BlackPOS

It is a spyware, created to steal credit and debit card information from the POS system. BlackPOS gets into the PC with stealth-based methods and steals information to send it to some external server. [8]

Backoff

This memory-scraping malware tracks Track 2 data to access the card magnetic stripe with the help of magnetic stripe readers and sends data to hacker to clone fake credit cards.

FastPOS

FastPOS Malware is a POS malware that was discovered by Trend Micro researchers. This strikes the point of sale system very fast and snatches the credit and debit card information and sends the data to the cyber criminal instantly. The malware has the capability to exfiltrate the track data using two techniques such as key logger and memory scraper. [9] [10] [11]

PunkeyPOS Malware

PandaLabs discovered this malware and it infects the point of sale system to breach credit and debit card details. [12] PunkeyPOS Malware uses two functions such as keylogger and RAM Scraper to steal information at Point of Sale Terminal. [13] Once the information is stolen, it is encrypted and sent to cybercriminal's Control and Command Server (C&C). [14]

Multigrain Malware

This new variant of pos malware or point of sale malware was discovered by FireEye. [15] It follows new advanced technique to steal retail customer's card information with the help of Lunh Algorithm. [16] To exfiltrate the stolen information it first block http and ftp traffic that monitors the data exfiltration. It belongs to the family of NewPosThings malware. [17]

CenterPOS Malware

CenterPOS is a POS (Point of Sale) Malware that been found in the year 2015 of September along with the other malicious malware such as BlackPOS, NewPOSThings and Alina Malware by FireEye Experts. [18] It scrapes the stolen credit and debit card and sends the data HTTP POST request with the help of Triple DES encryption.

MalumPOS Malware

MalumPOS is a point of sale malware that records point of sale's data which is running in an Oracle MICROS payment system and has breached 333,000 data's all over the world. It uses Delphi programming language for stealing the credit and debit card details. The stolen data is then sent to the cyber criminal or sold in the black market.

See also

Related Research Articles

<span class="mw-page-title-main">Point of sale</span> Time and place where a retail transaction is completed

The point of sale (POS) or point of purchase (POP) is the time and place at which a retail transaction is completed. At the point of sale, the merchant calculates the amount owed by the customer, indicates that amount, may prepare an invoice for the customer, and indicates the options for the customer to make payment. It is also the point at which a customer makes a payment to the merchant in exchange for goods or after provision of a service. After receiving payment, the merchant may issue a receipt, as proof of transaction, which is usually printed but can also be dispensed with or sent electronically.

<span class="mw-page-title-main">EMV</span> Smart payment card standard

EMV is a payment method based on a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them. EMV stands for "Europay, Mastercard, and Visa", the three companies that created the standard.

<span class="mw-page-title-main">Credit card fraud</span> Financial crime

Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Form grabbing is a form of malware that works by retrieving authorization and log-in credentials from a web data form before it is passed over the Internet to a secure server. This allows the malware to avoid HTTPS encryption. This method is more effective than keylogger software because it will acquire the user’s credentials even if they are input using virtual keyboard, auto-fill, or copy and paste. It can then sort the information based on its variable names, such as email, account name, and password. Additionally, the form grabber will log the URL and title of the website the data was gathered from.

Dexter is a computer virus or point of sale (PoS) malware which infects computers running Microsoft Windows and was discovered by IT security firm Seculert, in December 2012. It infects PoS systems worldwide and steals sensitive information such as credit and debit card information.

I Love Velvet is a global provider of hardware and software for mobile point of sale (mPOS) transactions and value-added retail services. I Love Velvet manufactures and sells merchant-operated, consumer-facing and self-service mPOS systems to the entertainment, retail, hospitality, and automotive industries.

PoSeidon is a name for a family of malicious computer programs targeting computerized Point-of-Sale systems.

Memory-scraping malware or RAM Scrapping malware is a malware that scans the memory of digital devices, notably point-of-sale (POS) systems, to collect sensitive personal information, such as credit card numbers and personal identification numbers (PIN) for the purpose of exploitation.

Backoff is a kind of malware that targets point of sale (POS) systems. It is used to steal credit card data from point of sale machines at retail stores. Cybercriminals use Backoff to gather data from credit cards. It is installed via remote desktop type applications where POS systems are configured. It belongs to the POS malware family as it is known to scrape the memory of POS devices.

BlackPOS, also known as Kaptoxa, is a point-of-sale malware program designed to be installed in a point of sale (POS) system to scrape data from debit and credit cards. BlackPOS was used in the Target Corporation data breach of 2013.

Alina is a Point of Sale Malware or POS RAM Scraper that is used by cybercriminals to scrape credit card and debit card information from the point of sale system. It first started to scrape information in late 2012. It resembles JackPOS Malware.

FastPOS is a variant of POS malware discovered by Trend Micro researchers. The new POS malware foregrounds on how speed the credit card data is stolen and sent back to the hackers.

PunkeyPOS is a new type of Point of Sale Malware which was discovered by PandaLabs in 2016. This new Point of Sale Malware infects the Point of Sale(POS) Systems with two types of malware applications - keylogger and RAM Scraper. PunkeyPOS gets installed into the computer automatically without the knowledge of the user, in a similar manner as other POS malware.

A new sophisticated point-of-sale or memory-scraping malware called "Multigrain" was discovered on April 17, 2016 by the FireEye Inc. security company. Multigrain malware comes under the family of NewposThings Malware. This malware is similar to the NewposThings, FrameworkPOS and BernhardPOS malware which were known previously as notorious malware.

CenterPOS is a point of sale (POS) malware discovered Cyber Security Experts. It was discovered in September 2015 along with other kinds of POS malware, such as NewPOSThings, BlackPOS, and Alina. There are two versions which have been released by the developer responsible: version 1.7 and version 2.0. CenterPOS 2.0 has similar functionality to CenterPOS version 1.7. The 2.0 variant of CenterPOS malware added some more effective features, such as the addition of a configuration file for storing information in its command and control server.

Malumpos is a point of sale malware that are designed to steal or scrape customer’s credit and debit card detail from point of sale system. These are designed in a way that it records point of sale’s data which is running in an Oracle MICROS payment system of the restaurant. The collected data has been used in 333,000 customer sites around the world. Malumpos Malware targets hotels and other US businesses and put the retail customers at risk. This POS RAM Scraper is written in the Delphi programming language. Malumpos monitors, processes, scrapes the stolen data of the infected POS system and the RAM. First it stores the stolen credit or debit card details of the customer from the infected point of sale system once it is swiped. Then it sends the data to the cybercriminal to empty the customer bank balance or the details are sold to the black market.

Kasidet POS Malware is a variant of Point of Sale (POS) Malware that performs DDoS attacks using Namecoin's Dot-Bit service to scrape payment card details. It is also known as Trojan.MWZLesson or Neutrino and was found in September 2015 by cyber security experts. It is a combination of BackDoor.Neutrino.50 and the POS malware.

Data breach incidences in India were the second highest globally in 2018, according to a report by digital security firm Gemalto. With over 690 million internet subscribers and growing, India has increasingly seen a rise in data breaches both in the private and public sector. This is a list of some of the biggest data breaches in the country. This was reported stealing over 500 Million credit cards.

References

  1. Orla (Nov 25, 2015). "Demystifying Point of Sale Malware and Attacks". Symantec.
  2. "The continuing threat of POS malware". Trend Micro. May 1, 2017.
  3. "Malware Targeting Point of Sale Systems". Alert. U.S. CERT. Jan 2, 2014. TA14-002A.
  4. "What is POS Malware? - Point of Sale Malware Definition and FAQ". Comodo. Retrieved Nov 4, 2016.
  5. Rdasrv POS RAM Scraper Malware
  6. Constantin, Lucian (18 December 2014). "Point-of-sale malware creators still in business with Spark" . Retrieved 4 November 2016.
  7. "vSkimmer botnet targets card payment terminals". Info Security. 25 March 2013.
  8. "Researchers find new point-of-sale malware called BlackPOS" . Retrieved 4 November 2016.
  9. "FastPOS malware instantly delivers stolen credit card data". 3 June 2016. Retrieved 4 November 2016.
  10. "FastPOS: Quick and Easy Credit Card Theft - TrendLabs Security Intelligence Blog". 2 June 2016. Retrieved 4 November 2016.
  11. "FastPOS Malware Breaches and Delivers Credit Card Data Instantly" . Retrieved 4 November 2016.
  12. "News Alert! PandaLabs Discovers New POS Malware". 23 June 2016. Retrieved 4 November 2016.
  13. PunkeyPOS Malware
  14. "New Episode of Punkey PoS Malware Airs" . Retrieved 4 November 2016.
  15. "MULTIGRAIN – Point of Sale Attackers Make an Unhealthy Addition to the Pantry « Threat Research Blog" . Retrieved 4 November 2016.
  16. "New Multigrain Malware steals Point of Sale Data Over DNS" . Retrieved 4 November 2016.
  17. Constantin, Lucian (20 April 2016). "New point-of-sale malware Multigrain steals card data over DNS" . Retrieved 4 November 2016.
  18. https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html CENTERPOS: AN EVOLVING POS THREAT
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.