
December 27, 2016

The POS Malware Threat: All You Need to Know

Criminal behavior is hardly a new concept, and just as reliable as death and taxes. Criminals are finding new ways to steal things with every social and technical advancement society makes. In our information-driven, computer-based world, the outlaws are using computers and systems to rob the train in a new version of an old story. We call this new version cyber-crime.

Cyber-crime is manipulation of computers and networked systems to enable criminal behavior. Often the goal is the theft of information for financial gain, but sometimes the plan is sabotage, or redirecting users forcibly to a particular website that sells software or goods and services. As many ways as we choose to engage with information technology, there are at least as many ways to cheat, steal and deceive the users of that technology. Attacks on systems that hold information, sabotage of websites that provide information and services, and breaches of secure communications are all becoming more common.

One of the most potentially profitable areas for criminals is in breaching point-of-sale, or POS, software. With so much to gain, skilled hackers can attack the POS system of a business on a very large scale, compromising credit cards and stealing identity information from thousands of users at once, while using the network connections of the system itself to export, or exfiltrate, the stolen information.

The POS Malware Threat

The threat to eCommerce posed by POS attacks strikes at the heart of online business: trust in the process and in the company that offers it. For this reason, the Payment Card Industry Security Standards Council (PCI SSC) has published data security standards for any organization that handles credit, debit and ATM transactions, and for supporting organizations that store, transfer, or process cardholder information. This sensitive information is captured by hackers to commit credit card fraud and identity theft. A POS breach exposes customers to financial harm and merchants to reputational damage, loss of business and recovery costs. The PCI DSS (Data Security Standard) requirements mandate encryption of card data whenever that data is transmitted or stored.

POS malware is dangerous because it is designed to steal the sensitive information stored in the magnetic stripe of a credit or debit card – information that is particularly exposed because it sits unencrypted for a brief time immediately after collection, before the system has had an opportunity to encrypt it. POS malware, therefore, usually exploits a network connection to reach this vulnerable point and collect the information directly out of memory, a process known as “RAM scraping.” It is extremely difficult to secure the system at this point, in part because of its location in the network, in part because of its role in collecting important information and, finally, because of the reliance on the care and caution of human operators. An unhappy employee or an expert social engineer can gain initial access in a very low-tech way.

Small businesses often transmit over cellular data networks, which are particularly vulnerable, but large businesses are vulnerable in a different way. Though they usually have their own back-end systems to transmit data, these systems are vulnerable to trojans and other malware that can be deployed on a network, spread laterally and made persistent – that is, able to reinstall itself if it is detected and removed. Moreover, if the malware has taken control of the network management software, it can become very good at evading detection for quite some time – long enough to steal a great deal of information.

Adding to the vulnerability, many POS terminals use a version of Microsoft Windows, which is very susceptible to attack, making it a minor matter for attackers to gain access to the terminal, bypass security and develop targeted malware for the system.

In addition, in many areas of the Internet of Things, devices have been found that are sold already infected with malware. Several years ago, TrendMicro reported on the appearance of fake POS machines that would skim the card information before refusing the transaction. Users of POS software must exercise great diligence in choosing and protecting their point of sale system.

POS Malware Families

Security groups have identified a number of POS malware families. POS malware is described in ‘families,’ because each contains a number of variants. A brief description of some of the most active families follows.

ALINA: The Alina malware family, also known as “Trackr”, is one of the most basic types of POS malware. It scans the system’s memory, checking for the existence of valid card information. Once stolen, the data are sent to command-and-control (C&C) servers using a simple HTTP POST command. Alina uses its own C&C structure, encrypts the data it exfiltrates, and shuts down Windows processes so it can operate without interference.

vSkimmer: The vSkimmer malware family can be found prebuilt and readily available online. It created a lot of buzz on its first appearance because of its ease of deployment: vSkimmer can be installed through a USB thumb drive, as malware attached to an email message, through a website, or using similar simple methods. Once installed, vSkimmer collects information on the POS system itself, such as the operating system and version, hostname, and various other critical characteristics, and uses that information to tune the software to the system. Interestingly, vSkimmer does not need the POS system to be connected to the Internet in order to run. If it is connected, vSkimmer will use that connection; if it is not, the information is stored until someone connects a USB device with a particular name, at which point it copies the stolen information onto the USB device so it can later be uploaded to the hacker’s own C&C server.

Dexter: Dexter is a POS malware family whose activities are not limited to stealing card information; it also identifies and records system information. In addition, it installs a keylogger to capture all keystrokes – often a way to trap passwords and other credentials. Dexter malware has several versions: Star Dust, Millennium, and Revelation, each more sophisticated than the previous version. Dexter malware can be embedded in files stored on Windows servers and deploys from there. Later versions also can exfiltrate using FTP, which allows a larger data export to a single location.

FYSNA/Chewbacca: The FYSNA/Chewbacca malware family is a basic type of POS malware, but it added a new challenge by utilizing the Tor anonymity network to secure its C&C operations, making the detection of a breach and subsequent investigation more difficult.

Decebel: The Decebel malware family added an elaborate evasion mechanism to its malware. Decebel checks for the presence of analysis tools before running, so it will not run where it could easily be detected and analyzed. This allows the attack more time to function before the scheme is detected and removed. Like a lot of other POS malware, Decebel uses HTTP POST to upload stolen data to its C&C server.

BlackPOS: BlackPOS is the best-known POS malware family, and it is easily obtained, as its source code has already been posted online. BlackPOS has a number of variants with additional sophistication: for instance, one variant only performs its activities during business hours, between 10 a.m. and 5 p.m. BlackPOS, like Dexter, uses FTP to upload information to the attacker’s server. In both cases, consolidating the stolen data in one place gives attackers more control over the information.

PoSeidon: In 2014, experts at Cisco discovered a new family of POS malware called PoSeidon. It is highly sophisticated in its methods for identifying and stealing card data. According to Cisco, “PoSeidon was professionally written to be quick and evasive with new capabilities not seen in other PoS malware. It can communicate directly with C&C servers, self-update to execute new code and has self-protection mechanisms guarding against reverse engineering.” (Cisco statement to Security Week, March 21, 2015) It can also verify the validity of card numbers, allowing it to avoid raising suspicion through the use of invalid card numbers. It contains a loader to ensure persistence on the infected system, and uses a keylogger to scan the input to identify card numbers. PoSeidon encrypts its exfiltrated data using an XOR cipher and base64 encoding.

NewPosThings: Another 2014 discovery was NewPosThings, which implements a refined RAM scraping process. The malware includes a custom packer and new anti-debugging mechanisms, and a module specifically to harvest user input. When it installs, it uses familiar-looking names to minimize suspicion, such as java.exe, vchost.exe, dwm.exe, and so on. It also uses a normal-looking registry entry with the name “Java Update Manager” to establish persistence on the infected machine, where it proceeds to collect sensitive data, including passwords, while disabling system warnings.
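The two host-side tricks just described, a persistence entry that launches from a user-writable directory and a process name that is a system binary's or one character off from one, can be audited mechanically. The following Python is an added example, not code from the article or from any published analysis of NewPosThings; the trusted-directory baseline, the list of imitated names and the autorun and process entries are constructed assumptions.

```python
# Added example (not from the article): audit a constructed autorun/process
# inventory for the persistence and name-masquerading tricks described above.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_NAMES = {"svchost.exe", "dwm.exe", "java.exe", "explorer.exe", "lsass.exe"}

AUTORUNS = [  # (Run-key value name, command) -- constructed sample
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("Java Update Manager", r"C:\Users\pos\AppData\Roaming\java.exe"),
]
PROCESSES = [  # (image name, full path) -- constructed sample
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("vchost.exe", r"C:\Users\pos\AppData\Local\Temp\vchost.exe"),
    ("dwm.exe", r"C:\Windows\System32\dwm.exe"),
    ("dwm.exe", r"C:\ProgramData\dwm.exe"),
]

def in_trusted_dir(path):
    """True if the path (compared case-insensitively) is under a system directory."""
    return path.lower().startswith(TRUSTED_DIRS)

def one_edit_apart(a, b):
    """True if a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # make a the shorter string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
        else:
            edits += 1
            if len(a) == len(b):         # substitution consumes both characters;
                i += 1                   # an insertion in b consumes only b[j]
        j += 1
    return edits + (len(b) - j) == 1     # a trailing extra character is the one edit

def imitated_system_name(image):
    # one_edit_apart() is False for an exact match, so genuine system names return None
    return next((real for real in SYSTEM_NAMES if one_edit_apart(image.lower(), real)), None)

def audit(autoruns, processes):
    """Findings for autoruns outside trusted dirs and for masquerading process names."""
    findings = []
    for name, cmd in autoruns:
        if not in_trusted_dir(cmd):
            findings.append(f"autorun '{name}' starts {cmd} from an untrusted location")
    for image, path in processes:
        if image.lower() in SYSTEM_NAMES and not in_trusted_dir(path):
            findings.append(f"{image} is a system name but runs from {path}")
        real = imitated_system_name(image)
        if real:
            findings.append(f"{image} at {path} is one character away from {real}")
    return findings
```

On the sample inventory the audit reports the "Java Update Manager" entry in AppData, the vchost.exe lookalike of svchost.exe, and the copy of dwm.exe running from ProgramData, while the genuine System32 processes pass.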

Other POS malware found in 2014 included Soraya, which implements RAM scraping and web forms grabbing.

In 2015, still more POS malware was found, including a new Alina variant and new malware by the names of LogPOS, FighterPOS, and Punkey.

Targeting a Server

Attacks at the server level can involve misuse of any management system used to monitor or maintain an organization’s POS systems. Any system that controls or allows access to POS systems is a potential vulnerability. Access to servers can be achieved using network-level hacking, in which shared connections between systems can be exploited – for instance, if the Wi-Fi hotspot provided to customers shares a connection with the POS system. The hackers who affected a large number of U.S. merchants in 2009-2011 used malware to scan ports on the system and identified those that were running remote-access software. The hackers then knew which ports to attack.

Even if the POS system is using a closed Wi-Fi network, attackers might be able to crack its passphrase, either through sophisticated trojans, or by using brute force. Attackers also might search until they find an open port on a switch and add their own Wi-Fi access point there.

The goal of network infiltration is to reach a server. Device- and network-level attacks are inherently limited to a single POS system, or at most a network of POS systems in a single location, but a successful server breach, depending on the architecture, could expose all POS systems in all of a retailer’s locations.

In order to reach a server, attackers need to learn what software is available on the server and have the means to exploit it.

Typically, the first overture will be a socially engineered message, usually an e-mail that encourages the target to click a link or open a file. If the target is tricked into doing so, then the payload can be delivered in the form of a piece of malware that executes on the target’s computer. From there, the attackers can leverage that foothold to take control of the compromised computer, install keyloggers and remote access applications, and download additional software that hides the malware, establishes persistence, and creates a launch site for the full attack.

The attackers – perhaps through the malware itself – use tools that allow them to execute shell commands that broaden their access, evaluate existing data and network architecture, and assess protection mechanisms. In the process, the attackers might collect additional information that will help them plan future attacks, customize malware, and plan the exfiltration. They will continue to elevate their access privileges until they are able to infiltrate their ultimate target: the POS systems.

The number and sophistication of attacks are growing, as are the varieties of POS malware, and merchants cannot afford to be out of compliance with the PCI DSS. Many of the security measures in the DSS can mitigate the POS malware threat:

• Only necessary traffic should be allowed through the firewall.

• Only allow connectivity from the card terminal or POS appliance to the processor, and nowhere else.

• Install anti-virus and anti-malware software on all POS devices.

• Keep security patches current.

• Enforce network logging to identify anomalies.
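The second and fifth items above can be combined into one concrete check: if terminals may only talk to the processor, every other connection from the POS segment is an anomaly worth logging and reviewing. The following Python is an added example, not code from the article: it evaluates constructed firewall log lines against a processor-only egress allowlist, catching the HTTP and FTP channels the families above use for exfiltration; the POS subnet, the processor endpoints and the log format are assumptions.

```python
"""Check POS-segment egress against a processor-only allowlist (added example,
not from the article; subnet, processor endpoints and log lines are constructed)."""
import ipaddress
import re

POS_SEGMENT = ipaddress.ip_network("10.20.30.0/24")           # assumed POS terminal VLAN
PROCESSOR = {("203.0.113.10", 443), ("203.0.113.11", 443)}    # assumed processor endpoints
PROCESSOR_HOSTS = {ip for ip, _ in PROCESSOR}

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)"
)

# Constructed firewall log. Lines 3-5 mimic the HTTP POST, FTP and wrong-port
# patterns a compromised terminal would produce; line 6 is not a POS host.
SAMPLE_LOG = """\
2016-12-27T09:01:02Z src=10.20.30.12 dst=203.0.113.10 dport=443 proto=tcp action=allow
2016-12-27T09:01:05Z src=10.20.30.12 dst=10.20.30.1 dport=53 proto=udp action=allow
2016-12-27T09:02:17Z src=10.20.30.15 dst=198.51.100.77 dport=80 proto=tcp action=allow
2016-12-27T09:02:40Z src=10.20.30.15 dst=198.51.100.77 dport=21 proto=tcp action=allow
2016-12-27T09:02:55Z src=10.20.30.12 dst=203.0.113.10 dport=21 proto=tcp action=deny
2016-12-27T09:03:00Z src=10.20.40.8 dst=198.51.100.5 dport=80 proto=tcp action=allow
"""

def classify(src, dst, dport):
    """Return None if the flow is acceptable for a POS host, else a reason string."""
    if ipaddress.ip_address(src) not in POS_SEGMENT:
        return None                     # not a terminal: out of scope for this check
    if ipaddress.ip_address(dst) in POS_SEGMENT:
        return None                     # local gateway/DNS inside the segment
    if (dst, dport) in PROCESSOR:
        return None
    if dst in PROCESSOR_HOSTS:
        return f"processor host on unexpected port {dport}"
    return f"non-processor destination {dst}:{dport}"

def find_egress_violations(log_text):
    """Return (timestamp, src, reason) for each violating line. Denied attempts are
    included: a terminal merely trying to reach an unapproved host is itself the anomaly."""
    violations = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            reason = classify(m["src"], m["dst"], int(m["dport"]))
            if reason:
                violations.append((m["ts"], m["src"], reason))
    return violations
```

Run against the sample log, the check flags the two connections to 198.51.100.77 (ports 80 and 21) and the port 21 attempt against the processor host, and ignores the in-segment DNS query and the non-POS source.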

In addition, following some basic security precautions can help a great deal:

• Do not allow USB devices to be connected to the server that hosts your POS system.

• Train your staff on POS malware threats.

• Lock your POS servers up in a secure location with limited access.

With proper security and employee training, it would be much harder for attackers to succeed in breaking into the payment environment. Many security holes exist because of noncompliance, and following some basic security measures and ensuring compliance with the PCI DSS will go a long way toward preventing POS malware from infiltrating your system.

With proven and extensive experience in digital marketing, Gunjan Tripathi has been responsible for the online presence of CheapSSLShop. Through involvement in a security company, Gunjan has gained extensive knowledge of cyber-security, threats, malware and related topics, along with digital marketing, social media optimization, and ORM (online reputation management).