Point-of-sale Malware
Point-of-sale malware (POS malware) is malicious software used by cybercriminals to target point of sale (POS) and payment terminals with the intent of obtaining credit card and debit card information, a card's track 1 or track 2 data and even the CVV code, by various man-in-the-middle attacks, that is, by intercepting the processing at the retail checkout point of sale system. The simplest, or most evasive, approach is RAM scraping: reading the system's memory and exporting the copied information via a remote access trojan (RAT). This minimizes any software or hardware tampering and potentially leaves no footprints. POS attacks may also include the use of various pieces of hardware: dongles, trojan card readers, and (wireless) data transmitters and receivers. Being at the gateway of transactions, POS malware enables attackers to process and steal thousands, even millions, of payment records, depending upon the target, the number of devices affected, and how long the attack goes undetected. This is done before, or outside of, the point where the card information is (usually) encrypted and sent to the payment processor for authorization.


List of POS RAM scraper malware variants


Rdasrv

It was discovered in 2011 and installs itself on the Windows computer as a service called rdasrv.exe. It scans for track 1 and track 2 credit card data using Perl compatible regular expressions; this data includes the cardholder's name, account number, expiry date, CVV code and other discretionary information. Once the information has been scraped it is stored in data.txt or currentblock.txt and sent to the attacker.


Alina

It was discovered in October 2012 and is installed on the PC automatically. It is embedded in an AutoIt script, which loads the malware into memory. It then scrapes credit card (CC) data from the POS software.


VSkimmer

VSkimmer scrapes information from the Windows system by detecting the card readers attached to it, and then sends the captured data to the cybercriminal's control server.


Dexter

It was discovered in December 2012. It steals system information along with track 1 and track 2 card details with the help of a keylogger installed on the computer.


BlackPOS

It is spyware created to steal credit and debit card information from the POS system. BlackPOS gets onto the PC using stealth-based methods, steals the information and sends it to an external server.


Backoff

This memory-scraping malware targets track 2 data, read from the card's magnetic stripe by magnetic stripe readers, and sends the data to the attacker, who uses it to clone counterfeit credit cards.


FastPOS

FastPOS is POS malware discovered by Trend Micro researchers. It strikes the point of sale system very quickly, snatching credit and debit card information and sending the data to the cybercriminal immediately. The malware can exfiltrate the track data using two techniques: a keylogger and a memory scraper.


PunkeyPOS Malware

PandaLabs discovered this malware, which infects the point of sale system to breach credit and debit card details. PunkeyPOS uses two functions, a keylogger and a RAM scraper, to steal information at the point of sale terminal. Once the information is stolen, it is encrypted and sent to the cybercriminal's command and control (C&C) server.


Multigrain Malware

This new variant of POS malware was discovered by FireEye. It uses a new, advanced technique to steal retail customers' card information, validating candidate card numbers with the Luhn algorithm. Before exfiltrating the stolen information it first blocks the HTTP and FTP traffic that monitors for data exfiltration. It belongs to the NewPosThings malware family.
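The Rdasrv entry above describes a scraper that locates track 1 and track 2 data in memory with regular expressions, and the Multigrain entry describes the Luhn check used to confirm that a digit run is really a card number. The following added example (written for this page, not code from any of the malware families or vendors named here) applies the same two checks from the defender's side: it scans an arbitrary byte buffer, such as a memory sample from a POS process, a dropped output file like data.txt, or a captured outbound payload, for track-formatted records, masks the account numbers so that alerts never carry a full PAN, and uses the Luhn check to drop random digit runs. The regex patterns, field names and the sample buffer are this example's own assumptions, and the sample uses only a public test card number.

```python
"""
Detect track 1 / track 2 magnetic-stripe data in a byte buffer (added example).

Intended for forensic triage and DLP-style checks on memory samples, dropped
files, or captured traffic. Track layouts follow ISO/IEC 7813 (simplified):
  Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
  Track 2: ;<PAN>=<YYMM><service code><discretionary>?
Regexes, field names and sample data below are this example's assumptions.
"""
import re

TRACK1_RE = re.compile(
    rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]{0,50})\?"
)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})([^?]{0,30})\?")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits so findings never leak a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> list:
    """Return one finding per track-formatted record in the buffer, by offset."""
    findings = []
    for m in TRACK1_RE.finditer(blob):
        pan = m.group(1).decode()
        findings.append({
            "track": 1,
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"{m.group(4).decode()}/{m.group(3).decode()}",  # MM/YY
            "luhn_valid": luhn_valid(pan),
        })
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1).decode()
        findings.append({
            "track": 2,
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",  # MM/YY
            "luhn_valid": luhn_valid(pan),
        })
    findings.sort(key=lambda f: f["offset"])
    return findings


def high_confidence(findings: list) -> list:
    """Keep only records whose PAN passes Luhn; the rest are likely noise."""
    return [f for f in findings if f["luhn_valid"]]


# Constructed sample: a slice of a POS process's memory or a scraper's output
# file. Uses the public Visa test PAN 4111 1111 1111 1111 plus one copy altered
# so the Luhn check fails. No real card data.
SAMPLE = (
    b"\x00\x00POSAPP v2.1 txn=000173\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000?"
    b"\x00\x00\x00garbage;4111111111111112=25121010000000000?\x00"
    b";4111111111111111=25121010000000000?\x00\x00\x00"
)

if __name__ == "__main__":
    for finding in high_confidence(find_track_data(SAMPLE)):
        print(finding)
```

Run against the constructed sample, three track-shaped records are found but only two survive the Luhn filter; the Luhn-failing record is the kind of false positive that makes raw regex alerting noisy on a busy POS host. In a real deployment the buffer would come from a memory acquisition tool or a network capture, and the masked findings are what should go into the alert or case notes.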


CenterPOS Malware

CenterPOS is POS (Point of Sale) malware found in September 2015, alongside other malware such as BlackPOS, NewPOSThings and Alina, by FireEye experts (https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html, "CenterPOS: An Evolving POS Threat"). It scrapes credit and debit card data and sends it in an HTTP POST request, encrypted with Triple DES.


MalumPOS Malware

MalumPOS is point of sale malware that records point of sale data from systems running the Oracle MICROS payment system; it has breached 333,000 records worldwide. It is written in the Delphi programming language and steals credit and debit card details. The stolen data is then sent to the cybercriminal or sold on the black market.


See also

* Point of sale
* Cyber security standards
* List of cyber attack threat trends
* Cyber electronic warfare
* Malware

