Understanding Point of Sale Malware in cyber crime prevention

Where there is money, there are criminals. Payment cards have attracted fraudsters from the start, and they have devised many ways to steal the data stored on them. Point of Sale (POS) systems are a favourite target because retailers process enormous numbers of transactions through them every day. To harvest that data at scale, attackers use POS malware that captures credit and debit card data on the terminal itself.

What is Point of Sale malware?

As the name implies, Point of Sale malware is malicious software written to run on POS terminals, which in practice are usually ordinary Windows machines running payment software. Card data is encrypted before it is sent to the processor for authorization, but it must first be read into the POS application's memory in clear text. POS malware, commonly called a RAM scraper, reads that process memory, picks out the track data from the magnetic stripe, and sends it to the criminal unencrypted (or encrypted only with the criminal's own key). The short window between the card swipe and the encryption for authorization is the security gap being exploited.

This tactic was devised because skimming requires physical access to each terminal to fit extra hardware onto it, which keeps it from scaling. POS malware removes that constraint: once inside a retailer's network, a single operation can harvest data from millions of cards.

The mastermind of the scheme is in prison

Albert Gonzalez, an American hacker, is considered the mastermind of the first large-scale operation of this kind, run between 2005 and 2007. It led to the theft of data from some 170 million cards, widely described as the largest such fraud to that date. On 25 March 2010 he was sentenced to 20 years in federal prison.

The stages of operation of cybercriminals explained

Cybercriminals keep devising new POS malware, and several families are sold on underground markets. POS terminals are generally not exposed directly to the internet, but they are connected to the retailer's corporate network, so attackers compromise that network first. They then move laterally with standard hacking tools until they reach the network segment that hosts the POS systems. Once there, they try to stay unnoticed for as long as possible: they scrub log files and tamper with security software so that the malware can keep collecting data.

Arrays of POS malware are available illegally

Criminals develop new malware quickly, and many variants have been seen in the wild. The better-known families are listed below.


Rdasrv was discovered in 2011. It installs itself on the Windows POS machine as rdasrv.exe and scans memory for track 1 and track 2 data, which include the cardholder's name (track 1 only), account number and expiry date. The stolen data is typically written to a file named data.txt or currentblock.txt before being sent back to the fraudster.


Alina was discovered in October 2012. Once installed on the POS machine it loads into memory and scrapes card data from the POS software's process memory, forwarding it to a command and control server.


VSkimmer detects card readers attached to the infected Windows system and scrapes the track data they read. Captured data is sent to the attacker's command and control server; if no network connection is available, it can instead be written to a removable drive for later collection.


Discovered in December 2012, Dexter combines a memory scraper for track 1 and track 2 data with a keylogger installed on the PC.


BlackPOS is a memory scraper designed to steal credit and debit card data from POS systems. It installs itself quietly, scrapes track data from memory, and stages the stolen data before sending it to an external server under the attacker's control.


Backoff is a memory-scraping malware that searches for Track 2 data, the content of the magnetic stripe. The data sent back to the attacker is enough to clone the card.


FastPOS Malware

FastPOS was discovered by Trend Micro researchers. As its name implies, it is built for speed: credit and debit card data are sent to the criminal as soon as they are captured, rather than being stored locally and exfiltrated in batches. It captures track data with both a keylogger and a memory scraper.

PunkeyPOS Malware

PunkeyPOS was discovered by PandaLabs. It infects POS systems and steals credit and debit card data with a keylogger and a RAM scraper. The stolen data is sent to the fraudster's command and control (C2) server in encrypted form.

Multigrain Malware

Multigrain is a newer member of the NewPOSThings family, discovered by FireEye. It scrapes card data from memory and runs each candidate card number through the Luhn algorithm to discard false positives before sending it on. For exfiltration it uses DNS queries rather than HTTP or FTP, so it still works on networks where those protocols are blocked at the perimeter.

CenterPOS Malware

CenterPOS was discovered in September 2015 by FireEye, during an investigation that also turned up other families such as BlackPOS, NewPOSThings and Alina. It uses Triple DES encryption.

MalumPOS Malware

MalumPOS targets the Oracle MICROS payment platform, which is deployed at more than 330,000 customer sites worldwide and is therefore an attractive target. The malware is written in Delphi, and the card data it collects is sold on black markets by cybercriminals.
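Multigrain's choice of DNS as the exfiltration channel (described above) matters for defenders: outbound HTTP and FTP are often filtered at a retailer's perimeter, but DNS rarely is. The block below is an added example, not FireEye's analysis code or anything from Multigrain itself. It runs over a constructed resolver log and flags parent domains that receive several distinct long, high-entropy leading labels, the signature of encoded data chunks being carried out in query names. The log lines, the attacker domain exfil-example.net, the assumption that the registrable domain is the last two labels, and the length, entropy and count thresholds are all assumptions for the demonstration.

```python
"""Added example (not from the page, from FireEye, or from Multigrain): a
detector for the DNS-query exfiltration pattern Multigrain used, where the
encoded stolen data is carried as the leftmost label of queries to an
attacker domain. Log lines, domains and thresholds are constructed assumptions.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client ip> <queried name>".
# exfil-example.net stands in for the attacker's domain; the long labels are
# invented base32-looking chunks, not real scraped data.
LOG_LINES = [
    "2016-04-20T10:01:02 10.0.5.21 www.example.com",
    "2016-04-20T10:01:05 10.0.5.21 mfrggzdfmztwq2lknnwg23tpobyxe43u.dns.exfil-example.net",
    "2016-04-20T10:01:07 10.0.5.21 safebrowsing-cache-v2.cdn.example.org",
    "2016-04-20T10:01:09 10.0.5.21 ge2dknrvgy4dsnzsgqydcmjqgayde4djmz.dns.exfil-example.net",
    "2016-04-20T10:01:11 10.0.5.21 safebrowsing-cache-v2.cdn.example.org",
    "2016-04-20T10:01:14 10.0.5.21 nb2hi4dthixs653xo4xgqzlsmuxgg33n.dns.exfil-example.net",
    "2016-04-20T10:01:20 10.0.5.22 mail.example.com",
    "this line is malformed",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded data scores higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_query_log(line: str):
    """Parse one constructed log line; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts, client, qname = parts
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower()}


def suspicious_domains(lines, min_label_len=20, min_entropy=3.5, min_distinct=3):
    """Map parent domain -> sorted distinct long, high-entropy leading labels,
    keeping only parents that received at least min_distinct of them.

    Requiring several *distinct* labels is what separates exfiltration (every
    chunk is new) from a benign long hostname that is simply looked up often.
    """
    long_labels = defaultdict(set)
    for line in lines:
        rec = parse_query_log(line)
        if rec is None:
            continue
        labels = rec["qname"].split(".")
        if len(labels) < 3:
            continue
        parent = ".".join(labels[-2:])  # assumption: registrable domain = last two labels
        first = labels[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            long_labels[parent].add(first)
    return {p: sorted(ls) for p, ls in long_labels.items() if len(ls) >= min_distinct}


def estimated_payload_bytes(labels) -> int:
    """Rough size of the carried data if the labels are base32 (5 bits per char)."""
    return sum(len(label) for label in labels) * 5 // 8


if __name__ == "__main__":
    for parent, labels in suspicious_domains(LOG_LINES).items():
        print(f"{parent}: {len(labels)} chunks, ~{estimated_payload_bytes(labels)} bytes")
```

In the constructed log the benign name safebrowsing-cache-v2.cdn.example.org passes both the length and the entropy test, which is why neither alone is a useful signal; it is the stream of never-repeating labels to one parent domain that gives the exfiltration away. On a real network the same logic is best run on resolver logs for the POS segment, where the set of legitimate query names is small and stable.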


Source: https://www.symantec.com/connect/blogs/demystifying-point-sale-malware-and-attacks
