Point-of-Sale malware attacks – crooks expand their reach, no business too small


Numaan Huq and Richard Wang of SophosLabs have been keeping track of the evolution of Point-of-Sale malware.

We’ve recently been tracking a set of incidents involving malware attacking Point-of-Sale (PoS) equipment.

Your payment card data, along with other personally identifiable information (PII), flows into PoS devices, across PoS networks, and through PoS servers every time you pay for something without using cash.

As a result, PoS equipment and the local-area networks that support it are found all over the world, in both developed and developing countries.

When was the last time you tried to pay for a hotel stay in cash, for example?

Even if you settled the bill with cash, you probably swiped or waved a payment card when you checked in, just to avoid having to lay down a large cash deposit.

As a result, PoS systems are a lucrative target for crooks.

So it’s not surprising that we’ve written about this particular malware family, Troj/Trackr-Gen, and its thirst for credit card data before.

It seems the criminals behind it have added a few new tricks in the last 15 months.

The most interesting development is that some versions can now exfiltrate the captured card data over the network directly, rather than just dumping it to disk for later collection.

→ The Payment Card Industry has a Data Security Standard, known unsurprisingly as PCI DSS. It specifies, amongst other things, that cardholder data must in general be encrypted if it is stored, and that sensitive authentication data, such as CVV numbers, mustn’t be stored at all once a transaction is complete. Ironically, the crooks have learned from this too: with little or no card data to be found on disk, the malware reads it from the memory of the running PoS processes, where it must exist in clear text while a transaction is being processed, and the newer variants now avoid writing to disk themselves as well, leaving fewer traces for file-based scanners and forensic examiners.
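The same pattern matching a memory scraper relies on can be turned around by a defender: run it over a memory dump of a PoS process to confirm whether clear-text track data is present at all, and so whether that process is in scope for PCI DSS. The following is an added example and not code from SophosLabs or the article; the Track 1 and Track 2 expressions are this example's own reading of the ISO/IEC 7813 field layout, and the sample buffer is constructed (it uses the well-known Visa test number 4111111111111111, with a second copy altered so that it fails the Luhn check). Output is masked so the check does not itself create a PCI problem.

```python
import re

# Track 1 (IATA) and Track 2 (ABA) layouts as they appear in clear text in
# a PoS process while a card is being processed. These expressions are an
# assumption of this example, written from the ISO/IEC 7813 field layout:
#   Track 1: %B<PAN>^<name>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})(\d{3})(\d{0,40})\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d{0,40})\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list[dict]:
    """Scan a raw buffer (e.g. a process memory dump) for magnetic-stripe
    track data and return masked, Luhn-checked findings ordered by offset."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 1, "offset": m.start(), "pan": mask(pan),
                     "expiry": m.group(3).decode(), "luhn_ok": luhn_ok(pan)})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 2, "offset": m.start(), "pan": mask(pan),
                     "expiry": m.group(2).decode(), "luhn_ok": luhn_ok(pan)})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample buffer standing in for a slice of PoS process memory.
SAMPLE_BUFFER = (
    b"\x00\x00POS_TXN_START\x00"
    b"%B4111111111111111^DOE/JANE^25121010000000000?"    # Track 1, valid Luhn
    b"\x00\x00;4111111111111111=25121010000000000?"     # Track 2, valid Luhn
    b"\x00;4111111111111112=25121010000000000?"         # last digit altered, fails Luhn
    b"\x00random 1234567890123 digits, not a track\x00"  # no sentinels, ignored
)

if __name__ == "__main__":
    for h in find_track_data(SAMPLE_BUFFER):
        print(f"offset {h['offset']:5d}  track {h['track']}  PAN {h['pan']}  "
              f"exp {h['expiry']}  luhn_ok={h['luhn_ok']}")
```

A failed Luhn check is worth keeping in the output rather than discarding: it usually marks a partially overwritten buffer or a decoy, and it is exactly the kind of noise a scraper has to filter out before the data is worth exfiltrating.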

Another change is found when examining some of the targets.

As before, the criminals are avoiding very large businesses, but in addition to the commonly attacked hospitality industry and hotel targets there are now smaller victims, including a single car dealership in Australia.

A couple of cosmetic changes have also been made.

There is a new generator for random filenames, creating completely random five-character names such as IXWIG.exe and KPAOE.exe.

For variants that use hardcoded names, the long-standing rdasrv.exe has been joined by filenames designed to hide in plain sight, such as windowsfirewall.exe or msupdate.exe. Neither is the name of a genuine Windows component, but both are plausible enough to survive a glance down a process list.
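Both naming tricks are easy to check for on a PoS terminal, and the check is worth running because the names above are the only indicators the article gives. The script below is an added example, not SophosLabs code: it takes a process listing as (pid, image path) pairs and flags the three hardcoded names reported in the article, the five-upper-case-letter random names, and, as a hypothetical generalisation of the "hide in plain sight" trick that goes beyond the article's list, any binary with a system-sounding prefix that is not running from the real system directories. The process listing is constructed.

```python
import re
from pathlib import PureWindowsPath

# Filenames the article reports for this family: the long-standing
# rdasrv.exe plus the newer "hide in plain sight" variants.
KNOWN_TRACKR_NAMES = {"rdasrv.exe", "windowsfirewall.exe", "msupdate.exe"}

# The newer generator produces five random upper-case letters plus .exe
# (the article's examples are IXWIG.exe and KPAOE.exe).
RANDOM_NAME_RE = re.compile(r"^[A-Z]{5}\.exe$")

# Hypothetical heuristic (an assumption of this example, not from the article):
# names that suggest a Windows component but do not live in the real system
# directories. Genuine components such as msiexec.exe run from System32.
SYSTEM_SOUNDING_PREFIXES = ("windows", "ms", "win")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def in_system_dir(path: str) -> bool:
    """True if the binary's parent directory is System32 or SysWOW64."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def assess(path: str) -> list[str]:
    """Return the list of reasons a binary looks like PoS malware (empty if none)."""
    name = PureWindowsPath(path).name
    reasons = []
    if name.lower() in KNOWN_TRACKR_NAMES:
        reasons.append("known Trackr filename")
    if RANDOM_NAME_RE.match(name):
        reasons.append("random five-letter name")
    if name.lower().startswith(SYSTEM_SOUNDING_PREFIXES) and not in_system_dir(path):
        reasons.append("system-sounding name outside System32")
    return reasons


def scan_processes(processes: list[tuple[int, str]]) -> list[dict]:
    """Apply assess() to every (pid, image path) pair and keep the flagged ones."""
    findings = []
    for pid, path in processes:
        reasons = assess(path)
        if reasons:
            findings.append({"pid": pid, "name": PureWindowsPath(path).name,
                             "path": path, "reasons": reasons})
    return findings


# Constructed process listing for a PoS terminal; pids and paths are made up.
SAMPLE_PROCESSES = [
    (412,  r"C:\Windows\System32\svchost.exe"),                 # legitimate
    (1004, r"C:\Windows\System32\msiexec.exe"),                 # legitimate, "ms" prefix in System32
    (1180, r"C:\Program Files\PoSVendor\posterm.exe"),          # the PoS application itself
    (2036, r"C:\Windows\Temp\IXWIG.exe"),                       # random five-letter name
    (2044, r"C:\Users\cashier\AppData\Local\KPAOE.exe"),        # random five-letter name
    (2310, r"C:\Windows\rdasrv.exe"),                           # known hardcoded name
    (2440, r"C:\ProgramData\windowsfirewall.exe"),              # known name, looks like a Windows component
    (3020, r"C:\Users\cashier\Downloads\msupdate.exe"),         # known name, looks like a Windows component
    (3300, r"C:\Users\cashier\AppData\Local\Temp\mssetup.exe"), # not in the article, caught by the prefix heuristic
]

if __name__ == "__main__":
    for f in scan_processes(SAMPLE_PROCESSES):
        print(f"pid {f['pid']:5d}  {f['path']}")
        for r in f["reasons"]:
            print(f"           - {r}")
```

On a real terminal the listing would come from the OS (tasklist, WMI or a forensic triage tool) rather than a hardcoded list, and the heuristics will produce false positives on poorly named vendor software; treat a hit as a prompt to check the file's signature and hash, not as a verdict.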

It seems that no victim is too small for Point-of-Sale malware.

The popularity of terms like “Advanced Persistent Threat” and “state-level malware actors” may make it sound as though only the biggest multinationals and parastatals are at risk these days.

But stealing $75 each from 1,000,000 people gives the same financial result as stealing $75 million from a megacorporation.

So you simply cannot assume that your business or organization is not a big enough target to worry about web attacks or targeted malware.

Remember this: there is no radar below which you can fly.

As a final thought, since we already know the how and the why of this latest round of PoS attacks, we invite you to consider the where.

There’s an intriguing hint buried in the code:

We don’t know if that’s where the crooks are from, or if it’s where they’ve been most successful in infiltrating PoS networks (Botswana, home to the astonishing inland Okavango Delta, has a strong hospitality industry), or perhaps just where they spent some of their ill-gotten gains on a vacation.

Do you run a small business that relies on PoS equipment?

If so, how much of a challenge are you finding it to stay ahead of crooks like this?

Have your say in the comments…

Image of PoS machine courtesy of Shutterstock.