London Calling
Malicious Malware Could Grab Your Christmas Cash



One of the most financially successful and prevalent cyber crimes is the hacking of retail point-of-sale (PoS) systems. Major stores and retail outlets therefore need to shore up their defenses against such attacks to maintain customer confidence. For instance, malware can worm its way into the Track 1 and 2 data held on a credit card's magnetic stripe. So what are the most dangerous PoS hacking systems? Brandon Tansey, security researcher at Lancope, lists these top ten bad boys:


This PoS malware searches for Track 1 and 2 data in specific, hardcoded PoS process names. It cannot exfiltrate data automatically—it only writes information to disk.

Another Track 1 and 2 infiltrator, Alina doesn't have a specific list of target processes. It sweeps through memory but skips programs that are likely to use large amounts of memory yet have a low chance of containing card information, like web browsers. It's able to automatically exfiltrate information over the network.


This malware is distributed as a customizable kit. That means those who purchase it can automatically generate malware using their own configuration options. These generated samples, which search for Track 2 data, use a process blacklist containing the names of certain Windows processes unlikely to contain credit-card information. It also has the ability to download and execute other applications at the command of its controller. VSkimmer supports automatic exfiltration over the network and can dump stored credit-card information to a thumb drive with a pre-determined name.

In addition to simply looking for Track 1 and 2 credit-card information, Dexter has a key-logging component to capture keystrokes and other input. It maintains a process blacklist similar to VSkimmer. Furthermore, Dexter can automatically exfiltrate data over the network, and receive commands to download and execute other files or remove itself.

Some versions of this aptly named malware are capable of using user-supplied search criteria, which makes the malware easy to repurpose. BlackPOS has also been spotted attempting to brute-force RDP logins of other hosts. It can perform multiple types of network-based exfiltration, including email and FTP sites. Because the source code of BlackPOS was leaked, anyone who obtains the code can modify or recreate it.

This malware searches for credit-card information. It attempts to avoid analysis environments like sandboxes and debuggers. Decebal can use the network for exfiltration, and it also sends the names of installed anti-virus products to its controllers. It's been observed being distributed via drive-by download. Like BlackPOS, Decebal's source code was leaked.

JackPOS is PoS malware that searches for both Track 1 and 2 information. Like other families, JackPOS also maintains a blacklist of process names and exfiltrates data over the network.

On top of searching non-blacklisted process memory for credit-card information, Soraya injects itself into processes to capture data transmitted in Web requests. It exfiltrates captured credit-card information as well as Web requests over the network. Soraya uses packing to obfuscate its executable file, making analysis more difficult.

This PoS malware family is notable for its use of Tor hidden services to exfiltrate data. In addition to searching for Track 1 and 2 data, ChewBacca has a key-logging component.

As the name implies, this malware uses brute-force attacks to compromise additional systems. It targets known PoS software process names for scanning.

Backoff hunts for Track 1 and 2 data by scanning the memory of processes that are not blacklisted. Like Soraya, it uses custom obfuscation in an attempt to make analysis more difficult. Furthermore, it's capable of downloading and executing additional files. Like BlackPOS and BrutPOS, Backoff has been observed being distributed through exposed PoS systems with weak RDP credentials.
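Nearly every family above scrapes process memory for Track 1 and 2 records, so a defender's first question is whether a PoS process is holding cleartext track data at all. Here is an added example (not from the column or from Lancope) that audits a memory dump or process snapshot for such records, Luhn-validates the account number to weed out random digit runs, and reports only masked PANs; the dump bytes and card numbers are constructed public test values.

```python
import re

# Constructed sample of what a fragment of PoS process memory might hold
# if cleartext track data is present. The card numbers are public test
# numbers, not real accounts.
SAMPLE_DUMP = (
    b"\x00\x00POSAPP.EXE\x00"
    b"%B4111111111111111^DOE/JANE^25121010000000000?\x00"
    b"\x00junk data\x00"
    b";5500000000000004=2512101000000000?\x00"
    b";4111111111111112=2512101?\x00"  # bad check digit: noise, not a card
)

# Track 1: %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})[^?]{0,100}\?")
# Track 2: ;<PAN>=<YYMM><service code + discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[0-9]{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; cuts false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only; findings must never contain full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list:
    """Report every Luhn-valid Track 1/2 record in buf, PAN masked, by offset."""
    findings = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue
            expiry = (m.group(3) if track == 1 else m.group(2)).decode("ascii")
            findings.append({"track": track, "offset": m.start(),
                             "pan_masked": mask_pan(pan), "expiry": expiry})
    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    for finding in scan_for_track_data(SAMPLE_DUMP):
        print(finding)
```

Any hit against a live PoS process indicates that a memory scraper from this list would succeed there, regardless of whether one is currently installed.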

In addition to those hacks, another recently announced cyber threat promises to be even more insidious—it can attack a wide variety of mobile networks. Called "Inceptions," it not only infiltrates your smartphone, but it also has the ability to stay hidden and conceal where it came from.

So, given the prevalence of malware bombs that could seriously damage your credit card, it may be prudent to consider cash purchases to make sure Santa's deliveries make it down the family chimney this Christmas.

