GratefulPOS: The Grinch Who Stole Your Payment Data

GratefulPOS, a new point-of-sale (PoS) malware variant, is targeting PoS systems running Microsoft Windows 7 or later. The malware exfiltrates payment card data via encoded and obfuscated DNS queries sent to a hard-coded domain controlled by the threat actor. This DNS exfiltration method effectively bypasses firewalls and circumvents PoS system controls designed to block the system's access to the internet: the infected PoS system sends the payment card data, encoded in DNS queries, to an internal DNS server, which then forwards those queries on toward the threat actor's domain, eliminating the need for the infected PoS system to have a direct connection to the internet.

The NJCCIC recommends that all merchants using PoS systems review the RSA report and the NJCCIC profile on GratefulPOS and scan their systems and networks for the associated IoCs. Merchants who have not yet upgraded to EMV chip card terminals are strongly encouraged to use hardware-enabled point-to-point encryption for the storage and transmission of payment card data. On chip-enabled terminals and readers, disable the magnetic stripe reader processes and components, if possible, to reduce the risk of payment data compromise.
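Because the PoS system only ever talks to the internal resolver, that resolver's query log is the natural place to look for this kind of exfiltration. The following is an added detection example, not code from the NJCCIC or RSA reports: it scans constructed resolver log lines (the assumed format is `<client> <qtype> <qname>`, and `exfil-domain.example` is a placeholder, not a GratefulPOS IoC) and flags any base domain that receives many distinct, long, high-entropy subdomain labels, the signature of data being carried in query names.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (format assumed: "<client> <qtype> <qname>").
# The exfiltration domain below is a placeholder, not a real indicator.
SAMPLE_LOG = """\
10.1.20.15 A www.example.com
10.1.20.15 A 5a3f9c1e7b2d4e8f0a6c1b3d5e7f9a2c.exfil-domain.example
10.1.20.15 A 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.exfil-domain.example
10.1.20.15 A c41b2e7d9a0f3c6e8b5d2a7f1e4c9b03.exfil-domain.example
10.1.20.15 A 3e7a1c9f5b2d8e4a6c0f7b3d9e1a5c2f.exfil-domain.example
10.1.20.15 A b08c3d9e2f5a7c1d4e6b9f0a3c8d2e7b.exfil-domain.example
10.1.20.15 A 6f2a9d4c7e1b3f8a5c0d2e9b7a4f1c6d.exfil-domain.example
10.1.20.15 A mail.example.com
10.1.20.15 A time.windows.com
10.1.20.15 A updates.example.com
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded card data scores high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def base_domain(qname):
    """Approximate registrable domain as the last two labels."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def subdomain(qname):
    """Everything in front of the base domain (the exfil 'payload' slot)."""
    return ".".join(qname.rstrip(".").split(".")[:-2])

def find_suspect_domains(log_text, min_unique=5, min_avg_len=24, min_entropy=3.0):
    """Return {base_domain: stats} for domains whose unique subdomains are
    numerous, long and high-entropy. Thresholds are tuning assumptions."""
    per_domain = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        per_domain[base_domain(parts[2])].add(subdomain(parts[2]))
    suspects = {}
    for dom, subs in per_domain.items():
        subs.discard("")  # bare base-domain lookups carry no payload
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            suspects[dom] = {"unique_subdomains": len(subs),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)}
    return suspects
```

Running `find_suspect_domains(SAMPLE_LOG)` flags only the placeholder exfiltration domain; the handful of ordinary lookups to example.com and windows.com fall below the unique-subdomain threshold.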