Known PoS Malware Variants
The list below is not exhaustive and is meant to provide an overview of the most prevalent PoS malware impacting US victims. This page is updated regularly with new information.
What is PoS malware?
PoS malware is malicious software designed to steal credit and debit card data from payment processing systems, known as point-of-sale (PoS) terminals.
What data does PoS malware steal?
PoS malware targets consumers’ personal and financial data stored on one of up to three ‘tracks’ on the magnetic stripe located on the back of a payment card. The majority of payment cards in the U.S. contain two tracks of data used by financial institutions to store a customer’s information; some cards contain a third track.
- Track 1: stores 79 alphanumeric characters containing the customer’s name, primary account number, card expiration date, and card verification value (CVV) code, along with additional characters to differentiate between data fields and identify endpoints.
- Track 2: stores 40 numeric characters and contains nearly the same information as the first track, except for the customer’s name.
- Track 3: is not standardized among banks and therefore rarely used. If present, however, it may include an encrypted Personal Identification Number (PIN), country code, and currency units.
When a payment card is swiped through a PoS system, unencrypted payment data from Track 1 and Track 2 of the card is briefly stored in the system’s Random Access Memory (RAM) for authorization and processing before being encrypted for transmission and storage on the company’s payment server. Although the payment card industry has uniformly adopted a strict set of data security standards that require end-to-end encryption of payment information, RAM remains the one location where PoS malware can still reach unencrypted payment information.
How does PoS malware work?
Infection: The malware is introduced onto the targeted system or network.
Execution: The malware then scans and monitors processes to find data, creates or modifies registry entries to maintain persistence, and may even introduce additional elements such as keylogger malware or bot functionality.
Collection: PoS malware uses RAM ‘scrapers’ to evaluate the clear-text RAM data, using regular expressions (regex) or the Luhn algorithm to distinguish Track 1 and Track 2 data from other types of data.
Extraction: The malware then extracts the payment card data and transmits it back to the hackers via a command and control (C2) server.
Profit: That information can then be used to create fraudulent cards for physical use at retail stores and automated teller machines (ATMs), to make online purchases, or to sell for profit on black-market websites or forums.
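As an added example (not part of this page), the kind of check an incident responder runs over a captured memory dump or log buffer to confirm whether cleartext Track 1/Track 2 data is present, i.e. whether the encryption described above is actually in effect. It uses the same two discriminators the Collection step names, a format regex and the Luhn check; the track layouts follow ISO 7813, the sample buffer is constructed around a widely published test card number, and PANs are masked in the output.

```python
import re
from dataclasses import dataclass

# ISO 7813 track layouts: start sentinel, PAN, separator, (name,) expiry YYMM,
# discretionary data, end sentinel. Deliberately strict to keep false positives low.
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})[^?]{0,60}\?")
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})[^?]{0,30}\?")

def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check: True if the digit string is a valid PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Finding:
    track: int
    offset: int
    masked_pan: str   # only the last four digits are kept in reports
    expiry: str

def find_cleartext_track_data(buf: bytes) -> list[Finding]:
    """Scan a captured buffer (memory dump, core file, log) for cleartext
    track data. The Luhn check drops strings that merely look like a PAN."""
    findings = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode()
            if luhn_ok(pan):
                masked = "*" * (len(pan) - 4) + pan[-4:]
                findings.append(Finding(track, m.start(), masked, m.group("exp").decode()))
    return findings

# Constructed sample buffer (not real data): 4111111111111111 is a published
# test card number; the ...1112 variant fails the Luhn check and is ignored.
SAMPLE_DUMP = (
    b"\x00\x00order=1234;total=19.99\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    b"\x00noise\x00;4111111111111112=25121010000000000?"
    b"\x00;4111111111111111=25121010000000000?\x00"
)
```

Running find_cleartext_track_data(SAMPLE_DUMP) reports one Track 1 and one Track 2 hit, both masked to the last four digits; a buffer captured from a terminal using point-to-point encryption should produce none.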
How to prevent PoS malware infections?
General Network and PoS Security
- Implement all recommended vendor patches and test to ensure the patch is successfully integrated. Refer to this best practices guide from Microsoft before implementing patches.
- Enforce up-to-date AV signatures, but do not rely on AV signatures alone; criminals often customize PoS malware in order to bypass the targeted network’s AV solution.
- Monitor firewalls for outbound traffic to unknown or suspicious IP addresses and domains.
- Mandate regular password changes, especially immediately before and after the holiday season, and enforce complex password rules for all network and remote access users.
- Implement multi-factor authentication wherever possible, especially for remote access applications and employees who manage customer data.
- Lock user accounts after multiple failed login attempts.
- Implement malware detection software to identify anomalous and suspicious patterns of behavior.
- Implement software to detect key-loggers on PoS terminals.
- If possible, deploy a host-based intrusion prevention system (HIPS).
On the Network
- Ensure that your PoS systems have a firewall or proxy installed for protection.
- Deploy an appropriately configured intrusion prevention system (IPS).
- Employ proper network segmentation, such that PoS systems operate on a separate, protected subnet.
- All VPN access should be performed through the IPS and must use up-to-date authentication mechanisms.
- Segregate your PoS system from other network functions such as email and non-PoS related applications. If the PoS is attached to enterprise resource planning (ERP), inventory, or finance systems, use application gateways to ensure the PoS functionality is logically protected.
- Confirm what data is at rest on PoS terminals and deploy endpoint encryption for those devices.
- Encrypting card and PIN data before it enters the payment terminal’s memory is an effective technique to safeguard payment data. Several vendors provide this technology.
- Some retailers have elected to replace in-store payment terminals with new technology that encrypts card account numbers and other track data as the card is swiped in the mag stripe reader or read by the chip reader.
- If PoS processing is performed by software on a single terminal, consider not allowing that terminal Internet access, or restrict its Internet access to only those destinations required for PoS functions (such as payment gateways).
- Do not use PoS terminals or other computers with access to PoS systems for Internet surfing, checking email, or accessing social media.
- Consider requiring two or more employees to approve any updates of the payment processing applications and, if possible, filter updates to terminals through a controlled server on the network.
- Ensure that there are no active USB ports or other media drives open on a PoS terminal. If running a Windows OS, ensure that auto-run is disabled to protect against insider threats.
- Inform employees to be on the lookout for skimmers, USB sticks, or other devices connected to PoS systems.
- Check all PoS systems, including card swipe equipment, for connected devices on a daily basis.
- Keep a detailed log of employees, vendors, and third parties who access PoS terminals and servers.
- Enforce a strict application whitelisting policy.
- Log and configure alerts triggered by any changes made to that whitelisting policy.
- Record and change default settings of any PoS hardware and software, including default passwords.
- Perform Open Web Application Security Project (OWASP) audits on any web applications.
- Test databases and web login portals against brute force password attacks and SQL injections.
- Secure webservers that contain customer data, including payment gateways and e-commerce applications.
- Ensure that no unauthorized code has been introduced to the production environment.
- Run regular vulnerability scans against your approved applications and patch vulnerable software immediately.
- Re-run vulnerability scans whenever new or updated applications are introduced.
Remote Access Controls
- Segregate the payment processing systems from remote access applications when possible.
- Restrict the network resources remote access users can access.
- Monitor remote user accounts for login abnormalities such as frequent failed login attempts, logins during non-normal working hours, and abnormal duration of logon.
- Enable and regularly review host-based security logs.
- Disable unused ports and services especially those that support remote access such as remote desktop protocol (RDP) and virtual network computing (VNC).
Third Party Vendors
- Conduct information security and risk assessments of all third party vendors with access to your network.
- Do not allow vendors to remotely access your network from outdated or insecure operating systems.
- Maintain an accurate list of third parties with remote access or physical access to the network perimeter.
- Require vendors to use multi-factor authentication (MFA) for remote access when possible. If MFA is not available, disable remote access except when specifically requested and scheduled by the vendor.
- Establish baselines for all third-party vendor network activity, including remote access and logins.
- Monitor third-party vendor activity for anomalous behavior such as frequent failed login attempts, logins during non-normal working hours, and abnormal duration of logon.
- Evaluate and limit third party network access privileges. For example, whitelist third party network addresses on a firewall provisioned to control remote access by third parties.
- Segment the network if possible through the use of secured VPNs with managed access control.
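One way to implement the login monitoring called for in both the Remote Access Controls and Third Party Vendors lists above, as an added example that is not from this page: three rules run over constructed remote-access log lines (a burst of failed logins, a successful login outside business hours, and a session far longer than the account’s baseline). The log format, thresholds, business hours and per-account baselines are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format:
# "<ISO timestamp> <account> <LOGIN_OK|LOGIN_FAIL|LOGOUT> src=<ip>"
SAMPLE_LOG = """\
2024-11-29T02:14:03 pos_support LOGIN_FAIL src=203.0.113.10
2024-11-29T02:14:09 pos_support LOGIN_FAIL src=203.0.113.10
2024-11-29T02:14:15 pos_support LOGIN_FAIL src=203.0.113.10
2024-11-29T02:14:22 pos_support LOGIN_FAIL src=203.0.113.10
2024-11-29T02:14:30 pos_support LOGIN_FAIL src=203.0.113.10
2024-11-29T02:15:01 pos_support LOGIN_OK src=203.0.113.10
2024-11-29T08:40:00 pos_support LOGOUT src=203.0.113.10
2024-11-29T09:02:11 hvac_vendor LOGIN_OK src=198.51.100.7
2024-11-29T09:31:40 hvac_vendor LOGOUT src=198.51.100.7
"""

BUSINESS_HOURS = range(7, 20)                         # assumed: 07:00-19:59
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)  # assumed tuning
BASELINE_SESSION = {                                  # assumed per-account baselines
    "hvac_vendor": timedelta(minutes=30),
    "pos_support": timedelta(minutes=45),
}

def parse(line: str):
    ts, user, event, src = line.split()
    return datetime.fromisoformat(ts), user, event, src.split("=", 1)[1]

def detect_anomalies(log_text: str, baseline=BASELINE_SESSION):
    """Return (rule, account, source_ip, timestamp) tuples for each alert."""
    alerts = []
    fails = defaultdict(list)   # account -> recent failed-login timestamps
    open_sessions = {}          # account -> time of last successful login
    for line in log_text.splitlines():
        ts, user, event, src = parse(line)
        if event == "LOGIN_FAIL":
            fails[user] = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[user]) >= FAIL_THRESHOLD:
                alerts.append(("brute_force", user, src, ts))
                fails[user].clear()
        elif event == "LOGIN_OK":
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_login", user, src, ts))
            open_sessions[user] = ts
        elif event == "LOGOUT" and user in open_sessions:
            duration = ts - open_sessions.pop(user)
            if duration > 3 * baseline.get(user, timedelta(hours=1)):
                alerts.append(("long_session", user, src, ts))
    return alerts
```

On the sample, only pos_support trips the rules: five failures in under a minute, a 02:15 login, and a session of more than six hours against a 45-minute baseline; hvac_vendor stays within its baseline and raises nothing.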
If you or your organization is the victim of PoS Malware, please contact a Cyber Liaison Officer at firstname.lastname@example.org.