Point-of-sale malware is the cause of most retailer data breaches, according to the PCI Council, and it’s getting ever sneakier to avoid detection as it steals payment card numbers on the fly. Two new examples of their stealthy techniques were unearthed by security researchers last week, according to SC Magazine.
Unlike most POS malware, both of the new families — dubbed LogPOS and PwnPOS — use one component to find card data and another to send it to the cyberthieves.
Cincinnati-based security company Morphick reported a POS malware family it called LogPOS that uses a Windows programming feature called mailslots, which are designed to let programs communicate with each other without having to store data in files.
The malware injects code into several processes, forcing them to search different sections of the POS system’s memory, Morphick researcher Nick Hoffman wrote.
“In this case, the main executable creates the mailslot and acts as the mailslot server, while the code injected into the various processes acts as a client, writing carved credit card numbers to the mailslot for direct transmission” to a remote server, he told SC Magazine, adding that the mailslot capability helps the malware to avoid traditional means of detection, such as scanning files for unencrypted payment card data.
Meanwhile, Trend Micro has identified PwnPOS, which also has two separate components but uses a simpler approach. The module that scrapes memory hunting for likely payment card numbers is consistent in all members of the malware family, according to threat analyst Jay Yaneza. The card numbers are written to a log file, and the memory scraper is capable of periodically uninstalling itself as an active process, which makes it more difficult for antivirus tools to spot.
But Yaneza wrote that he has seen at least two different modules for sending the data back to thieves, which uses a common email-sending protocol, SMTP, to send card data to at least two different email addresses.
Part of PwnPOS’s advantage is its simplicity, which is also its weakness — it has a much harder time successfully running on 64-bit Windows systems. However, “a good majority of POS terminals are still running on Windows XP and there is no pressing need for 64-bit operating system installations in these kinds of systems,” Yaneza wrote.