Point of Sale (POS) malware is a growing concern for the retail industry, from the large-scale attack on Target in 2014 to smaller attacks that go unreported. POS malware is an evolving field of study for security researchers.

According to Trend Micro, the earliest POS malware reported was RawPOS, in 2009. It wasn't superseded until 2011 with Rdasrv, which was then followed by, or forked into, a variety of new and ever more vicious pieces of malware, with Kasidet being one of the most recent examples.


So what is a POS device?

POS devices are any endpoint devices used to make financial transactions at the point of sale. This may be a cash register, or it may be a card swipe device. While the latter are already targeted by card skimmers, they're also vulnerable to firmware attacks, which can turn an unmodified device into a card skimmer. Registers are also vulnerable: as technology has progressed, so has register technology. While standards such as PCI DSS are in place to protect against fraud, they aren't 100% effective, and malware development has added a new and complicated layer.


You mentioned firmware attacks, but how does malware gather data from a POS device?

It depends on the malware, to be honest. The simplest method is to sit resident in memory and scrape card data during transactions, buffer batches of card numbers, and, when no one's looking, send them to the C&C system along with the PIN. This is the technique used by Alina and its descendants.

Other POS malware families use the litany of standard malware infiltration tactics: Trojans, (spear) phishing, and so on. This allows them either to go undetected or to appear as a legitimate program on sensitive systems. They then sit in the background and gather their information before contacting their C&C.
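The memory-scraping families described above stage card data in the track-2 layout read from the magnetic stripe, so a defender can look for that layout (and not just any run of digits) in outbound payloads or in a suspect process's memory dump. The following is an added example written for this post, not ThreatSTOP's code and not part of any product described here. It assumes a byte buffer as input, anchors on the track-2 sentinels, confirms each candidate with the Luhn check so order numbers and timestamps are not reported, and masks the PAN before returning it so the alert itself does not leak card data. The sample buffer is constructed and uses only publicly known test card numbers.

```python
import re

# Track-2 layout on a magnetic stripe: ";<PAN>=<YYMM expiry><service code><discretionary data>?"
# The PAN is 13 to 19 digits. Anchoring on the ';' and '=' sentinels means a bare run of
# digits (an order id, a timestamp) is not treated as a card number.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check that all payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9 back to one digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual display form for alerts."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return one record per Luhn-valid track-2 string found in buf, with the PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue  # digit run that happens to fit the layout but is not a card number
        hits.append({
            "pan": mask_pan(pan),
            "expiry": m.group(2).decode() + "/" + m.group(3).decode(),  # YY/MM
            "offset": m.start(),
        })
    return hits


# Constructed sample standing in for a staged batch: one unrelated request line,
# two valid test card numbers and one that fails Luhn (ignored by the scanner).
SAMPLE_BUFFER = (
    b"GET /order?id=1234567890123456 HTTP/1.1\r\n"
    b";4111111111111111=25121011234567890?\r\n"
    b";5555555555554444=26031011000000000?\r\n"
    b";4111111111111112=25121010000000000?\r\n"
)

if __name__ == "__main__":
    for rec in find_track_data(SAMPLE_BUFFER):
        print(rec)
```

The same function can be pointed at an egress proxy's captured request bodies or at a memory dump of a process on the register; the offset field is there so an analyst can go back to the raw bytes. Only the masked PAN should ever make it into a ticket or a SIEM event.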


What's the potential for damage from a POS device compromise?

Bad. After the breach suffered by Target, they were on the hook for $10 million in damages to their customers. Customers also had to take steps to re-secure their personal information. This leaves a bad taste in customers' mouths, and Target did take a knock to its brand for this.

For an idea of the type of fallout you can expect from a massive breach, you can study not only Target but its contemporary Equifax. While Equifax wasn't affected by POS malware, its breach will have heavy implications for the company.


So, how do we protect ourselves?

ThreatSTOP has been focusing on POS malware attacks recently. After a good bit of research, we've added two new target lists to our threat protection. Adding these to your ThreatSTOP DNS or IP Firewall device will block the exfiltration of data. It will also alert you to the presence of compromised devices, which you can then take offline and remediate.

Enabling the TS Curated - POS targets in your policies for ThreatSTOP DNS and IP Defense Services protects against POS malware threats. The TS Research - POS targets are also available in Expert mode and can be added explicitly, although they are already part of the highly recommended TS Curated - POS targets.
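To make concrete what "block exfiltration and alert on the compromised device" means in practice, here is an added example (written for this post, not ThreatSTOP's code and not how its DNS or IP Firewall is implemented). It assumes a block list of domains and IP ranges, a simple constructed log layout of "<time> <client> dns|conn <target>", and IPv4 targets in "host:port" form. The domain names use the reserved .invalid TLD and the addresses are RFC 5737 documentation ranges, so none of them is a real indicator. The output groups blocked targets by client so each register that tried to reach one can be isolated.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed block list standing in for a POS target list. Placeholder values only:
# .invalid names and RFC 5737 documentation networks, never real indicators.
BLOCKED_DOMAINS = {"exfil-example.invalid", "pos-c2-example.invalid"}
BLOCKED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed log lines: "<time> <client ip> <dns|conn> <target>".
SAMPLE_LOG = """\
2024-03-01T09:12:01Z 10.0.5.21 dns shop.example.com
2024-03-01T09:12:07Z 10.0.5.21 dns upload.exfil-example.invalid
2024-03-01T09:13:42Z 10.0.5.33 conn 203.0.113.17:443
2024-03-01T09:14:10Z 10.0.5.40 conn 192.0.2.55:443
2024-03-01T09:15:00Z 10.0.5.21 conn 198.51.100.9:8080
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (dns|conn) (\S+)$")


def domain_blocked(name: str) -> bool:
    """True if the query name, or any parent domain of it, is on the list."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def ip_blocked(host_port: str) -> bool:
    """True if the destination address falls inside a blocked range (IPv4 host:port assumed)."""
    ip = ipaddress.ip_address(host_port.rsplit(":", 1)[0])
    return any(ip in net for net in BLOCKED_NETS)


def triage(log_text: str) -> dict:
    """Map each client that hit a blocked target to the targets it tried to reach."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log format; skip rather than guess
        _, client, kind, target = m.groups()
        blocked = domain_blocked(target) if kind == "dns" else ip_blocked(target)
        if blocked:
            hits[client].append(target)
    return dict(hits)


if __name__ == "__main__":
    for client, targets in triage(SAMPLE_LOG).items():
        print(f"isolate {client}: attempted {', '.join(targets)}")
```

Matching parent domains matters because exfiltration hosts are usually short-lived subdomains of a listed zone. The client grouping is the part that turns a firewall log into a remediation list: a register that resolves or connects to a listed target is treated as compromised and taken offline, exactly as the post describes.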

If you do not have a ThreatSTOP account, sign up for a free trial.

If you do have a ThreatSTOP account, instructions for adding targets to DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub, or you can contact our Support team.