Point of sale malware is not new. Cybercriminals have been using point of sale malware to steal credit card numbers from consumers for many years. Unfortunately for retailers, the threat of POS malware is growing. Highly sophisticated malware is being developed and used to obtain a wealth of information from retailers about their customers. That information is being used to commit identity theft and fraud. POS malware is also being used to obtain corporate data.

Point of Sale Malware – The biggest data security threat for retailers

Retailers are at risk of having point of malware installed throughout the year, but in the run up to Christmas the threat is greatest. It is the busiest time of year for shopping and hackers and other cybercriminals step up efforts to get their malware installed. Hackers are hoping for another big payoff before the year is out, and they are likely to get it.

Over the Thanksgiving weekend, some of the most sophisticated malware ever seen was discovered. In some cases, the point of sale malware had been blocked. Many retailers were not so lucky. Unfortunately, identifying malware once it has been installed can be incredibly difficult, especially with the latest ModPOS malware. It is already responsible for providing millions of credit card numbers to hackers, and has caused millions of dollars of damage. The full extent of the infection is not yet known due to the stealthy nature of this new malware.

ModPOS – The most worrying point of sale malware to be seen to date

The new malware has been named ModPOS – short for Modular Point of Sale malware – and it is particularly dangerous, stealthy, and fiendishly difficult to identify once installed. Security experts have been surprised at the level of sophistication. An incredible amount of skill was required to produce malware as complex as ModPOS. It shows the level that criminals will go in order to obtain data and avoid detection.

The malware has been developed to make it exceptionally difficult to identify, and it has clearly been designed with persistence in mind. Once installed, it can perform a wide range of functions; not only serving as a keylogger and card reader, but also a tool for network reconnaissance. It is not just large U.S. retailers that will be affected. This point of sale malware may be used to infect multiple targets. If protections are not put in place to prevent infection, the potential for damage is considerable.

Security analysts first saw elements of this POS malware three years ago, but it has been subsequently developed further. It is difficult to even estimate the extent of infection due to the nature of the malware. The level of obfuscation is impressive.

It has taken some of the world’s leading cybersecurity analysts a considerable amount of time to identify this point of sale malware, and even longer to reverse engineer it. It is, to put it simply, the most complex and sophisticated point of sale malware ever discovered. iSight Partners’ senior director Steve Ward has been reported as saying it is “POS malware on steroids.” ModPOS is the result of an extraordinary amount of time, money, and development. Every aspect of the malware has been painstakingly developed to avoid detection. Every kernel driver is effectively a rootkit.

Investment by criminals in this malware is unprecedented but, then again, the rewards for that investment are likely to be as well. If a major retailer is infected, and many will be, every one of their customers’ data could potentially be obtained. The potential gains for investors in the development of this malware are likely to be off the chart.

Highly functional malware that reads cards, steals corporate data, and much more

The malware can act as a keylogger, recording all data entered by employees. It will serve as a card scraper and will read the credit and debit card details of every customer who pays via point of sale systems. The malware will simply read the card details from the memory. Even EMV terminals may not offer protection.

Data are exfiltrated to hackers’ command and control centers, but it is not even clear what data are being transmitted. The malware encrypts each transmission twice, with 128 bit and 256-bit encryption. As if that wasn’t enough, the data of each customer require a different security key to decrypt them.

The shell code used is virtually a full program in itself. According to one iSight security expert, the shell code contained approximately 600 different functions. And that is just one piece. There are many more than one in this malware. All of the different modules operate in kernel mode, making them exceptionally difficult to identify. Furthermore, the malware is not being sold via darknet marketplaces. It is being kept secret and used by the criminal gang that paid for its development. The gang behind ModPOS has effectively paid for a license to print money.

The methods being used to distribute this point of sale malware are not known, and there is no fix for the threat actor. At the present time, there is a high risk of infection, and no single defense mechanism that can be employed to prevent an attack. So far, approximately 80 major retailers have been warned to be on high alert.

Reducing the risk of point of sale malware infections

Since the threat actor is not known, retailers and other organizations should be ultra-cautious and supplement their defenses to prevent attacks from being successful. Additional measures to enhance security include:

Conversion to EMV terminals – If data is not encrypted it can be read by the malware. The memory must also be encrypted, not only stored data.

Protect all systems, not just POS – The malware contains many modules, and its full capabilities are not fully known. It is not just credit card details that are at risk. All corporate data must be protected.

Implement email filtering solutions – The malware may be delivered via spam and bulk email. Infected attachments and phishing links may be used. It is essential that robust anti-spam solutions are implemented to prevent infection.

Web filtering is essential – The executable file responsible for installing the malware must not be downloaded to any device. Blocking known malware websites and potentially malicious website adverts will help to reduce the risk of ModPOS attacks.

Instruct staff to be highly vigilant – Regardless of the software systems used to improve security defenses, employees will always be a weak link. Staff should be trained and warned to be ultra-cautious, and instructed how to spot potentially malicious emails, websites, and phishing campaigns.