Extremely complex POS malware identified

Now that the holiday shopping season is in full force, some cybersecurity experts are warning of a new – and nearly undetectable – piece of malware that’s potentially infecting point-of-sale systems around the country. The program, dubbed ModPOS, was found by security experts from the firm iSIGHT, and is described as the most complex and secretive virus of its kind.

Nearly undetectable
Engineers working for iSIGHT believe that this malware has been infecting retail systems since at least 2012, according to eWEEK, but it wasn’t previously discovered because of the high level of encryption inherent in the program.

“We have professional level coding, a really heavy emphasis on obfuscation,” Maria Noboa, lead technical analyst for cyber-crime with iSIGHT, told eWEEK. “When you think of all these things that it is doing, it is overkill, almost.”

ModPOS has been around long enough to have allowed criminals to steal and upload millions of pieces of credit card data.

Extremely complex
ModPOS is short for "modular point of sale," a name that refers to the highly adaptive nature of the program. The program uses a keylogger, RAM scraping and network monitoring to steal the information from credit cards swiped at a point-of-sale terminal, according to Gizmodo.

This malware is so powerful that iSIGHT believes it can allow access to the data from both traditional swipe cards and the newer and more secure EMV chip-enabled cards. The switch to the chip cards was supposed to have stymied POS viruses, but this new program has found a way around that, according to RT.

ModPOS is so complex that it took engineers at iSIGHT nearly three weeks to reverse-engineer it – a far cry from the half hour it typically takes them to work through a piece of point-of-sale malware.

Once the program scrapes the information from a transaction, it uses a high level of encryption to obscure the data it uploads to a server. Each stolen record is encoded using a different key, so it is nearly impossible to identify what data has been taken.

ModPOS is currently undetectable by virus scanning programs, which has allowed it to spread throughout the retail landscape. Anti-virus providers are now studying iSIGHT’s findings to identify ways the program can be found and eliminated.

Experts believe that this malware infects systems via phishing attacks, eWEEK noted. These attacks are perpetrated by emails or other communications that induce a person to download the program by disguising it as something else. These types of messages are a very common way of introducing a virus into a system.

Companies should implement basic practices when it comes to security. According to eSecurity Planet, companies should ensure that point-of-sale systems are isolated from the Internet behind firewalls, have up-to-date software and use point-to-point encryption to protect data starting at the point of swipe.