The anatomy of a POS malware attack


When attempting to get a handle on cybersecurity in a retail business, the most important piece of technology is the point-of-sale (POS) system. These are the nexuses of information most enticing to a cybercriminal, because they are the place where every customer's payment card data passes through.

In a report last year, cybersecurity company Trustwave found that 33 percent of all data breaches it investigated in 2013 came from attacks on point-of-sale systems. Though the new EMV chips are supposed to reduce these types of attacks, adoption of the technology has been slower than expected and many companies remain vulnerable. EMV also makes stolen data much harder to turn into counterfeit cards, but it does not by itself stop a terminal from handling the card number in cleartext.

But how do these attacks actually work? What do cybercriminals do to scrape data out of these systems? Here is what one type of point-of-sale breach might look like:

Launch an attack
The first thing attackers have to do in order to compromise a system is to find a way in. According to IT Business Edge, these attacks begin very broadly: the attackers plant a piece of software called an "exploit kit" on a popular website that many people visit on any given day. When a visitor loads that page, the kit probes the visitor's browser and its plugins for known vulnerabilities, and a successful exploit hands the attacker control of that computer.

The kit fingerprints each computer it reaches (browser, plugins and their versions) and the attacker, or the kit itself, selects an exploit that matches. If the exploit succeeds, malware is downloaded to the victim's computer and, through that program, the attacker gains a foothold on the network the computer is connected to, according to Malwarebytes.


Find the target
This kind of campaign can ensnare thousands of machines, from home computers to office desktops, including those at schools and universities. The attackers aren't generally interested in those systems, though; they focus their attention on machines owned by retailers, in an effort to find cardholder data.

They can determine the type of computer and its location from the IP address and from the installed programs and files, according to IT Business Edge. The attackers then pick the largest retailer among the victims they have access to and move to attack its point-of-sale system.

Compromise the point-of-sale
Once a viable target has been found, the attackers turn their attention to the retailer's internal network. The initial compromise most likely landed on a workstation in the corporate network rather than on the point-of-sale system itself: POS terminals are not often used for Web browsing and probably never visited the site hosting the exploit, so the attackers have to reach them through the network.

But once an attacker is in the corporate network, they can use that foothold to remotely access many other systems on it. Among those will be the point-of-sale terminals the retailer operates, unless the network is segmented so that POS systems cannot be reached from ordinary corporate hosts.

Once they have access to those machines, they install a second piece of malware, specifically on the point-of-sale systems, that carries out the actual data theft, IT Business Edge reported.

Reel in the data
The final step in the attack is to wait for payment cards to be swiped at the point-of-sale terminal. During a transaction the raw, unencrypted card data (the magnetic-stripe track data, including the card number) sits briefly in the RAM of the point-of-sale system, unless the terminal uses a point-to-point encryption solution that encrypts the data inside the card reader and keeps cleartext out of the POS application's memory, which can also take that system out of PCI DSS scope. The installed malware scrapes that data from RAM and saves it for later retrieval by the criminal, according to a Trend Micro report.

Once enough data has accumulated, the attacker merely needs to return to the point-of-sale system they already control and send the stolen data, by file transfer or email, to an offsite location, from where it can be sold to the highest bidder.
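An added example, not from the article: the exfiltration step only works if a POS terminal is allowed to open connections to arbitrary outside hosts. Since terminals need to reach very few destinations (the payment gateway and a handful of internal servers), an allow-list over egress logs catches the FTP or SMTP push described above. The Python below applies such a rule to constructed firewall log lines; the POS subnet, the internal address space and the payment gateway address and port are assumptions for the example.

```python
import ipaddress
import re

# Assumed network layout for this example (not from the article).
POS_SUBNET = ipaddress.ip_network("10.50.0.0/24")        # assumed POS VLAN
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # assumed corporate space
# Assumed payment gateway: the only external (address, port) a terminal may reach.
ALLOWED_EXTERNAL = {(ipaddress.ip_address("198.51.100.10"), 443)}

LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)"
)


def parse_line(line: str):
    """Pull the fields we need out of one key=value firewall log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "proto": m["proto"],
        "bytes": int(m["bytes"]),
    }


def classify(rec):
    """Return a reason string if a POS-originated flow is unexpected, else None."""
    if rec["src"] not in POS_SUBNET:
        return None          # this rule only covers traffic leaving the POS VLAN
    if any(rec["dst"] in net for net in INTERNAL_NETS):
        return None          # internal traffic; lateral-movement rules live elsewhere
    if (rec["dst"], rec["dport"]) in ALLOWED_EXTERNAL:
        return None          # the payment gateway on its expected port
    return (f"POS host {rec['src']} to unexpected external "
            f"{rec['dst']}:{rec['dport']}/{rec['proto']} ({rec['bytes']} bytes)")


def find_exfil(lines):
    """Return (line number, reason) for every log line that trips the allow-list."""
    alerts = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            alerts.append((n, reason))
    return alerts


# Constructed log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    "2015-03-02T02:14:01Z src=10.50.0.23 dst=10.10.1.5 dport=445 proto=tcp bytes=2048 action=allow",
    "2015-03-02T02:14:05Z src=10.50.0.23 dst=198.51.100.10 dport=443 proto=tcp bytes=5120 action=allow",
    "2015-03-02T02:15:40Z src=10.50.0.23 dst=203.0.113.7 dport=21 proto=tcp bytes=184320 action=allow",
    "2015-03-02T02:16:12Z src=10.50.0.41 dst=203.0.113.9 dport=25 proto=tcp bytes=92160 action=allow",
    "2015-03-02T02:16:30Z src=10.10.1.5 dst=203.0.113.7 dport=443 proto=tcp bytes=4096 action=allow",
    "2015-03-02T02:17:02Z src=10.50.0.23 dst=198.51.100.10 dport=80 proto=tcp bytes=1024 action=allow",
]

if __name__ == "__main__":
    for n, reason in find_exfil(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Lines 3 and 4 (FTP and SMTP from the POS VLAN to outside hosts) are the file-transfer and email channels from the article; line 6 is flagged because the gateway address is correct but the port is not. The corporate workstation on line 5 is outside the rule's scope, and the internal SMB flow on line 1 is left for lateral-movement detection. The same allow-list is worth enforcing in the firewall itself, not only in the log review.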