Dangerous New Point-Of-Sale System Malware
Brand New Credit Card “Skimming” Malware Threatens Safe Holiday Shopping
Security experts have identified a new strain of point-of-sale malware known as Getmypass (also called POSCardStealer and Getmypos). It is an information-exfiltration program that steals credit and debit card data at physical retail locations. It was unknown to all 55 top antivirus programs on the day before Thanksgiving; as of today (December 10th), more than 28 of them recognize it.
This new strain of malware still seems to be under development, so it may not have been able to fully capitalize on that head start. Getmypass is a RAM scraper designed to infect point-of-sale devices such as payment-card readers. It reads the card reader’s running memory for card data immediately after the customer swipes a card. The data is encrypted almost immediately, but that split second is all the RAM scraper needs. The pieces of malware used in the Target and Home Depot data breaches were also RAM scrapers.
Nick Hoffman of the blog Security Kitten discovered and named Getmypass (after a password buried in the code) last Wednesday, and researchers at security software company Trend Micro followed with their own analysis on Thanksgiving. Hoffman ran the malware’s hash, or digital fingerprint, through the 55 antivirus screeners on free malware-analysis website VirusTotal and got no results — none recognized the malware.
In real-life scenarios, many antivirus programs would have discovered Getmypass through behavioral analysis, although the malware has a trick up its sleeve to fool some of them: it was digitally signed with a code-signing certificate issued to a publisher named “Bargaining Active.”
The fact that it initially went undetected may be cause for concern, but while the malware can steal card data, it lacks the ability to log keystrokes, collect login credentials or even move the card data to a remote server.
LusyPOS, another malware strain that uses similar techniques, targets PoS systems, uses the Tor (The Onion Router) network to communicate with its command-and-control systems, and has been seen offered for sale on black-market forums, complete with different levels of hosting, support, and access to the source code and to newly compiled versions designed to evade hash-based virus scanners.
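Two points above, the 0-of-55 VirusTotal result and the recompiled LusyPOS builds, show why hash-based scanning alone is a weak control on a fixed-function POS host, and the “Bargaining Active” certificate shows why a valid signature is not the same as a trusted one. The following is an added example, not code from the article or from any vendor mentioned in it: it compares a hash denylist with a default-deny allowlist (approved hashes plus trusted publishers) over constructed process-start events; every hash, path and the vendor name “Example POS Vendor Inc.” are made up for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy data for this example (not real hashes or vendors).
TRUSTED_PUBLISHERS = {"Example POS Vendor Inc."}
ALLOWED_SHA256 = {"11" * 32}      # approved build of the POS application
HASH_DENYLIST = {"22" * 32}       # the one sample AV vendors eventually flagged


@dataclass
class ProcessStart:
    image: str
    sha256: str
    signed: bool
    publisher: Optional[str] = None


def denylist_verdict(ev: ProcessStart) -> str:
    """Hash-based AV model: block only what is already known to be bad."""
    return "block:known-bad-hash" if ev.sha256 in HASH_DENYLIST else "allow"


def allowlist_verdict(ev: ProcessStart) -> str:
    """Default-deny model suited to a fixed-function POS host."""
    if ev.sha256 in HASH_DENYLIST:
        return "block:known-bad-hash"
    if ev.sha256 in ALLOWED_SHA256:
        return "allow"
    if not ev.signed:
        return "block:unsigned"
    # A valid code signature proves who signed the file, not that the signer
    # is trusted; an unfamiliar publisher gets no credit for being signed.
    if ev.publisher in TRUSTED_PUBLISHERS:
        return "allow"
    return f"block:unknown-publisher:{ev.publisher}"


def triage(events: List[ProcessStart]) -> List[Tuple[str, str, str]]:
    """Run both models on each event and return (image, denylist, allowlist)."""
    return [(e.image, denylist_verdict(e), allowlist_verdict(e)) for e in events]


# Constructed process-start events in the style of an EDR/Sysmon feed.
SAMPLE_EVENTS = [
    ProcessStart(r"C:\POS\posapp.exe", "11" * 32, True, "Example POS Vendor Inc."),
    ProcessStart(r"C:\Windows\Temp\upd.exe", "22" * 32, True, "Bargaining Active"),
    ProcessStart(r"C:\Windows\Temp\upd2.exe", "33" * 32, True, "Bargaining Active"),  # recompiled
    ProcessStart(r"C:\Windows\Temp\loader.exe", "44" * 32, False),
]

if __name__ == "__main__":
    for image, deny, allow in triage(SAMPLE_EVENTS):
        print(f"{image:30} denylist={deny:22} allowlist={allow}")
```

The recompiled third event is the instructive one: the denylist passes it because its hash is new, while the allowlist blocks it regardless of hash because the publisher is not one the POS operator approved.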