How Does POS Malware Work?


So in the last two years over 400 retail companies, including many big national chains, have fallen victim to BackOff or other point of sale (POS) malware, exposing millions of credit card and customer records.  So how does this exploit work?

My friends at Calyptix Security sent me another article that should be interesting to anyone who is running a retail store and using a computer-based point of sale (POS) system.  The article explains how point of sale malware manages to defeat the encryption that is built into most POS systems.  The basic threat exists in the few microseconds between the time the credit card is swiped and the moment the data is encrypted by the software.  There is a brief interval (much less than a second) when the credit card data sits in system memory (RAM) in its raw, unencrypted form.  The current crop of POS malware uses a technique called “RAM scraping” or “memory dumping” to grab it during that window.

The top three exploits used in POS malware attacks are listed below.  Most of the current crop use two or more of these techniques.

  • RAM scraping or memory dumping.  This takes advantage of the brief period of opportunity that exists when the data is on the memory modules, and copies the information to a log file which is transmitted periodically to the command and control server run by the cyber-thieves.  The only way to detect this type of attack is through regular monitoring of your network for unusual traffic or network connections to far-flung IP addresses.
  • Keylogging.  This exploit keeps track of information manually entered via a keyboard or even a barcode scanner, and can even take screenshots or activate and record video from an attached web camera.
  • Network sniffers.  These programs are a bit old-school, since once the card information is on the network, it has been encrypted and will remain so throughout transmission.  Nevertheless, some malware exploits will include a sniffer as part of an overall plan to locate and identify POS systems on the network.
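The RAM scraping bullet says the practical detection is watching for POS systems sending data somewhere they should not, on a schedule.  Here is an added example of that kind of check (my own illustration, not code from the Calyptix article): it reads a constructed outbound connection log, flags POS hosts talking to destinations outside an allowlist, and flags flows that recur at near-constant intervals, the signature of a periodic log upload.  The log format, the POS VLAN, and the allowlisted networks are all assumptions.

```python
import ipaddress
from datetime import datetime
from statistics import pstdev

# Constructed sample of outbound connections from the POS VLAN.
# Assumed format: "timestamp src dst:port bytes" (one record per line).
SAMPLE_LOG = """\
2015-03-01T02:00:05 10.0.5.21 198.51.100.10:443 2100
2015-03-01T02:00:09 10.0.5.21 10.0.1.5:445 900
2015-03-01T02:15:00 10.0.5.21 203.0.113.77:80 51200
2015-03-01T02:30:01 10.0.5.21 203.0.113.77:80 49800
2015-03-01T02:45:00 10.0.5.21 203.0.113.77:80 50300
2015-03-01T03:00:02 10.0.5.21 203.0.113.77:80 52000
2015-03-01T02:10:00 10.0.5.22 198.51.100.10:443 1800
"""

POS_HOSTS = ipaddress.ip_network("10.0.5.0/24")      # assumed POS VLAN
ALLOWED = [ipaddress.ip_network("10.0.0.0/8"),         # internal network
           ipaddress.ip_network("198.51.100.0/24")]    # assumed card processor

def parse(log):
    """Turn the raw log text into (time, src, dst, port, bytes) tuples."""
    rows = []
    for line in log.splitlines():
        ts, src, dst_port, nbytes = line.split()
        dst, port = dst_port.rsplit(":", 1)
        rows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                     ipaddress.ip_address(dst), int(port), int(nbytes)))
    return rows

def unexpected_destinations(rows):
    """POS hosts reaching anything that is not internal or the processor."""
    return sorted({str(dst) for _, src, dst, _, _ in rows
                   if src in POS_HOSTS and not any(dst in n for n in ALLOWED)})

def beacons(rows, min_hits=3, max_jitter=30.0):
    """(src, dst) pairs contacted at near-constant intervals, with the mean gap
    in seconds: a periodic upload of the scraper's log file looks like this."""
    flows = {}
    for ts, src, dst, _, _ in rows:
        flows.setdefault((str(src), str(dst)), []).append(ts)
    found = []
    for key, times in flows.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:       # regular enough to be scheduled
            found.append((key, round(sum(gaps) / len(gaps))))
    return found
```

On the sample, 10.0.5.21 shows up both ways: it talks to an address outside the allowlist and does so every fifteen minutes.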

If you are not monitoring your network traffic (and you know you aren’t), then you have no way to know if your POS system has been breached, at least not until your bank or card processor informs you.  By then you will be subject to regulatory and industry fines and increases in the transactional costs of credit card purchases going forward.  Not to mention the bad publicity, and the loss of business from customers who may decide never to return.

Your business is not too small to be victimized in this way.  The large enterprise and multinational retail chains have information security departments (well they all do NOW) and high-priced outside consultants who make sure that threats are barred at the door, or at worst, detected early and neutralized before the damage becomes severe.  For the smaller retailer there are smaller consultancies such as our own that can help you set up a security and network monitoring system for your business that you can still afford.  It would be wise to get started on a security strategy today.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
