PoS (point-of-sale) malware

What are PoS?

A PoS device is designed to complete a retail transaction. It calculates the amount customers must pay for their purchases and provide options for customers to make said payment. PoS devices are connected to the Internet to authorize transactions by sellers.   

Most PoS devices run on some variant of Windows and Unix. The decision to run on Windows could be seen as an advantage: it’s easier to run, maintain, and develop apps for devices running on Windows. On the flip side, it also means that malware can run on these systems, given that these are like stripped-down computers.  

How do PoS malware work?

The goal of PoS malware is to steal information related to financial transactions, including credit card information.

However, because of the nature of PoS devices, routines of PoS malware differ from other data stealing malware. The payment card industry uses a set of security standards that enforce end-to-end encryption of sensitive payment data—which comes from the card’s magnetic strip or chip—when it is transmitted, received or stored. Decryption only occurs in the PoS device’s random-access memory (RAM), where it is processed. PoS malware specifically target the RAM to steal the unencrypted information—a process called "RAM scraping."

In order to perform RAM scraping, PoS malware often look for security lapses to enter the system. Such may include default login credentials or compromised partner systems. Once inside, the PoS malware can select which data to steal and upload to a remote server. It comes as no surprise then that most PoS malware come equipped with backdoor and command-and-control features.

PoS malware do come with limitations. The stolen information cannot be used to make purchases online. The magnetic strip and the chip do not contain the CVV2—the three-digit code on the card that’s required for online shopping. To use the stolen information, a person has to physically clone the credit card.

Notable PoS Malware

PoS malware received a lot of attention from the public after it was revealed that US retailer Target suffered a massive data breach that affected an estimated 110 million customers—nearly a third of the US population. Analysis indicated that the malware involved in this breach are detected as TSPY_POCARDL.AB and TSPY_POCARDL.U. Security researchers believe these malware are part of the BlackPOS/Kaptoxa malware family. 

Another PoS malware family that gained notoriety is the DEXTER PoS family. Reports of this family surfaced around the end of 2012. This malware was said to be found in PoS systems of popular establishments, hotels, and other businesses.

Protection Against PoS Malware

Admittedly, PoS malware is more of a concern for retailers than customers. However, users should still be vigilant about protecting their accounts. Regularly monitoring statements is a good way to check for fraudulent purchases, data breach or not. Real time identity theft monitoring is highly recommended.

Businesses should check to see if their existing set-ups could be improved. For instance, PoS systems could benefit from whitelisting or locked down systems. Allowing only specific apps to run in the system will make it harder for malware to run on PoS devices.

Network defense solutions should also be employed as they can detect unusual network behavior, like the installation of malware across numerous devices or the amount of data being moved within the network.

General security practices also apply for protection against PoS malware. For example, using strong passwords and updating applications can thwart attempts to access the system via guesswork or exploits. Installing a firewall can help block cybercriminals from gaining access to and from the affected network.  

Trend Micro protects customers from the threats mentioned in this article. Below are some Trend Micro products and services that can help users and businesses protect their computers from PoS malware:

  • Trend Micro™ Titanium™ Maximum Security
  • Trend Micro™ Officescan™
  • Trend Micro™

Other PoS Malware Resources


Research Papers

Online Article