Crooks are infecting sales registers running Oracle-owned MICROS software with malware tailor-fitted to steal bank card information from the machines.
MalumPoS scrapes sensitive data from the RAM inside the tills, which are used in places from shops and restaurants to hotels and bars. The software nasty can be easily modified to target other systems, Trend Micro warns.
MICROS is used in 330,000 places worldwide, although the bulk of the companies using this platform are concentrated in the United States. Aside from Oracle MICROS, MalumPoS also targets Oracle Forms and Shift4 systems.
RAM scrapers like MalumPoS are designed to find credit card data in an infected system's main memory. Every time the magnetic stripe of a credit card is swiped, the malware can locate and steal data such as the cardholder’s name and account number. This unencrypted data is subsequently siphoned off and used to make counterfeit credit or debit cards.
Once installed on a compromised system, MalumPoS disguises itself as “the NVIDIA Display Driver.” Meanwhile, in the background, MalumPoS uses regular expressions to sift through memory and locate fresh credit card information. MalumPoS selectively looks for data resembling Visa, MasterCard, American Express, Discover, and Diner’s Club cards.
MalumPoS works just like the RAM scraper planted on the checkout terminals in Target stores across the US. The malware grants crooks access to tons of financial data in a raw, unencrypted format. There are several different families of such malware but even so the appearance of new variants, in this case MalumPoS, gives retailers and IT security watchers the fear.
Trend's technical write-up of the malware can be found in a 13-page PDF here.
Tod Beardsley, Rapid7’s security engineering manager, added: “The latest report on MalumPOS is another proof point that criminals are understanding that point-of-sale systems are simply another kind of computer, and general-purpose computers all have the opportunity to run malware. Unfortunately, this is a realisation that many companies still have not realised in a practical way. If a device has a USB slot, has an Ethernet port, or is on a wireless network, then it is possible to attack it and alter it."
"Understanding that point-of-sales devices are attackable computers is just the first step in addressing the problem. Unfortunately, POSes have several strikes against them. They are often running on out-of-date, unpatched platforms (such as Windows XP), they are rarely audited and maintained by dedicated IT security staff, and configurations are often in the default state, including default administrator passwords," he added.
Shift4 has been in touch with The Register to take issue with Trend's remark that its systems, as well as point-of-sale terminals running Oracle-owned MICROS software - the main focus of Trend's research - might be vulnerable. Its latest technology is hardened against memory-scraping malware, according to Shift4.
The Trend Micro brief is based on a 2014 report, which is most likely referencing 2013 or prior data. Since this time, PAR Springer-Miller has recertified with Shift4 with a fully tokenized and P2PE hardware-based solution, which renders any memory scraping malware useless for gathering cardholder data.
Swipe information and even hand-keyed payment information is encrypted at the point of entry and flows through our Universal Transaction Gateway as an encrypted block. Keys do not exist at the merchant location to decrypt this information.
This, combined with 4Res, which is used to tokenize payment information contained in reservation requests from third parties, means that all payment information at the merchant property is tokenized and tokens or encrypted P2PE card blocks are all that can be scraped.
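The two claims above, that a RAM scraper finds card data by pattern-matching process memory, and that a tokenised, P2PE-protected till leaves nothing for it to find, can both be checked from the defender's side with the same kind of cardholder-data discovery scan that PCI assessors run over memory captures. The following is an added example, not code from the article, from Trend Micro or from Shift4. It scans a constructed memory snapshot for digit runs of PAN length, discards those that fail the Luhn checksum (order numbers, timestamps and similar), and reports masked results only. The snapshots, the token value and the "p2pe_block" field are all constructed for the example; the brand prefixes are a rough approximation of real issuer ranges.

```python
import re
from typing import List, Tuple

# Digit runs of plausible PAN length (13-19) that are not part of a longer digit run.
PAN_CANDIDATE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum. Filters out timestamps, order ids and other digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> str:
    """Rough prefix rules for the brands named in the article (not the full issuer ranges)."""
    if pan.startswith("4"):
        return "Visa"
    if pan[:2] in {"34", "37"}:
        return "American Express"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "MasterCard"
    if pan.startswith("6011") or pan.startswith("65"):
        return "Discover"
    if pan[:2] in {"36", "38"} or pan[:3] in {"300", "301", "302", "303", "304", "305"}:
        return "Diners Club"
    return "unknown"


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_pans(memory: bytes) -> List[Tuple[str, str]]:
    """Return (brand, masked PAN) for every Luhn-valid PAN found in cleartext in the buffer."""
    findings = []
    for m in PAN_CANDIDATE.finditer(memory):
        digits = m.group().decode("ascii")
        if luhn_valid(digits):
            findings.append((card_brand(digits), mask(digits)))
    return findings


# Constructed snapshot of a till process that handles swipes in cleartext.
# The PANs are the public Visa and Amex test numbers, not real cards.
CLEARTEXT_SNAPSHOT = (
    b"ts=20150611;PAN=4111111111111111;exp=1218;amt=42.50\x00"
    b"order=1234567890123456\x00"                      # Luhn-invalid: an order id, not a card
    b"PAN=378282246310005;name=TEST CARDHOLDER\x00"
)

# Constructed snapshot of a till using tokenisation and P2PE: only a token and an
# opaque encrypted block are resident, so a scraper has nothing to harvest.
P2PE_SNAPSHOT = (
    b"ts=20150611;token=tok_7c1e9a4b;amt=42.50\x00"
    b"p2pe_block=ZXhhbXBsZS1vcGFxdWUtYmxvYg==\x00"
)

if __name__ == "__main__":
    print("cleartext till:", scan_for_pans(CLEARTEXT_SNAPSHOT))
    print("P2PE till:     ", scan_for_pans(P2PE_SNAPSHOT))
```

Running it reports two masked PANs from the cleartext snapshot and nothing from the P2PE snapshot, which is the property Shift4 is asserting. A production discovery tool would also decode UTF-16 strings and the magnetic-stripe track layouts, and would run against a full process dump rather than a byte string, but the filtering logic is the same.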