Unwelcome cyber ‘guest’ visits retailers for holidays

A new type of POS malware has been attacking POS systems at U.S. retailers for some time, and has been identified as the holiday shopping season begins.

Experts at Dallas-based global cyberintelligence firm iSight Partners have identified a hard-to-detect malware called ModPOS, which is short for modular POS system. iSight says ModPOS is the most sophisticated malware it has seen to date.

ModPOS can be configured to target specific systems with components such as uploader/downloader, keylogger, POS RAM scraper and custom plugins. The malware can then be used for activities such as stealing customer payment credentials and spying on a network, and could also potentially be leveraged for additional uses.

ModPOS uses multiple methods of obfuscation and encryption that enables the malware to evade most modern security systems. iSight believes it has been in use as far back as 2012, with known activity in late 2013 and active targeting of U.S. retailers through 2014. IP addresses and other factors lead iSight to suspect ModPOS originated in Eastern Europe, but this is not definite.

Although using EMV-compliant POS software and hardware can help reduce the likelihood of infestation by ModPOS, iSight cautions EMV alone cannot fully prevent the malware from compromising a retailer’s network. Retailers are advised to support end-to-end encryption, including encrypting data in memory, to prevent ModPOS’ RAM scraping techniques from obtaining customer payment data for use in fraudulent POS transactions.

iSight is currently working with retailers and the Retail Cyber Intelligence Sharing Center to help inform retailers of the situation and combat the malware.