Point-of-sale malware

Point-of-sale malware (POS malware) is malicious software (malware) used by cybercriminals to target point of sale (POS) and payment terminals with the intent of obtaining credit and debit card information, such as a card's track 1 or track 2 data and even the CVV code, by various man-in-the-middle attacks, that is, by intercepting the processing of the transaction at the retail checkout POS system.[1] The simplest, and most evasive, approach is RAM scraping: reading the card data from the system's memory and exporting the copied information via a remote access trojan (RAT). This minimises any software or hardware tampering and can leave no footprint.[2] POS attacks may also involve hardware: dongles, trojanised card readers, and (wireless) data transmitters and receivers.[3] Sitting at the gateway of transactions, POS malware lets attackers process and steal payment data for thousands, even millions, of transactions, depending on the target, the number of devices affected, and how long the attack goes undetected.[4] The theft happens before, or outside of, the point at which the card information is (usually) encrypted and sent to the payment processor for authorization.

A point of sale card terminal

List of POS RAM scraper malware variants


Rdasrv

It was discovered in 2011 and installs itself on the Windows computer as a service called rdasrv.exe.[5] It scans for track 1 and track 2 credit card data using Perl-compatible regular expressions; this data includes the cardholder's name, account number, expiry date, CVV code and other discretionary information. Once scraped, the information is stored in data.txt or currentblock.txt and sent to the attacker.


It was discovered in October 2012 and installs itself on the PC automatically. It is embedded in an AutoIt script, which loads the malware into memory. It then scrapes credit card (CC) data from the POS software.[6]


VSkimmer

VSkimmer scrapes the information from the Windows system by detecting the card readers attached to it, and then sends the captured data to the cybercriminal's control server.[7]


It was discovered in December 2012. It steals system information along with track 1 and track 2 card details with the help of a keylogger installed on the computer.


BlackPOS

It is spyware created to steal credit and debit card information from the POS system. BlackPOS gets onto the PC using stealth techniques and steals information, sending it to an external server.[8]


This memory-scraping malware captures Track 2 data read from the card's magnetic stripe by the terminal's magnetic stripe reader and sends it to the attacker, who uses it to clone counterfeit credit cards.


FastPOS Malware

FastPOS is POS malware discovered by Trend Micro researchers. It strikes the point of sale system very quickly, snatches the credit and debit card information and sends the data to the cybercriminal instantly. The malware can exfiltrate track data using two techniques: a keylogger and a memory scraper.[9][10][11]

PunkeyPOS Malware

PandaLabs discovered this malware, which infects point of sale systems to steal credit and debit card details.[12] PunkeyPOS uses two functions, a keylogger and a RAM scraper, to steal information at the point of sale terminal.[13] Once the information is stolen, it is encrypted and sent to the cybercriminal's command-and-control (C&C) server.[14]

Multigrain Malware

This variant of POS malware was discovered by FireEye.[15] It uses a new, advanced technique to steal retail customers' card information with the help of the Luhn algorithm.[16] Before exfiltrating the stolen information, it first blocks HTTP and FTP traffic that could be used to monitor the data exfiltration. It belongs to the NewPosThings malware family.[17]
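The Rdasrv entry above describes regular-expression scanning for track 1 and track 2 data, and the Multigrain entry mentions the Luhn algorithm. The following Python script is an added example, not code from the article or from any of the vendors it cites. It takes a defender's view: it scans a constructed sample file (the kind of staged exfiltration file an incident responder might find, like the data.txt mentioned above) for ISO/IEC 7813 track 1 and track 2 formats, validates each PAN with the Luhn checksum to cut false positives, and reports findings with the PAN masked. The regexes, sample records and function names are assumptions made for illustration; the PANs are well-known test numbers, not real cards.

```python
"""Defender-side detector for card track data left in a file or dump.

Added example (not from the article). Finds ISO/IEC 7813 track 1 and
track 2 records, the same formats RAM-scraping POS malware hunts for,
then confirms each PAN with the Luhn checksum and masks it for reporting.
"""
import re

# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2 layout: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")

# Constructed sample: one log line plus three track records. The last PAN
# fails the Luhn check on purpose, standing in for a random-digit false hit.
SAMPLE_DUMP = (
    "POS log 2016-06-02 tx=1042 ok\n"
    "%B4111111111111111^DOE/JANE^25121010000000000?\n"
    ";5555555555554444=2512101000000000?\n"
    ";1234567890123456=2512101000000000?\n"
)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits; star out the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list[dict]:
    """Return every track 1 / track 2 record found, Luhn result included."""
    findings = []
    for m in TRACK1_RE.finditer(text):
        pan = m.group(1)
        findings.append({"track": 1, "pan": mask_pan(pan), "name": m.group(2),
                         "expiry": m.group(3), "luhn_ok": luhn_valid(pan)})
    for m in TRACK2_RE.finditer(text):
        pan = m.group(1)
        findings.append({"track": 2, "pan": mask_pan(pan),
                         "expiry": m.group(2), "luhn_ok": luhn_valid(pan)})
    return findings


def confirmed_findings(text: str) -> list[dict]:
    """Only records whose PAN passes Luhn: the ones worth escalating."""
    return [f for f in find_track_data(text) if f["luhn_ok"]]


if __name__ == "__main__":
    for f in find_track_data(SAMPLE_DUMP):
        print(f)
    print("confirmed:", len(confirmed_findings(SAMPLE_DUMP)))
```

The same check can be pointed at a process memory dump or a network capture during a forensic review; a Luhn-valid PAN in a file or stream where cleartext card data has no business being is a strong indicator that a scraper has been at work.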

CenterPOS Malware

CenterPOS is point of sale (POS) malware that FireEye researchers found in September 2015, alongside other malware such as BlackPOS, NewPOSThings and Alina.[18] It scrapes credit and debit card data and sends it in an HTTP POST request, encrypted with Triple DES.

MalumPOS Malware

MalumPOS is point of sale malware that records data from POS systems running the Oracle MICROS payment platform; it has been used to breach 333,000 data records worldwide. It is written in the Delphi programming language and steals credit and debit card details, which are then sent to the cybercriminal or sold on the black market.



References

  1. Orla (Nov 25, 2015). "Demystifying Point of Sale Malware and Attacks". Symantec.
  2. "The continuing threat of POS malware". Trend Micro. May 1, 2017.
  3. "Malware Targeting Point of Sale Systems". Alert TA14-002A. US-CERT. Jan 2, 2014.
  4. "What is POS Malware? - Point of Sale Malware Definition and FAQ". Comodo. Retrieved Nov 4, 2016.
  5. "Rdasrv POS RAM Scraper Malware".
  6. Constantin, Lucian (18 December 2014). "Point-of-sale malware creators still in business with Spark". Retrieved 4 November 2016.
  7. "vSkimmer botnet targets card payment terminals". Info Security. 25 March 2013.
  8. "Researchers find new point-of-sale malware called BlackPOS". Retrieved 4 November 2016.
  9. "FastPOS malware instantly delivers stolen credit card data". 3 June 2016. Retrieved 4 November 2016.
  10. "FastPOS: Quick and Easy Credit Card Theft - TrendLabs Security Intelligence Blog". 2 June 2016. Retrieved 4 November 2016.
  11. "FastPOS Malware Breaches and Delivers Credit Card Data Instantly". Retrieved 4 November 2016.
  12. "News Alert! PandaLabs Discovers New POS Malware". 23 June 2016. Retrieved 4 November 2016.
  13. "PunkeyPOS Malware".
  14. "New Episode of Punkey PoS Malware Airs". Retrieved 4 November 2016.
  15. "MULTIGRAIN - Point of Sale Attackers Make an Unhealthy Addition to the Pantry". FireEye Threat Research Blog. Retrieved 4 November 2016.
  16. "New Multigrain Malware steals Point of Sale Data Over DNS". Retrieved 4 November 2016.
  17. Constantin, Lucian (20 April 2016). "New point-of-sale malware Multigrain steals card data over DNS". Retrieved 4 November 2016.
  18. "CenterPOS: An Evolving POS Threat". FireEye Threat Research Blog. https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html