Why credit card data stealing point-of-sale malware is still such a big problem

Old hardware, vulnerabilities in unsupported operating systems and malware files that are so small they're virtually undetectable mean that point-of-sale (POS) malware is thriving as a key method for cyber criminals looking to steal credit card data and other personal information.

Planet Hollywood and Buca di Beppo are just some of the latest brands to have uncovered POS malware on their systems – but only after the malware had been actively exfiltrating data for almost a year.

Researchers at security company Forcepoint have spent the last 12 months analysing 2,000 samples of POS malware and found that many were hand-crafted, written in assembly code and very small in size, dubbing them 'TinyPOS'.

Of the 2,000 samples analysed, 95 percent were loaders used to distribute malware to systems. In theory, it shouldn't be difficult to protect against what's ultimately quite a simple attack, but many organisations are using POS software and hardware that's old and out of date, and it can do a lot of damage.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

"It's due to the software that's running on it. On the 5th April this year, Microsoft announced end of support for the operating system POS Ready 2009 – and we found that some of this malware is suitable for that system. The software is ten years old," Carl Leonard, principal security analyst at Forcepoint told ZDNet.

"There's also legacy hardware that's riddled with vulnerabilities that is incredibly difficult to patch," he added.

Once the loaders are on the system, they'll download a mapper component that gathers information about the machine and environment to examine it and check it's really a POS unit – something which researchers believe attackers deploy in order to ensure they only target specific retailers. 

And many retailers – especially in the US, where swiping cards remains more common than chip and pin or contactless payments – are accidentally providing attackers access to easy paydays.

"The standards of a swipe action are such that even now merchants are storing that information – albeit it offline – in plain text in unsecured databases. It's still amazing that it happens given the attention being put on securing data, but it still does," said Leonard.

Often the problem with POS malware is that it's stealthy, so finding out it's on the system can be an issue, let alone discovering how it got there. 

While it isn't totally known how the malware is deployed, Forcepoint has theories – especially when the target is a smaller chain that may not have the security capabilities that a larger retailer may have.

"We know that remote access tools are run on these POS terminals because it's physically challenging to travel around to different physical locations. Maybe it's something to do with a remote access tool and credential re-use across systems from third-party administrators," Leonard said.

READ MORE ON CYBER SECURITY

• Point of sale malware campaign targets hospitality and entertainment businesses
• 5 things to consider when picking a credit card processor CNET
• One of the oldest forms of POS malware has been tweaked to avoid detection
• If you recently shopped at Forever 21, your credit card may have been stolen TechRepublic
• How one hacked laptop led to an entire network being compromised