A new kind of point-of-sale malware, which uses multiple layers of obfuscation and encryption to cover its tracks, has been identified by security researchers, and is being held up as the most complex software of its kind yet to be identified in the wild.
Security researchers at iSight have identified the malware, which they’ve dubbed ModPOS, short for Modular Point Of Sale. The software uses a wide range of tricks, such as keylogging, network monitoring and RAM scraping, to acquire the card details of customers whose transactions pass through an electronic point-of-sale terminal.
The malware then uses a complex series of 128-bit and 256-bit encryption layers to obscure the data it uploads to remote servers. Each customer’s details are encrypted using a different private key, making it almost impossible to identify what data is being stolen.
The researchers at iSight attempted to reverse engineer the software, and found it took three solid weeks of work. By comparison, it normally takes them about half an hour for most POS malware. Speaking to The Register, Steve Ward from iSight explained:
“This is POS [point-of-sale] malware on steroids. We have been examining POS malware forever, for at least the last eight years and we have never seen the level of sophistication in terms of development …[engineers say] it is the most sophisticated framework they have ever put their hands on.”
Sadly, the report also explains that the malware has been in use around the U.S. since 2013, and iSight predicts it’s already been used to steal details for “multiple millions” of debit and credit cards. So far, the researchers have briefed 80 different U.S. companies about the effects of ModPOS, though those affected haven’t been publicly named.
While it’s thought the problems largely affect transactions performed by swiping a card’s magnetic stripe, it’s believed that the more secure chip-and-PIN system could also be vulnerable to the malware.
Fortunately, banks are often able to spot nefarious activity on accounts using machine learning and big data, which is good, because there’s no way for a customer to know whether a point-of-sale device is infected with malware.