Trend Micro Warns of New MalumPoS Point-of-Sale Malware


Trend Micro researchers recently uncovered MalumPoS, a new configurable RAM scraper designed to target point-of-sale (PoS) systems.

MalumPoS is currently designed to collect data from PoS systems running Oracle MICROS, which Oracle says is used at 330,000 customer sites worldwide, including hospitality, food and beverage and retail locations. Other targets include Oracle Forms, Shift4, and systems accessed via Internet Explorer. But because MalumPoS was designed to be configurable, it could also be reconfigured to target other PoS systems in the future.

"In general, PoS RAM scrapers like MalumPoS are designed to scrape off credit card data from an infected system's RAM," Trend Micro threats analyst Jay Yaneza wrote in a blog post. "Every time the magnetic stripe of a credit card is swiped, the malware can steal stored data such as the cardholder’s name and account number. This data can then be exfiltrated and used to physically clone credit cards or, in some cases, commit fraudulent transactions like online purchases."

Other key characteristics of MalumPOS, Yaneza noted, include the fact that it disguises itself as "NVIDIA Display Driv3r" once installed, and that it uses regular expressions to search specifically for Visa, MasterCard, American Express, Discover and Diner's Club card data.

Rapid7 security engineering manager Tod Beardsley told eSecurity Planet by email that the discovery of MalumPoS should serve as a reminder that criminals now see a point-of-sale system as just another kind of computer that can be targeted with malware. "Unfortunately, this is a realization that many companies still have not realized in a practical way," he said. "If a device has a USB slot, has an Ethernet port, or is on a wireless network, then it is possible to attack it and alter it."

And most point-of-sale systems, Beardsley noted, already have several strikes against them. "They are often running on out-of-date, unpatched platforms (such as Windows XP), they are rarely audited and maintained by dedicated IT security staff, and configurations are often in the default state, including default administrator passwords," he said.

Now that criminals understand the risk posed by out-of-date PoS systems, Beardsley said, retailers need to do the same. "End users of these systems need to start demanding reasonable security from their vendors that includes easy-to-use 'first boot' procedures to custom configure their enterprise, a reasonable patch management schedule, and regular updates against known threats vulnerabilities," he said.

A recent eSecurity Planet article offered several tips on improving point-of-sale security.

[UPDATE: Shift4 provided the following statement to eSecurity Planet regarding Trend Micro's findings: "The Trend Micro brief is based on a 2014 report, which is most likely referencing 2013 or prior data. Since this time, PAR Springer-Miller has recertified with Shift4 with a fully tokenized and P2PE hardware based solution, which renders any memory scraping malware useless for gathering cardholder data. Swipe information and even hand-keyed payment information is encrypted at the point of entry and flows through our Universal Transaction Gateway as an encrypted block. Keys do not exist at the merchant location to decrypt this information. This, combined with 4Res®, which is used to tokenize payment information contained in reservation requests from third parties, means that all payment information at the merchant property is tokenized and tokens or encrypted P2PE card blocks are all that can be scraped."]