• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware   »   RawPOS: Checking in at a Hotel Near You

RawPOS: Checking in at a Hotel Near You

  • Posted on:April 30, 2015 at 1:23 am
  • Posted in:Malware
  • Author:
    Jay Yaneza (Threats Analyst)
0

Casinos and resort hotels are the most recent victims of an attack that used RawPOS, an old POS malware, to steal customer data. The victims include establishments in the United States, Canada, Europe, Middle East, and Latin America.

Touted as the earliest of its kind, very little research and documentation exists about RawPOS. As such, we will attempt to give light on this threat that may have been instrumental to previous credit card breaches documented and not previously attributed to this particular PoS threat.

RawPOS, Then and Now

The earliest reference to RawPOS we came across was around October 2008, with the  Visa Data Security Alert about debugging or parsing memory of point-of-sale systems to extract the full magnetic stripe data from volatile memory. Details from this advisory were observed in other security advisories released in 2008 and 2009.

The latest security advisory regarding RawPOS was released in March 2015. The advisory talks about its involvement with attacks related to the hospitality industry—a report that matches our own findings.

Configurable, Modular Design

RawPOS has a modular design that is highly configurable and has always been a multi-stage scraper. Brought about by pioneers in PoS malware threats, the design they chose has now proven to be enduring till today:

  • The multi-stage or multi-component strategy ensures a high success rate for the chosen environment, while making prevention and detection harder –no matter what type of solution.
  • The threat is still successfully victimizing businesses, and the threat actors behind it are very familiar with how networks within small-to-medium business segments are designed.
  • It is fault-tolerant, persistent and very specific – incident responders and threat investigators may chance upon a specific file that has only been deployed for that specific business.

Multiple Software Support

Aside from being multi-component, RawPOS is notable for its support for multiple PoS software. Since business establishments would have different PoS software, attackers have modified RawPOS’ code to support multiple PoS software over time. Below is a table showing the different PoS software that is supported by RawPOS.


Figure 1. Supported PoS software (click the image to enlarge)

It should be noted that the list is compiled against what Trend Micro had seen in terms of file samples. While this PoS software listing tries to be as complete based on this file samples we have acquired, RawPOS and its components are highly configurable and we can certainly be sure that RawPOS has been modified to adapt to more PoS software.

Additional analysis by Kenney Lu, Dark Luo, Marvin Cruz and Numaan Huq

More details about RawPOS, as well as best practices and available Trend Micro solutions, can be found in our RawPOS Technical Brief.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: POSPOS malwareRawPOS

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.