As the holiday shopping season swings into high gear, a cybersecurity firm is warning of a “highly sophisticated” malware framework that could pose a threat to U.S. retailers using point-of-sale (POS) systems. Called ModPOS (for “modular POS”), the malware has been seen in the wild as far back as 2012, and was observed actively targeting businesses throughout 2014.
The Texas-based cybersecurity firm iSight Partners released a detailed report on ModPOS and has already briefed “numerous” retailers about the potential threat. The company said its experts are also working with the Retail Cyber Intelligence Sharing Center to help member businesses watch for and defend against the malware platform.
ModPOS is not only difficult to detect, but can be configured to target multiple and specific parts of retailers’ POS systems. Based on some IP addresses observed as they reverse-engineered the platform, iSight researchers believe the malware might have ties to Eastern Europe.
‘Most Sophisticated’ POS Malware to Date
ModPOS was “the most sophisticated point-of-sale (POS) malware we have seen to date,” Stephen Ward, iSight’s senior director of marketing, said in a blog post. “In a nutshell, this is not your daddy’s run-of-the-mill cybercrime malware.”
With its complex and sophisticated code base, ModPOS can slip undetected past many types of modern security systems, Ward said. Its modular nature also provides multiple attack routes, with keylogger, POS scraper and uploader/downloader modules that make it possible to target unique aspects of retailers’ POS systems.
ModPOS also features custom plugins and other specialized functions, Ward noted. “Given its sophistication, it has taken our malware analysis ninjas a substantial amount of time to reverse-engineer the software,” he said.
Even Smart-Card Systems Vulnerable
The shellcode that ModPOS injects appears to be written in C and contains an unusually large number of functions, according to an intelligence report prepared by iSight researchers. The services injection, for example, has nearly 600 functions, whereas typical shellcode has just zero to five.
One module of ModPOS has been seen capturing credit-card track data out of POS systems’ memories, indicating “possible targeting of any sector that uses POS systems, including retail, food services, hospitality and healthcare.”
Even retailers with more advanced POS systems using EMV smart card (also called chip-and-PIN) technology can be vulnerable to ModPOS, according to iSight. If the POS system isn’t configured to support end-to-end encryption and encrypted data in memory, ModPOS — as well as other malware that uses RAM scraping techniques — can still enable access to customers’ payment card data, Ward said. That data can then be reused for online purchases where the physical presence of a payment card isn’t needed.
In its most recent Data Breach Investigations Report, Verizon found that retailers across 61 different countries on average experienced more than 800 malware attacks a week in 2015. Attacks are also becoming increasingly sophisticated, with some 70 percent using a combination of techniques, according to the report.