Researchers have discovered MalumPoS, a new point-of-sale malware designed to steal credit card data from hotels and other US businesses.
Trend Micro's Kenney Lu described the security firm's discovery in a blog post last week. The point-of-sale (POS) malware targets sales systems in hotels and other industries in the United States in order to scrape valuable credit card data which can then be used to create cloned cards, empty victim bank accounts or be sold on the black market.
MalumPoS is designed to collect data from POS machines running on Oracle MICROS, a payment system used by restaurants, hotels, the retail sector and the enterprise -- and is used in approximately 333,000 customer sites worldwide.
"If successfully deployed by a threat actor, this PoS RAM scraper could put several high-profile US-based companies and their customers at risk," Trend Micro says.
While the security firm did not reveal how the malware reaches systems, the company says MalumPoS -- written in the Delphi programming language -- monitors running processes and scrapes the memory of the processes it targets. If a credit card is swiped on an infected machine, the malware can capture the card data held in memory, such as cardholder names and account numbers.
MalumPoS is designed to be configurable, which means that threat actors can change or add other POS system processes, targets and areas to be scraped. For example, MalumPoS could be configured to include Radiant or NCR Counterpoint PoS systems to its target list -- placing a wider field of retailers at risk.
Once installed on a system, the malware disguises itself as "the Nvidia Display Driver," sometimes stylized as the "Nvidia Display Driv3r." Nvidia generally plays no important part in POS systems, but the familiarity of the branding and of drivers in general -- an important component in making sure peripherals function correctly -- could set victims' minds at ease by appearing legitimate to the average user.
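As an added illustration of the masquerade described above (not code from Trend Micro or the original report), the following Python snippet checks a constructed inventory of running components for entries whose display name imitates a known vendor component through digit-for-letter substitution, or that carry the genuine name but lack the expected code signer or install location. The inventory format, the signer and path values, and the substitution map are assumptions for this example.

```python
import re

# Digit-for-letter substitutions to undo when normalising a display name
# (the page's "Driv3r" variant is the motivating case); map is assumed.
LEET = str.maketrans({"3": "e", "0": "o", "1": "l", "4": "a", "5": "s", "7": "t"})

# Where and under which signer a legitimate component is expected to live.
# Values are assumptions for this example, not vendor documentation.
EXPECTED = {
    "nvidia display driver": {
        "signer": "NVIDIA Corporation",
        "path_prefix": r"c:\windows\system32\driverstore",
    },
}

# Constructed inventory, shaped like a process/service listing.
INVENTORY = [
    {"name": "Nvidia Display Driver", "signer": "NVIDIA Corporation",
     "path": r"C:\Windows\System32\DriverStore\nv.sys"},
    {"name": "Nvidia Display Driv3r", "signer": None,
     "path": r"C:\Users\pos\AppData\Roaming\nvdisp.exe"},
    {"name": "Nvidia Display Driver", "signer": None,
     "path": r"C:\ProgramData\nvdd.exe"},
    {"name": "Print Spooler", "signer": "Microsoft Windows",
     "path": r"C:\Windows\System32\spoolsv.exe"},
]


def normalize(name):
    """Lower-case, undo leetspeak substitutions and collapse whitespace."""
    return re.sub(r"\s+", " ", name.lower().translate(LEET)).strip()


def check_entry(entry):
    """Return a list of reasons this entry looks like a masquerade (empty if clean)."""
    norm = normalize(entry["name"])
    expected = EXPECTED.get(norm)
    if expected is None:
        return []  # not imitating anything we track
    reasons = []
    if entry["name"].lower() != norm:
        reasons.append("name uses digit-for-letter substitution")
    if entry.get("signer") != expected["signer"]:
        reasons.append("unexpected or missing signer: %r" % entry.get("signer"))
    if not entry.get("path", "").lower().startswith(expected["path_prefix"]):
        reasons.append("unexpected path: %r" % entry.get("path"))
    return reasons


def scan(inventory):
    """Return (path, reasons) for every suspicious entry, in inventory order."""
    findings = []
    for entry in inventory:
        reasons = check_entry(entry)
        if reasons:
            findings.append((entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in scan(INVENTORY):
        print(path)
        for r in reasons:
            print("  -", r)
```

The normalisation step matters more than the name match: a plain string comparison against "Nvidia Display Driver" would miss the "Driv3r" spelling, while comparing the normalised name against the expected signer and path catches both the lookalike and a correctly spelled impostor dropped outside the driver store.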
Aside from Oracle MICROS, Trend Micro says the malware also targets Oracle Forms, Shift4 systems and systems accessed via Internet Explorer. The majority of targets are based in the United States.
The malware is also selective about the types of credit card data it scrapes, focusing on Visa, MasterCard, American Express, Discover, and Diners Club.
The following indicators are used in the POS stage:
Speaking to ZDNet, Steve Sommers, SVP of Applications Development with Shift4 commented:
"The Trend Micro brief, based on a 2014 report, is likely referencing 2013 data that is no longer valid. Since then, PAR Springer-Miller has recertified with Shift4 with a fully tokenized and P2PE hardware based solution.
This means that any memory scraping malware is rendered useless in gathering cardholder data. Swipe information and hand-keyed payment information are encrypted at the point of entry, which then flows through Shift4's Universal Transaction Gateway as an encrypted block. Keys do not exist at the merchant location to decrypt this information.
Combined with 4Res, which is used to tokenize payment information contained in reservation requests from third parties, all payment information at the merchant property is tokenized. Thus, tokens or encrypted P2PE card blocks are all that can be scraped."
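Two points above are worth seeing in code: the brand selectivity mentioned earlier (Visa, MasterCard, American Express, Discover, Diners Club), and Shift4's argument that a scraper facing tokenized or P2PE-encrypted data finds nothing usable. The Python below is an added example, not code from Trend Micro, Shift4 or the original article. It runs a defender-style card-data check (digit runs, brand prefix rules, Luhn validation) over two constructed memory-like strings: one holding plaintext card numbers (publicly documented test numbers) and one holding only a token and an encrypted block. The prefix rules are a simplified assumption drawn from public IIN tables, and the sample strings are constructed.

```python
import re

# Simplified brand rules: (name, prefix test, accepted lengths). Assumed from
# public IIN tables; co-branded ranges are deliberately omitted.
BRANDS = [
    ("Visa", lambda n: n[0] == "4", (13, 16, 19)),
    ("MasterCard", lambda n: 51 <= int(n[:2]) <= 55 or 2221 <= int(n[:4]) <= 2720, (16,)),
    ("American Express", lambda n: n[:2] in ("34", "37"), (15,)),
    ("Discover", lambda n: n.startswith("6011") or n[:2] == "65" or 644 <= int(n[:3]) <= 649, (16,)),
    ("Diners Club", lambda n: 300 <= int(n[:3]) <= 305 or n[:2] in ("36", "38"), (14,)),
]

# Constructed sample: what a scraper sees when card data sits in plaintext.
PLAINTEXT_MEMORY = (
    "cardholder=J DOE acct=4111111111111111 exp=2512; acct=5555555555554444; "
    "acct=378282246310005; acct=6011111111111117; acct=30569309025904; "
    "bad=4111111111111112"
)

# Constructed sample: the same transaction under tokenization plus P2PE.
# Only a token, a masked reference and an opaque encrypted block are present.
P2PE_MEMORY = (
    "token=tok_8f3a1c9e acct=xxxxxxxxxxxx1111 "
    "p2pe_block=A9F3C1E0B7D24466A1B3C5D7E9F0A2B4 ksn=FFFF9876543210E00001"
)


def luhn_ok(digits):
    """Standard Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(digits):
    """Return the brand name for a Luhn-valid PAN matching a known prefix, else None."""
    if not digits.isdigit() or not luhn_ok(digits):
        return None
    for name, rule, lengths in BRANDS:
        if len(digits) in lengths and rule(digits):
            return name
    return None


def find_card_data(blob):
    """Return (brand, masked PAN) for every plausible card number in blob."""
    hits = []
    for m in re.finditer(r"(?<!\d)\d{13,19}(?!\d)", blob):
        pan = m.group()
        brand = classify(pan)
        if brand:
            # keep first six and last four, as a DLP report would
            hits.append((brand, pan[:6] + "*" * (len(pan) - 10) + pan[-4:]))
    return hits


if __name__ == "__main__":
    print("plaintext:", find_card_data(PLAINTEXT_MEMORY))
    print("p2pe/token:", find_card_data(P2PE_MEMORY))
```

Run against the plaintext sample the check reports one hit per brand and rejects the number that fails Luhn; run against the tokenized sample it reports nothing, which is the practical meaning of the claim that only "tokens or encrypted P2PE card blocks are all that can be scraped". The same logic is useful on the defensive side for sweeping memory dumps or logs of a POS host to confirm that no plaintext PANs are present.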
In May, researchers from FireEye discovered NitlovePOS, a new POS malware strain which infects users through phishing campaigns. The phishing campaign entices victims to download malicious payloads through spoofed Yahoo! mail accounts and fraudulent emails relating to job opportunities, internships and resumes -- a subject which would persuade most businesses to click.