Russian malware Vskimmer has the capability to steal credit card information from Windows systems. Now a new malware is targeting point-of-sale (POS) systems and ATMs. The malware scans the memory of POS systems and ATMs looking for credit card data. It is claimed to have stolen payment card information from several US banks.
Unlike existing banking malware, which infects individual user computers and intercepts online banking credentials and credit card details, attacks on POS systems and ATMs are far more sophisticated.
The modus operandi of this type of malware attack involves infecting ATMs and physical POS systems, such as stand-alone kiosks and modern cash register systems, to collect secret and sensitive debit and credit card information.
Most of the POS/ATM attacks relied on the “help of insiders,” such as the employees in charge of maintaining POS systems and authorised to update the software. A few POS systems running Windows XP or Windows Embedded with Remote Desktop or VNC software were infected remotely, and in some cases, attackers exploited vulnerabilities in ATM networks connecting to the bank’s VPN or GSM/GPRS networks.
The Dump Memory Grabber malware collects Track 1 and Track 2 data and transfers the collected data to a remote command-and-control server. Track 2 refers to data encoded into the magnetic stripe on the physical credit and debit card, and includes information such as the primary account number, first and last name, and expiration date. Criminals use the collected data to create cloned physical cards.
The malware adds itself to the system registry so that it will automatically run whenever the system boots up. The malware’s payload program lists all the processes running on the system and then searches memory for sensitive data. The malware operator can limit the search to the memory of a specific application process or scan across all applications.