
Six things you need to know about ModPOS, the most advanced PoS malware ever seen

Retailers and shoppers alike are being warned of new malware on sales tills that is said to be the most advanced and complex Point of Sale (PoS) malware ever seen. ModPOS has swiped millions of dollars' worth of debit and credit card data from large US retailers while remaining undetected for at least 18 months.

ModPOS is a small glimpse of the future. As cybercrime becomes more and more profitable, more professionally built malware frameworks like ModPOS will emerge. Estimates put credit card fraud losses at over $18 billion USD and the total cost of cybercrime at over $400 billion USD.

At some point it will be more profitable to build malware than the solutions that prevent it. What happens when the bad guys can offer the best engineers more perks than some of the world’s biggest software and technology firms? If you believe in the laws of supply and demand, it paints a grim possibility.

What is it?

ModPOS is a highly sophisticated criminal malware framework recently discovered and reported by iSIGHT Partners, a firm in Dallas, TX. It infects Point of Sale (PoS) systems and steals credit card details and other personal information from these machines as they process transactions. It has been out in the wild for at least 18 months, and its sophisticated detection-avoidance capabilities have hidden it almost completely for all that time.

How advanced is it?

ModPOS is hailed as advanced because it is both comprehensive and elegant. Much malware is a one-trick pony: it does one thing well but falls down in many other places, which makes it relatively easy for experts to detect and reverse engineer. ModPOS has survived in the wild for a very long time because it dedicates much of its energy to avoiding detection. It also has a modular design that lets it adapt. For example, it can load a module that scrapes card data from the PoS application's memory, where the data is handled unencrypted before it is sent on, which defeats poorly implemented chip and pin deployments that only encrypt the data once it leaves the application.

That thorough self-protection and its multi-faceted functionality make it very complete, but it is the way it does this that makes it elegant. ModPOS is compact and uses well-constructed code to accomplish its goals. It is the model for a new age of professional bad guys who aren't interested in defacing websites, only in making money. ModPOS is the poster child for cybercrime for profit.

What is most interesting about this malware?

The most interesting thing about ModPOS is how quiet its creators have been. It is a comprehensive and elegant piece of code for sure, but the fact that no one is bragging about it is its most dangerous aspect.

ModPOS was purpose-built by professionals with a very specific, well-executed vision, who were disciplined enough to simply deploy it, keep quiet, and collect the money. The world of black hat hacking has almost always had an element of bragging, and that is completely missing here. ModPOS is a silent, professional assassin in a world of screaming, show-off marauders.

How widespread is it?

Given how hard ModPOS is to detect and how professionally it is built, it could be in a huge number of places doing harm right now without anyone knowing. The focus of its creators can be read in two ways: either they were just as focused in their targeting and ModPOS sits in only a few choice places to maximise the harm there, or it has been silently slipped into every available spot to maximise revenue until it gets outed.

How can retailers check if they have been infected?

One of the scariest parts of ModPOS is exactly how hard it is to detect. For the moment, it seems all most retailers can do is wait for their malware detection products to catch up and add ways to spot it. Since evading exactly those products is what ModPOS is built to do, a more direct check is to look for what it feeds on: cleartext card data in the PoS application's memory, and anything unexpected reading that process. For the very advanced, iSIGHT will be holding webinars and publishing details on its site so that the whole community can start building defences against this threat.
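As an added example, and not code from iSIGHT's report or from ModPOS itself, the Python script below shows the check behind both the memory-scraping module described above and the detection question here: it scans a captured PoS process memory buffer for cleartext Track 1 and Track 2 card data, which is exactly what a RAM-scraping module would find. It validates candidate card numbers with the Luhn check and a plausible expiry month to filter out random digit runs, and masks what it reports. The sample memory buffer, the test card numbers and the function names are constructed for this example; a real run would feed it a memory dump of the PoS application's process.

```python
import re
from typing import Dict, List

# Track 2 layout (ISO/IEC 7813): [;]PAN=YYMM SSS discretionary-data[?]
# The negative lookbehind stops a digit run like "00004111..." from yielding a
# longer, zero-padded "PAN" that would still pass the Luhn check below.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Track 1 layout: %B PAN ^ NAME ^ YYMM SSS discretionary-data ?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check digit (ISO/IEC 7812); rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_expiry(yymm: str) -> bool:
    """Expiry is YYMM; a month outside 01..12 means this is not real track data."""
    return 1 <= int(yymm[2:]) <= 12


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four so the scan output is not itself a card-data leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> List[Dict]:
    """Return the validated Track 1/Track 2 records found in a memory buffer, by offset."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan, exp = m.group(1).decode(), m.group(2).decode()
        if luhn_valid(pan) and plausible_expiry(exp):
            hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": exp, "name": None})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        name = m.group(2).decode(errors="replace")
        exp = m.group(3).decode()
        if luhn_valid(pan) and plausible_expiry(exp):
            hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": exp, "name": name})
    return sorted(hits, key=lambda h: h["offset"])


def scan_dump(path: str) -> List[Dict]:
    """Scan a process memory dump file (hypothetical path) of the PoS application."""
    with open(path, "rb") as f:
        return find_track_data(f.read())


# Constructed stand-in for a slice of PoS process memory. The card numbers are
# the well-known Visa/Mastercard test numbers, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00POSApp.exe\x00Transaction 0042 approved\x00"
    b";4111111111111111=25121010000000000000?\x00"            # Track 2, Luhn-valid: reported
    b"junk 4111111111111112=2512101000? more junk\x00"        # fails Luhn: rejected
    b"%B5555555555554444^DOE/JANE^27051010000000000000?\x00"  # Track 1, Luhn-valid: reported
    b"log: 4111111111111111=9900101?\x00"                     # expiry month 00: rejected
)


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

If this script finds records in a dump of your PoS application, the card data is sitting in cleartext where any RAM scraper can read it, regardless of whether the terminal does chip and pin; that is the condition the memory-scraping module described above relies on, and the fix is point-to-point encryption at the card reader rather than better antivirus.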

What can consumers do?

Consumers can't do much to protect themselves directly against ModPOS, but they should keep doing the things they are always supposed to do: regularly review credit card and bank statements for transactions that look out of the ordinary.

Take any calls from your financial provider’s fraud department very seriously, and, on the flip side, know how to contact those fraud departments if you think something may be wrong.

Jonathan Sander, VP of Product Strategy at Lieberman Software

Image source: Shutterstock/wavebreakmedia