BlackPOS Malware

From Wikipedia, the free encyclopedia

BlackPOS, also described as interprocess communication hook malware, is a type of point-of-sale malware (a spyware program) designed to be installed on a point of sale (POS) system to scrape data from debit and credit cards.[1][2] This differs from ordinary memory-scraping malware, which scrapes all of a process's memory and then needs filters to extract the target data: BlackPOS hooks specifically into the track information, which is why it is called an interprocess communication hook. Once installed, the malware looks for the pos.exe process on the system and parses the Track 1 and Track 2 financial card data, the contents of the magnetic stripe on the back of the card, out of that process.[3][4] The scraped data is base64-encoded and written to a file, which is then moved to a second machine over SMB. BlackPOS was the malware involved in the Target Corporation data breach of 2013.[5][6]


The BlackPOS program first surfaced in early 2013 and affected many Australian, American, and Canadian companies, including Target and Neiman Marcus, that used point-of-sale systems. The malware, also known as 'reedum' or 'KAPTOXA', was originally created by 23-year-old Rinat Shabayev and later developed by 17-year-old Sergey Taraspov, better known by his online name 'ree4'. The original version of BlackPOS was sold on online black-market forums by Taraspov for around $2000, but it became cheaper and more readily available once the malware's source code leaked onto the web.[7][8][9][10]

How It Works

BlackPOS infects Windows computers that have card readers attached and are part of a POS system.[11] POS computers are easy to infect if their operating system and antivirus software are not kept up to date, or if the back-end database systems use weak administrative login credentials. BlackPOS is a standard memory-scraping malware, except that it limits itself to the pos.exe process on the infected POS system.[12] Once a POS system is infected, the malware locates the process that handles the card reader and steals payment card Track 1 and Track 2 data, the information stored on the card's magnetic stripe, from that process's memory.[11][13] The stolen data can be encoded onto blank cards, which are sold on the black market or used by the thieves themselves, so the cardholder's data is compromised for anyone who obtains it.[7] Unlike some other POS malware, such as vSkimmer, BlackPOS has no offline data-extraction method: captured data is uploaded to a remote server over the network, so the attackers do not need to be near the infected systems to retrieve it.[10][11] To hide from detection, attackers can also configure BlackPOS to send stolen data only during certain time windows, so that the exfiltration traffic blends in with normal business-hours traffic.[14]
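As an added illustration (not code from the page or from BlackPOS itself), the following Python scans a memory buffer for Track 1 and Track 2 records the way a memory scraper does, and the way an incident responder would triage a dump of the POS process to confirm that card data sits in memory in the clear. The regular expressions follow the ISO 7813 track layouts and a Luhn check filters out digit runs that merely look like a card number. The sample buffer is constructed, the card number in it is a standard Luhn-valid test number, and the helper names are this example's own.

```python
"""Scan a memory buffer for magnetic-stripe Track 1 / Track 2 records.

Added example, not code from the page or from BlackPOS. A memory scraper
searches the POS process for exactly these patterns; an incident responder
runs the same search over a process dump to confirm card data is present in
the clear. The sample buffer and its card numbers are constructed.
"""
import re

# Track 1, format B (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)
# Track 2 (ISO 7813): ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check-digit validation; rejects digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):   # iterating bytes yields ints
        d = ch - 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as a triage report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_tracks(buf: bytes) -> list:
    """Return every Luhn-valid track record found in buf, ordered by offset."""
    hits = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group("pan")
            if not luhn_ok(pan):
                continue          # bad check digit: not a card number
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan.decode("ascii")),
                "exp": m.group("exp").decode("ascii"),
                "service_code": m.group("svc").decode("ascii"),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a slice of POS process memory: unrelated data with
# one Track 1 and one Track 2 record in the clear, plus a Luhn-invalid decoy.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"GET /status HTTP/1.1\r\n"
    + b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    + b"\x00" * 8
    + b";4111111111111111=25121011000012345?"
    + b"\x00" * 8
    + b";1234567890123456=25121010000?"   # passes the regex, fails Luhn
    + b"id;123=4567?"                      # too short to be a PAN
)

if __name__ == "__main__":
    for hit in scan_tracks(SAMPLE_DUMP):
        print(hit)
```

The scraper and the responder differ only in what they do with the hits: the malware writes the raw record out, while a triage script should report masked PANs and offsets, as above, and never copy the full track data into its own logs.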


BlackPOS has been used to steal customer card data from businesses worldwide. The best-known attack was the 2013 breach of the retail chain Target.


Target

Around Thanksgiving 2013 (late November), Target's POS systems were infected with BlackPOS. It was not until mid-December that the retailer became aware of the breach. The attackers got into Target's network by first obtaining a third-party vendor's access credentials and then uploading BlackPOS to Target's POS systems. As a result, data for more than 40 million customer credit and debit cards, along with names, addresses, phone numbers and other personal information for more than 70 million customers, was stolen from Target's systems. In all, about 1,800 U.S. Target stores were affected.[15]

Neiman Marcus

Target was not the only business hit by this malware. Neiman Marcus, another well-known retailer, was affected as well. Its systems were reported to have been infected in early July 2013, and the breach was not fully contained until January 2014. It is believed to have exposed 1.1 million credit and debit cards over several months. Although card data was compromised, Neiman Marcus stated that Social Security numbers and birth dates, among other data, were not affected.[16][17] Companies such as UPS, Wendy's and Home Depot have also been reported as affected by BlackPOS, although other reports attribute some of those breaches to other POS malware families.[18][19]


Detection

There are two ways to detect BlackPOS activity on the network, based on how the malware moves stolen data:[20]

  • identifying the transfer of encoded track data over Server Message Block (SMB)
  • recognizing SMB writes to the malware's fixed drop location

Transfer of Encoded Track Data

The first strategy uses the fact that the first 15 characters of a stolen track record are always digits, so only a limited number of encoded outputs is possible and the leading characters of the encoded data follow a predictable pattern. According to Security Intelligence, encoding the digit strings "000" through "999" produces strings that always begin with one of "M1", "Mf", "Mh", "Ml", "T1", "Tf", "Th", "Tl", "sh" or "sl".[20] Those are not the prefixes the standard base64 alphabet produces for digit strings (those are "MD", "MT", "Mj", "Mz", "ND", "NT", "Nj", "Nz", "OD" and "OT", one per leading digit), so the signature has to be derived from the malware's own encoding alphabet rather than from a stock base64 encoder.
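The derivation of that prefix signature, as an added example (not code from the page, from Security Intelligence, or from the malware): every all-digit string is run through an encoder and the distinct leading characters are collected, and the resulting set is then matched against the start of file-write payloads. The block runs the enumeration with the standard base64 alphabet and with a constructed custom alphabet to show that the signature depends entirely on the alphabet the malware uses; `REPORTED_PREFIXES` is the set quoted above, the payloads are constructed, and all function names are this example's own.

```python
"""Derive the 'encoded track data' prefix signature and apply it to payloads.

Added example, not code from the page or from BlackPOS. The first 15
characters of a stolen track record are digits, so only a small set of
leading characters can appear in the base64-encoded record. The enumeration
below runs every three-digit string "000".."999" through an encoder and
keeps the distinct two-character prefixes; that set is the network
signature. Because the first two base64 characters depend only on the first
byte and the high nibble of the second, and every ASCII digit has the high
nibble 0011, the set collapses to one prefix per leading digit: enumerating
two-digit strings gives exactly the same set as three-digit strings.
"""
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Prefix set reported for BlackPOS's own encoder (quoted from the section above).
REPORTED_PREFIXES = {"M1", "Mf", "Mh", "Ml", "T1", "Tf", "Th", "Tl", "sh", "sl"}


def make_encoder(alphabet: str = STD_ALPHABET):
    """Return a base64 encoder over a 64-character alphabet (standard by default)."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    table = str.maketrans(STD_ALPHABET, alphabet)

    def encode(data: bytes) -> str:
        return base64.b64encode(data).decode("ascii").translate(table)

    return encode


def prefix_signature(encode, digits: int = 3, prefix_len: int = 2) -> set:
    """Encode every all-digit string of the given length and collect the
    distinct leading prefix_len characters."""
    return {encode(f"{n:0{digits}d}".encode("ascii"))[:prefix_len]
            for n in range(10 ** digits)}


def is_encoded_track(payload: bytes, signature: set, prefix_len: int = 2) -> bool:
    """Flag a file-write payload whose leading characters are in the signature."""
    try:
        return payload[:prefix_len].decode("ascii") in signature
    except UnicodeDecodeError:
        return False


# Constructed custom alphabet (the standard one rotated by one position), standing
# in for whatever non-standard alphabet a given sample uses.
ROTATED_ALPHABET = STD_ALPHABET[1:] + STD_ALPHABET[0]

# Constructed SMB write payloads: a base64-encoded Track 2 record (sentinel
# stripped, so the digits come first) and an ordinary text-file write.
ENCODED_TRACK = base64.b64encode(b"4111111111111111=25121011000012345")
BENIGN_FILE = b"[Scanner]\r\nDevice=TWAIN\r\n"

if __name__ == "__main__":
    std_sig = prefix_signature(make_encoder())
    print("standard base64 prefixes:", sorted(std_sig))
    print("rotated alphabet prefixes:", sorted(prefix_signature(make_encoder(ROTATED_ALPHABET))))
    print("encoded track flagged:", is_encoded_track(ENCODED_TRACK, std_sig))
    print("benign file flagged:", is_encoded_track(BENIGN_FILE, std_sig))
```

Running the enumeration against the encoder recovered from a sample is the reliable way to build the signature; as the rotated-alphabet case shows, a stock base64 prefix set would miss a variant that swaps the alphabet, and the reported BlackPOS prefixes do not flag output of the standard encoder either.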

SMB Writes to Drop Location

The second way to identify BlackPOS network activity is by the file it drops at a fixed location with a fixed filename format. The example given by Security Intelligence checks whether a file whose path and name match the following pattern is being written:

\WINDOWS\twain_32\*_*_*_*.txt

The strategy can be demonstrated with the following OpenSignature (Snort-syntax) rule:

alert tcp any any -> any 445 (msg:"KAPTOXA File Write Detected"; flow:to_server,established; content:"SMB|A2|"; content:"\\|00|W|00|I|00|N|00|D|00|O|00|W|00|S|00|\\|00|t|00|w|00|a|00|i|00|n|00|_|00|3|00|2|00|\\"; pcre:"/.*_.*_.*_.*\.\x00t\x00x\x00t/"; sid:1;)[20]

The two content matches look for the SMB1 NT_CREATE_ANDX command byte (0xA2) and the UTF-16LE encoded drop directory; the pcre then requires a name containing three underscores and ending in ".txt". The rule as published wrote the null bytes inside the pcre as |00|, a notation Snort only interprets in content matches; inside pcre each | is read as alternation, so that pattern would have matched almost any payload. Written as \x00, as above, the expression matches the intended UTF-16LE ".txt" suffix.
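The rule's three checks re-implemented in Python, as an added example (not code from the page or from Security Intelligence): the SMB1 command byte, the UTF-16LE drop directory, and the filename regex. The block carries the PCRE as published (where PCRE reads |00| as alternation), as corrected with \x00, and in a tightened form anchored to the drop directory, and runs all three against constructed requests. The request framing in `nt_create_request` is a hypothetical stand-in that models only the fields the rule inspects; a real NT_CREATE_ANDX request carries parameter words before the name.

```python
"""Check SMB file-write payloads against the KAPTOXA drop-location rule.

Added example, not code from the page or from Security Intelligence. The
three rule variants differ only in the pcre; the two content matches are the
same in all of them. The request bytes are constructed stand-ins.
"""
import re

SMB1_NT_CREATE_ANDX = b"SMB\xa2"                        # content:"SMB|A2|"
DROP_DIR = "\\WINDOWS\\twain_32\\".encode("utf-16-le")  # second content match

# As published: Snort passes the pcre body to PCRE untouched, so '|' is
# alternation and the expression matches any payload containing a 't'.
PCRE_AS_PUBLISHED = re.compile(rb".*_.*_.*_.*\.|00|t|00|x|00|t", re.DOTALL)
# Intended meaning: <x>_<x>_<x>_<x>.txt in UTF-16LE.
PCRE_CORRECTED = re.compile(rb".*_.*_.*_.*\.\x00t\x00x\x00t", re.DOTALL)
# Tightened: the three underscores must sit in the filename inside twain_32\,
# not anywhere earlier in the payload (the directory name itself holds one).
PCRE_TIGHTENED = re.compile(
    re.escape("twain_32\\".encode("utf-16-le"))
    + rb"(?:[^\\]*?_\x00){3}[^\\]*?\.\x00t\x00x\x00t\x00",
    re.DOTALL,
)

RULES = {
    "published": PCRE_AS_PUBLISHED,
    "corrected": PCRE_CORRECTED,
    "tightened": PCRE_TIGHTENED,
}


def rule_matches(payload: bytes, pcre) -> bool:
    """Apply the rule's checks in order: both content matches, then the pcre."""
    if SMB1_NT_CREATE_ANDX not in payload or DROP_DIR not in payload:
        return False
    return pcre.search(payload) is not None


def nt_create_request(path: str) -> bytes:
    """Constructed (hypothetical) framing for an SMB1 NT_CREATE_ANDX request:
    NetBIOS length, SMB1 magic and command byte, zeroed header fields, then the
    UTF-16LE path. A real request carries parameter words before the name."""
    name = path.encode("utf-16-le") + b"\x00\x00"
    body = b"\xffSMB" + b"\xa2" + b"\x00" * 27 + name
    return len(body).to_bytes(4, "big") + body


# Constructed samples: the BlackPOS drop, two benign writes into the same
# directory, and the same filename written somewhere else.
SAMPLE_REQUESTS = {
    "blackpos_drop": nt_create_request("\\WINDOWS\\twain_32\\1_2_3_4.txt"),
    "same_dir_other_name": nt_create_request("\\WINDOWS\\twain_32\\readme.txt"),
    "two_underscore_name": nt_create_request("\\WINDOWS\\twain_32\\a_b_c.txt"),
    "other_dir": nt_create_request("\\WINDOWS\\system32\\1_2_3_4.txt"),
}


def evaluate_samples() -> dict:
    """Return {sample: {rule variant: matched}} for every sample and variant."""
    return {name: {rule: rule_matches(p, pcre) for rule, pcre in RULES.items()}
            for name, p in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name:22s} {result}")
```

The tightened form is the one to deploy: the corrected pcre still counts the underscore in twain_32 itself and accepts a_b_c.txt, while the published form fires on any text file written under that directory. Note that the rule only sees SMB1; a sample that writes its drop file over SMB2 would need a rule keyed on the SMB2 CREATE command instead.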

Prevention

According to the PCI Security Standards Council, businesses should keep their anti-malware software updated frequently to lower the chance of infection. System logs should be checked regularly for irregular activity on servers, and transfers of large files to unknown destinations should be monitored. Companies should also require that all login credentials be changed regularly and give staff guidance on creating stronger passwords.[11][13][18]

References

  1. "What is BlackPOS Malware".
  2. "A First Look At The Target Intrusion, BlackPOS Malware".
  3. "Survey of Point of Sale Malware".
  4. "POS Malware Revisited".
  5. "BlackPOS involved in Target's POS machines".
  6. "Malware Behind Target Credit Card Thefts Identified".
  7. "A First Look at the Target Intrusion, Malware". Krebs on Security. Retrieved 2016-11-05.
  8. Kumar, Mohit. "23-Year-old Russian Hacker confessed to be original author of BlackPOS Malware". The Hacker News. Retrieved 2016-11-05.
  9. "KAPTOXA Point-of-Sale Compromise". Retrieved 2016-11-05.
  10. "Researchers find new point-of-sale malware called BlackPOS". PCWorld. Retrieved 2016-11-05.
  11. Sun, Bowen. "A Survey of Point-of-Sale (POS) Malware". Retrieved 2016-11-05.
  12. Marshalek, Marion; Kimayong, Paul; Gong, Fengmin. "POS Malware Revisited" (PDF). Retrieved 2016-10-28.
  13. "New BlackPOS Malware Emerges in the Wild, Targets Retail Accounts". TrendLabs Security Intelligence Blog. 2014-08-29. Retrieved 2016-11-05.
  14. "An evolution of BlackPOS malware". Hewlett Packard Enterprise Community. 2014-01-31. Retrieved 2016-11-05.
  15. Riley, Michael; Elgin, Benjamin; Lawrence, Dune; Matlack, Carol (2014-03-17). "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It". Bloomberg Businessweek. Retrieved 2016-11-05.
  16. "Neiman Marcus data breach said to have started in July and not been fully contained until Sunday". Dallas News. 2014-01-16. Retrieved 2016-11-05.
  17. Harris, Elizabeth A.; Perlroth, Nicole; Popper, Nathaniel (2014-01-23). "Neiman Marcus Data Breach Worse Than First Said". The New York Times. ISSN 0362-4331. Retrieved 2016-11-05.
  18. "Backoff and BlackPOS Malware Breach Retailers Point of Sale Systems". Retrieved 2016-11-05.
  19. "Exclusive: More well-known U.S. retailers victims of cyber attacks - sources". Reuters. 2014-01-12. Retrieved 2016-11-05.
  20. "The POS Malware Epidemic: The Most Dangerous Vulnerabilities and Malware". Security Intelligence. 2015-06-19. Retrieved 2016-11-05.