
New Point of Sale malware detected

A new variant of Point of Sale (PoS) malware which has been named 'UDPoS' has been detected by researchers from Forcepoint.

The malware was disguised as a LogMeIn service pack and first drew attention because it generated notable amounts of unusual DNS requests; deeper investigation revealed that it is ultimately designed to steal magnetic stripe payment card data.

“At the time of writing, it's unclear whether the malware is currently being used in campaigns in the wild, although the coordinated use of LogMeIn-themed filenames and C2 URLs, coupled with evidence of an earlier Intel-themed variant, suggest that it may well be,” Forcepoint researchers said.

PoS malware families have the same goal: to harvest credit card data on a large scale.

Forcepoint described the malware's development as “hardly outstanding”: it leaves traces by writing data files to disk rather than working predominantly in memory. Its use of DNS for command-and-control communication and data exfiltration is, however, genuinely unusual and can be quite effective, since outbound DNS is rarely blocked or inspected on a PoS network.
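The DNS-based exfiltration Forcepoint singles out is the point a defender can act on. The following is an added example, not Forcepoint's code and not from this article: a heuristic that flags a client sending many distinct long, high-entropy leftmost labels to the same domain, run over a constructed DNS query log. The hostnames, client IPs, labels and thresholds are assumptions for illustration, not UDPoS indicators.

```python
"""Heuristic detection of DNS-based data exfiltration in a DNS query log.

Added example, not code from Forcepoint or from the article. The log
lines, hostnames and thresholds below are constructed for illustration.
"""
import math
from collections import defaultdict

# Constructed "exfiltrated" labels: 32 hex characters, every hex digit
# exactly twice, so each label has exactly 4.0 bits of entropy per character.
EXFIL_LABELS = [
    "0123456789abcdeffedcba9876543210",
    "13579bdf02468ace02468ace13579bdf",
    "fedcba98765432100123456789abcdef",
    "02468ace13579bdf13579bdf02468ace",
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
    "8796a5b4c3d2e1f00f1e2d3c4b5a6978",
]

# Constructed DNS query log: "<timestamp> <client-ip> <queried-name>".
# 10.0.5.21 is a benign host; 10.0.5.44 plays the compromised terminal.
# example-c2.net is a placeholder, not a real indicator.
SAMPLE_DNS_LOG = "\n".join(
    [
        "2018-02-08T10:00:01 10.0.5.21 www.example.com",
        "2018-02-08T10:00:02 10.0.5.21 update.example-vendor.net",
        "2018-02-08T10:00:05 10.0.5.21 www.example.com",
    ]
    + [
        f"2018-02-08T10:00:{10 + i:02d} 10.0.5.44 {lbl}.svc.example-c2.net"
        for i, lbl in enumerate(EXFIL_LABELS)
    ]
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_label(label: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """A long, high-entropy leftmost label looks like encoded data, not a hostname."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def registered_domain(qname: str) -> str:
    """Crude approximation (last two labels); real deployments should use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, lower-cased query name)."""
    ts, client, qname = line.split()
    return ts, client, qname.lower()


def find_exfil_candidates(log_text: str, min_unique: int = 5) -> list:
    """Return sorted (client, domain, count) tuples where one client sent at least
    min_unique distinct suspicious leftmost labels under the same registered domain."""
    seen = defaultdict(set)  # (client, domain) -> set of suspicious leftmost labels
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname = parse_line(line)
        leftmost = qname.split(".")[0]
        if is_suspicious_label(leftmost):
            seen[(client, registered_domain(qname))].add(leftmost)
    return sorted(
        (client, domain, len(labels))
        for (client, domain), labels in seen.items()
        if len(labels) >= min_unique
    )


if __name__ == "__main__":
    for client, domain, n in find_exfil_candidates(SAMPLE_DNS_LOG):
        print(f"ALERT {client}: {n} distinct high-entropy labels under {domain}")
```

Counting distinct labels per (client, domain) rather than raw query volume is what separates exfiltration from a busy but legitimate hostname. The thresholds still need baselining per environment: CDNs, anti-virus reputation lookups and some telemetry also emit long encoded labels, so a production rule should whitelist known domains and use the Public Suffix List instead of the two-label approximation above.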

Researchers said: “The overall impression is of a piece of malware inspired by the success of (and some of the better ideas and techniques employed by) its predecessors.” 

Forcepoint noted that a PoS terminal could conceivably remain infected for significant lengths of time, because for many businesses legacy PoS systems are still based on variants of the Windows XP kernel and, in large retailers, may be deployed on hundreds or even thousands of devices.

While Windows POSReady is in extended support until January 2019, it is still fundamentally a seventeen-year-old operating system.

LogMeIn contacted Essential Retail with the following statement: “This link, file or executable is not provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You will never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.”