{
	"id": "935bcf6e-6b2f-4e97-a84e-9889e89b8468",
	"created_at": "2026-04-06T00:18:01.937423Z",
	"updated_at": "2026-04-10T03:21:14.063461Z",
	"deleted_at": null,
	"sha1_hash": "aefe5aa067b7aad21bdcdb2494604fefd1d952b6",
	"title": "Malware Targeting Point of Sale Systems | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55538,
	"plain_text": "Malware Targeting Point of Sale Systems | CISA\r\nPublished: 2016-10-06 · Archived: 2026-04-05 17:14:38 UTC\r\nSystems Affected\r\nPoint of Sale Systems\r\nOverview\r\nPoint of Sale Systems\r\nWhen consumers purchase goods or services from a retailer, the transaction is processed through what are commonly referred to as Point of Sale (POS) systems. POS systems consist of the hardware (e.g. the equipment used to swipe a credit or debit card and the computer or mobile device attached to it) as well as the software that tells the hardware what to do with the information it captures.\r\nWhen consumers use a credit or debit card at a POS system, the information stored on the magnetic stripe of the card is collected and processed by the attached computer or device. The data stored on the magnetic stripe is referred to as Track 1 and Track 2 data. Track 1 data is information associated with the actual account; it includes items such as the cardholder’s name as well as the account number. Track 2 data contains information such as the credit card number and expiration date.\r\nPOS Targeting\r\nFor quite some time, cybercriminals have been targeting consumer data entered in POS systems. In some circumstances, criminals attach a physical device to the POS system to collect card data, which is referred to as skimming. In other cases, cybercriminals deliver malware which acquires card data as it passes through a POS system, eventually exfiltrating the desired data back to the criminal. Once the cybercriminal receives the data, it is often trafficked to other suspects who use the data to create fraudulent credit and debit cards.\r\nAs POS systems are connected to computers or devices, they are also often enabled to access the internet and email services. Therefore, malicious links or attachments in emails as well as malicious websites can be accessed, and malware may subsequently be downloaded by an end user of a POS system. The return on investment is much higher for a criminal to infect one POS system that will yield card data from multiple consumers.\r\nImpact\r\nThere are several types of POS malware in use, many of which use a memory scraping technique to locate specific card data. Dexter, for example, parses memory dumps of specific POS software related processes looking for Track 1 and Track 2 data. Stardust, a variant of Dexter, not only extracts the same track data from system memory, it also extracts the same type of information from internal network traffic. Researchers surmise that Dexter and some of its variants could be delivered to the POS systems via phishing emails, or the malicious actors could be taking advantage of default credentials to access the systems remotely, both of which are common infection vectors. Network and host based vulnerabilities, such as weak credentials accessible over Remote Desktop, open wireless networks that include a POS machine and physical access (unauthorized or misuse) are all also candidates for infection.\r\nhttps://www.us-cert.gov/ncas/alerts/TA14-002A\r\nPage 1 of 3\r\nSolution\r\nPOS System Owner Best Practices\r\nOwners and operators of POS systems should follow best practices to increase the security of POS systems and prevent unauthorized access.\r\nUse Strong Passwords: During the installation of POS systems, installers often use the default passwords for simplicity on initial setup. Unfortunately, the default passwords can be easily obtained online by cybercriminals. It is highly recommended that business owners change passwords to their POS systems on a regular basis, using unique account names and complex passwords.\r\nUpdate POS Software Applications: Ensure that POS software applications are using the latest updated software applications and software application patches. POS systems, in the same way as computers, are vulnerable to malware attacks when required updates are not downloaded and installed on a timely basis.\r\nInstall a Firewall: Firewalls should be utilized to protect POS systems from outside attacks. A firewall can prevent unauthorized access to, or from, a private network by screening out traffic from hackers, viruses, worms, or other types of malware specifically designed to compromise a POS system.\r\nUse Antivirus: Antivirus programs work to recognize software that fits their current definition of being malicious and attempt to restrict that malware’s access to the systems. It is important to continually update the antivirus programs for them to be effective on a POS network.\r\nRestrict Access to Internet: Restrict access to POS system computers or terminals to prevent users from accidentally exposing the POS system to security threats existing on the internet. POS systems should only be utilized online to conduct POS related activities and not for general internet use.\r\nDisallow Remote Access: Remote access allows a user to log into a system as an authorized user without being physically present. Cybercriminals can exploit remote access configurations on POS systems to gain access to these networks. To prevent unauthorized access, it is important to disallow remote access to the POS network at all times.\r\nConsumer Remediation\r\nFraudulent charges to a credit card can often be remediated quickly by the issuing financial institution with little to no impact on the consumer. However, unauthorized withdrawals from a debit card (which is tied to a checking account) could have a cascading impact to include bounced checks and late-payment fees.\r\nConsumers should routinely change debit card PINs. Contact or visit your financial institution’s website to learn more about available fraud liability protection programs for your debit and credit card accounts. Some institutions offer debit card protections similar to or the same as credit card protections.\r\nIf consumers have a reason to believe their credit or debit card information has been compromised, several cautionary steps to protect funds and prevent identity theft include changing online passwords and PINs used at ATMs and POS systems; requesting a replacement card; monitoring account activity closely; and placing a security freeze on all three national credit reports (Equifax, Experian and TransUnion). A freeze will block access to your credit file by lenders you do not already do business with. Under federal law, consumers are also entitled to one free copy of their credit report every twelve months through AnnualCreditReport.com.\r\nConsumers may also contact the Federal Trade Commission (FTC) at (877) 438-4338 or via their website at www.consumer.gov/idtheft or law enforcement to report incidents of identity theft.\r\nReferences\r\nAll About Skimmers\r\nA look at Point of Sale RAM scraper malware and how it works\r\nA message from CEO Gregg Steinhafel about Target’s payment card issues\r\nDexter and Project Hook Break the Bank (PDF)\r\nVSkimmer trojan steals card data on point-of-sale systems\r\nDexter – Draining blood out of Point of Sales\r\nPoint-of-sale malware infections on the rise, researchers warn\r\nNew Dexter Point-of-Sale Malware Campaigns Discovered\r\nHappy Holidays: Point of Sale Malware Campaigns Targeting Credit and Debit Cards\r\nProtect your identity from Target security breach\r\nRevisions\r\nJanuary 2, 2014 - Initial Release\r\nSource: https://www.us-cert.gov/ncas/alerts/TA14-002A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.us-cert.gov/ncas/alerts/TA14-002A"
	],
	"report_names": [
		"TA14-002A"
	],
	"threat_actors": [],
	"ts_created_at": 1775434681,
	"ts_updated_at": 1775791274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aefe5aa067b7aad21bdcdb2494604fefd1d952b6.pdf",
		"text": "https://archive.orkl.eu/aefe5aa067b7aad21bdcdb2494604fefd1d952b6.txt",
		"img": "https://archive.orkl.eu/aefe5aa067b7aad21bdcdb2494604fefd1d952b6.jpg"
	}
}