{
	"id": "99511739-337e-4a54-b333-315668219e97",
	"created_at": "2026-04-06T00:12:01.353675Z",
	"updated_at": "2026-04-10T03:20:57.512736Z",
	"deleted_at": null,
	"sha1_hash": "caf86363f702fd3e15edd21453dfbefed3731354",
	"title": "Points of Sale Poorly Secured, Facing Sophisticated Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62719,
	"plain_text": "Points of Sale Poorly Secured, Facing Sophisticated Attacks\r\nBy Brian Donohue\r\nPublished: 2014-05-12 · Archived: 2026-04-05 18:06:45 UTC\r\nAs the sophistication and deployment of PoS malware increases, organizations struggle to defend against even\r\nsimple attacks.\r\nThe point-of-sale (PoS) systems on which financial transactions are conducted at nearly every physical retail\r\nlocation in the U.S. and beyond are fast becoming a favorite target for sophisticated criminal organizations as\r\nwell as standalone attackers.\r\nThe emergence of this trend is unsurprising given that a compromised PoS terminal could potentially yield all\r\npertinent payment information about any credit or debit card processed in a transaction on that machine –\r\nincluding track one and two payment data as well as card numbers, expiration dates, security codes, and the names\r\nof the people they belong to. The problem is exacerbated – according to a PoS malware analysis published by\r\nArbor Networks – in two ways: the maintainers of PoS systems are doing a poor job of protecting such systems\r\nagainst older and well-known attacks, while criminals continue to create more sophisticated tools.\r\nPoS attack campaigns, the researchers claim, have evolved from opportunistic attacks relying on simple card data\r\ntheft to memory-scraping PoS botnets with centralized command and control (C\u0026C) infrastructures. The most\r\nsophisticated attacks are highly targeted, deploying hard-to-detect, customized malware, and reportedly requiring\r\nsubstantial lateral movement within a compromised network.\r\n“Organizations of all sizes are encouraged to seriously consider a significant security review of any PoS\r\ndeployment infrastructure to detect existing compromises as well as to strengthen defenses against an adversary\r\nthat continues to proliferate and expand attack capabilities,” wrote Curt Wilson, a senior research analyst at Arbor\r\nNetworks.\r\nAnother significant problem, according to the report, is that once an organization’s PoS systems are compromised,\r\nthe attacker tends to maintain a presence on those networks for a long time, even within organizations with mature\r\nsecurity postures.\r\n“The longevity and extent of attack campaigns is a serious concern. In organizations with security teams and well\r\nmanaged network infrastructure, point of sale compromises have proliferated for months prior to detection. If\r\nattackers are able to launch long-running campaigns in such enterprise retail environments, one can conclude that\r\nmany other organizations with less mature network and infrastructure management are also at serious risk.”\r\nhttps://threatpost.com/points-of-sale-poorly-secured-facing-sophisticated-attacks/106027/\r\nPage 1 of 3\n\nPoint of Sale Breaches\r\nThe full scope of the problem is perhaps best illustrated by Verizon’s renowned Data Breach Investigation Report,\r\nwhich, the report claims, examined 198 distinct PoS intrusions in 2014 alone.\r\nGenerally speaking, Arbor Networks has observed a substantial increase in the level of interest in PoS-related\r\nthreats, both in closed and public forums. Interestingly, all of their observations regarding this increased interest\r\ncame before the Target breach became public knowledge.\r\nSpecifically, in its report, Arbor Networks examines the Alina, BlackPoS, Chewbacca, vSkimmer, JackPoS, and\r\nPoSCardStealer malware, as well as a new PoS Attackers Toolkit. You can find the MD5 hashes associated with\r\nthe command and control domains and files within each of these samples in the Arbor Networks report [pdf].\r\nThe Alina malware was developed in March 2012, with the most recent development taking place in February.\r\nAlina’s command and control domains suggest that it may be a precursor to JackPoS.\r\nBlackPoS is likely the most talked-about piece of PoS malware this year due to its affiliation with the much\r\ndiscussed Target breach. Older versions, observed with compilation dates as far back as 2010, were simply console\r\nbased, which required the attackers to maintain backdoor access to the target in order to retrieve the stolen card\r\ndata. Newer versions use HTTP and FTP to exfiltrate data. The evolution of BlackPoS seems to mirror the\r\nbroader evolution of PoS threats.\r\nThe researchers point out that during the Target breach, the PoS malware was observed exfiltrating data to other\r\ninternal systems before moving that data off the network to external systems. The researchers believe this staging\r\noccurred because the PoS systems could not exfiltrate directly to the Internet.\r\nChewbacca is another oft-discussed PoS malware toolkit – likely due to its use of the Tor network for its C\u0026C\r\ninfrastructure. vSkimmer too has been the focus of significant past research after its code likely leaked on\r\nunderground forums in 2013. Arbor Networks doesn’t spend a ton of time analyzing vSkimmer other than pointing\r\nout that it has the capability to perform memory scraping with exfiltration to a Command \u0026 Control point or to a\r\nUSB drive and that it is easy to detect.\r\nArbor Networks expresses more interest in JackPoS, which they believe was developed from at least October\r\n2013 with the most recent development on March 5, 2014. They have observed at least 33 distinct samples.\r\nSeparate research suggests that a threat actor operating under the handle Rome0 – known to be implicated with the\r\nDexter and Project Hook PoS malware and a laundry list of other underground activity – is also associated with\r\nthis malware.\r\nUpon infection, JackPoS attempts to spread itself to other systems via Windows networking. According to the\r\nresearch, it displays text reading “Hacking of the network started” and then looks for the presence of a domain\r\ncontroller.\r\n“This is of course foolish design for any type of malware since no sane user would press any key in response to\r\nsuch a blatant “Hacking” message,” the Arbor researchers reason. “Because of this, it is possible that this was test\r\ncode, proof of concept, written for a limited deployment such as an environment where the attacker has physical\r\naccess, or was some type of demonstration code that leaked into the wild.”\r\nThe research also looks at a PoS attackers toolkit that first emerged in March 2014. This toolkit, the researchers\r\nclaim, provides strong evidence that no zero-days are required to compromise PoS terminals. Different versions of\r\nthe kit rely simply on brute-force password attacks. Arbor notes that despite this being an old technique, there\r\nhave been at least ten variations of this attack kit submitted to VirusTotal in the last 10 months.\r\nOn a more sophisticated level, the toolkit also makes use of a modified version of a legitimate auditing tool called\r\nCard Recon, which is designed to find credit card data across a wide variety of systems.\r\n“Card Recon looks to be a useful tool when wielded by an auditor or security staff, but is clearly dangerous in the\r\nwrong hands,” the researchers wrote. “The presence of an audit tool like Card Recon where it is not expected is a\r\nclear sign of trouble, as it shows that attackers are after card data anywhere that it can be found.”\r\nSource: https://threatpost.com/points-of-sale-poorly-secured-facing-sophisticated-attacks/106027/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://threatpost.com/points-of-sale-poorly-secured-facing-sophisticated-attacks/106027/"
	],
	"report_names": [
		"106027"
	],
	"threat_actors": [],
	"ts_created_at": 1775434321,
	"ts_updated_at": 1775791257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/caf86363f702fd3e15edd21453dfbefed3731354.pdf",
		"text": "https://archive.orkl.eu/caf86363f702fd3e15edd21453dfbefed3731354.txt",
		"img": "https://archive.orkl.eu/caf86363f702fd3e15edd21453dfbefed3731354.jpg"
	}
}