The RawPOS Point-of-Sale (PoS) RAM scraper malware was recently observed stealing driver’s license information from victims, Trend Micro has discovered.
RawPOS is one of the oldest PoS malware families out there, with patterns matching its activity dating as far back as 2008. Over time, the actors behind it have focused mainly on the hospitality industry, and have been using the same malware components and tools for lateral movement.
These actors have since started gathering additional information from the compromised systems, which puts victims at greater risk of identity theft, researchers warn. The driver’s license information stolen by the malware can be reused by cybercriminals in further fraud.
RawPOS, Trend Micro explains, attempts to gather both credit card mag stripe data and other types of valuable information in a single sweep, while modifying the regex string to capture the needed data. The malware scans processes to find “track data”-like strings in memory. It then dumps process memory for a file scraper to organize the data.
The threat used almost the same pattern matching for its first eight years, but changed it in 2016 to also look for the strings “drivers” and “license”, as well as for “ANSI 636”. That last string is the start of the header in the data encoded in the PDF417 bar code that the 2013 North American AAMVA DL/ID Card Design Standard makes mandatory on driver’s licenses and ID cards, to aid in “identity and age verification, automation of administrative processing, and address verification.”
Because the numbers “636” are the initial digits of the Issuer Identification Number (IIN) for most US states, the security researchers concluded that the actors were interested in driver’s license information within the US.
“The information stored in each license varies per state, but the bar code mostly contains the same information present in each individual driver’s license or state ID – specifically: full name, date of birth, full address, gender, height, even hair and eye color,” Trend Micro says.
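To make concrete what the scraper is matching, here is an added example (written for this page, not Trend Micro’s or RawPOS’s code) of a defensive memory-hunting check that scans a PoS process dump for the same two artifacts: magnetic-stripe Track 1/Track 2 data and an AAMVA PDF417 payload whose header begins with “ANSI 636”. The regular expressions, the memory buffer, the card number (the well-known 4111… test PAN), the IIN 636000 and every personal field are constructed for the sample and are not taken from the malware; the AAMVA element codes (DAQ, DCS, DAC, DBB, …) are the ones defined by the DL/ID Card Design Standard.

```python
import re

# Constructed sample of a PoS process memory region: a Track 1 and a Track 2
# swipe, then an AAMVA-style PDF417 payload, surrounded by unrelated bytes.
# Nothing here is real data; the IIN 636000 is only chosen to show the US prefix.
SAMPLE_MEMORY = (
    b"\x00\x00TERMINAL READY\x00"
    b"%B4111111111111111^DOE/JANE^25121015432100000000?"
    b"\x00\x00"
    b";4111111111111111=25121015432100000000?"
    b"\x00junk\x00"
    # Header: '@', LF, RS, CR, 'ANSI ', IIN, AAMVA version, jurisdiction version,
    # number of subfiles, then one 10-byte designator (type, offset, length) each.
    b"@\n\x1e\rANSI 636000080102DL00410114ZV01550008"
    # DL subfile: 3-letter element IDs separated by LF, terminated by CR.
    b"DLDAQD12345678\nDCSDOE\nDACJANE\nDBB19900101\nDAG1 MAIN ST\nDAIANYTOWN\n"
    b"DAJZZ\nDAK123450000\nDBC2\nDAU068 in\nDAYBRO\nDAZBRO\r"
    b"ZVZVA01\r"
    b"\x00\x00"
)

# Illustrative patterns for ISO 7813 track data (assumption: the real scraper's
# regex is not reproduced here). Track 1: %B<PAN>^<NAME>^<YYMM><svc>...?
# Track 2: ;<PAN>=<YYMM><svc>...?
TRACK1_RE = re.compile(
    rb"%[A-Z](?P<pan>\d{13,19})\^(?P<name>[^\^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")
# AAMVA header as laid out in the DL/ID Card Design Standard.
AAMVA_RE = re.compile(
    rb"@\n\x1e\rANSI (?P<iin>\d{6})(?P<ver>\d{2})(?P<jver>\d{2})(?P<entries>\d{2})")

# Subset of AAMVA DL subfile element IDs, matching the fields the article lists.
AAMVA_FIELDS = {
    b"DAQ": "license_number", b"DCS": "family_name", b"DAC": "first_name",
    b"DBB": "date_of_birth", b"DAG": "street", b"DAI": "city",
    b"DAJ": "jurisdiction", b"DAK": "postal_code", b"DBC": "sex",
    b"DAU": "height", b"DAY": "eye_color", b"DAZ": "hair_color",
}


def luhn_ok(pan: bytes) -> bool:
    """Luhn check so random digit runs in memory are not reported as PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep BIN and last four only; a hunting report must not re-expose PANs."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def find_track_data(buf: bytes) -> list:
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            if not luhn_ok(m.group("pan")):
                continue
            hits.append({"track": track, "offset": m.start(),
                         "pan": mask_pan(m.group("pan")),
                         "exp": m.group("exp").decode()})
    return hits


def us_iin(iin: str) -> bool:
    """The '636' prefix heuristic from the article: IIN of most US jurisdictions."""
    return iin.startswith("636")


def parse_aamva(buf: bytes, start: int) -> dict:
    """Parse one AAMVA payload whose '@' compliance indicator is at buf[start]."""
    m = AAMVA_RE.match(buf, start)
    entries = int(m.group("entries"))
    pos = m.end()
    subfiles = []
    for _ in range(entries):           # designators: type(2) offset(4) length(4)
        subfiles.append(buf[pos:pos + 2].decode())
        pos += 10
    # A full parser would seek by the designator offsets; here each subfile is
    # taken as one CR-terminated segment starting with its 2-char type.
    fields = {}
    for segment in buf[pos:].split(b"\r"):
        if segment[:2] != b"DL":
            continue
        for element in segment[2:].split(b"\n"):
            name = AAMVA_FIELDS.get(element[:3])
            if name:
                fields[name] = element[3:].decode(errors="replace")
        break
    return {"offset": start, "iin": m.group("iin").decode(),
            "us": us_iin(m.group("iin").decode()),
            "subfiles": subfiles, "fields": fields}


def find_license_data(buf: bytes) -> list:
    return [parse_aamva(buf, m.start()) for m in AAMVA_RE.finditer(buf)]


def scan(buf: bytes) -> dict:
    """Report what a RAM scraper would have found in this memory region."""
    return {"cards": find_track_data(buf), "licenses": find_license_data(buf)}


if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE_MEMORY), indent=2))
```

Running the scan over the constructed buffer reports two card hits (with the PAN masked) and one license payload flagged as US by its IIN prefix, which is exactly the combination the article says the 2016 RawPOS change went after. On a real incident, the same check would be run over a memory dump of the PoS process; a hit confirms that track data or barcode payloads sat in plaintext where a scraper could read them.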
The use of this barcode isn’t unheard of, although it is less common than credit card swipes, the security researchers explain. The driver’s license barcode may be scanned in pharmacies, retail shops, bars, casinos and other establishments that require it.
The use of personal information next to the stolen credit card details provides threat actors with a more “authentic” identity, while also allowing them to complete a transaction even if they don’t have the physical card.
“Aside from this, the driver’s license bar code swipe of the victims can also be used for other kinds of misrepresentation, such as identity theft. In any case, stolen Personal Identity Information (PII) will always be a serious issue that can lead to dire consequences for its victims,” the security researchers explain.