Inside the Point-of-Sale Malware Threat

Point-of-sale malware has been at the center of numerous high-profile breaches this year. Many of those attacks have involved three pieces of malware – BlackPOS, FrameworkPOS and Backoff.

In a new report, researchers at security firm Cyphort have peeled the layers back from each of these cyber-weapons, which have been linked to attacks on businesses ranging from Target to Home Depot to UPS.

Cyphort co-founder Fengmin Gong believes point-of-sale (PoS) malware has been so impactful this year for three main reasons: retailers have been slow to shore up their defenses; Backoff and its derivatives were quickly adopted by cyber-criminals; and publicity about retail breaches has called attention to the effectiveness of PoS malware.

“There definitely is growing awareness [of PoS malware], pressure from compliance, reputation, threatened law suit, and probably more importantly, top executives losing their jobs,” he said. “However, the gap is the practical know-how that prevents them from implementing effective protection.”

Recently, security firm Damballa noted that detections of the Backoff malware jumped 57 percent from August to September. During the month of September alone, Backoff infections increased 27 percent.

Among the breaches tied to Backoff is the attack on UPS, according to the Cyphort report. The report notes that, unlike BlackPOS and FrameworkPOS, Backoff is not aimed at specific victims. Instead, it is built to run on arbitrary PoS machines, takes instructions from a command and control server, and does not depend on the retailer's local infrastructure.

“Backoff is the most sophisticated…mainly because it’s designed to attack a broad spectrum of POS systems, it’s designed with all the modern malware armoring techniques, from protection layers to frustrate static analyses to the behavior armoring to evade simple sandboxing,” Gong said. “Since our blog on September 19 and the special report, we have seen more reports, e.g. from both US Secret Service Alerts and Fortinet blog on November 3, pointing to Backoff infections. It appears that Backoff is either sold or shared through a form of SDK (software development kit) by multiple groups. Newer advanced versions are being produced and deployed in new campaigns.”

FrameworkPOS and BlackPOS, on the other hand, behave more like purpose-built software tailored to specific targets, the report explains.

“They are most likely not from the same authors but FrameworkPOS leaves the strong impression of a copycat attack after former POS malware incidents,” according to the report. “Basic principles and ideas are identical, as of creating a service, scanning chunks of memory, pushing data to a local SMB server and hiding the data in a fake binary file in system root. Still, the implementation methods look very different. FrameworkPOS is very linear, no multi-threading is performed and the data exfiltration is controlled by time intervals rather than coordinated by two threads. Also, FrameworkPOS scans multiple processes, while BlackPOS limits itself to the pos.exe process of the infected POS device. Interestingly, all three families show slightly different memory scraping methods.”
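To make the "scanning chunks of memory" step concrete, here is an added example (not Cyphort's code, and not the code of any of the three families, whose exact scraping methods the report says differ) of the general technique a memory scraper uses to pick card data out of a process memory chunk, and which a defender can equally run over the staged "fake binary" the report describes when hunting for exfiltration data. It matches the ISO/IEC 7813 Track 1 and Track 2 layouts and applies a Luhn check so that arbitrary digit runs in memory are not reported as cards. The memory chunk is constructed inline with well-known payment-network test card numbers; it is not data captured from any real PoS system.

```python
import re

# ISO/IEC 7813 layouts.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    rb"%B(\d{13,19})\^([A-Z /.\-']{2,26})\^(\d{4})(\d{3})[^?]{0,30}\?"
)
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb"\b(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\??")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Every PAN issued by the major card networks satisfies this, so it is
    a cheap filter that removes most random digit runs found in memory."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4 so a hit can be logged without
    writing a full card number to disk."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_chunk(chunk: bytes, validate: bool = True) -> list:
    """Scan one memory chunk for Track 1 / Track 2 data.

    With validate=True, candidates that fail the Luhn check are dropped;
    validate=False returns every regex match, which shows how many false
    positives the check removes."""
    hits = []
    for m in TRACK1_RE.finditer(chunk):
        pan = m.group(1).decode()
        if validate and not luhn_ok(pan):
            continue
        hits.append({"track": 1, "pan": pan, "masked": mask_pan(pan),
                     "name": m.group(2).decode().strip(),
                     "exp": m.group(3).decode(), "offset": m.start()})
    for m in TRACK2_RE.finditer(chunk):
        pan = m.group(1).decode()
        if validate and not luhn_ok(pan):
            continue
        hits.append({"track": 2, "pan": pan, "masked": mask_pan(pan),
                     "exp": m.group(2).decode(), "offset": m.start()})
    return hits


# Constructed sample "memory chunk": binary noise around three records
# built from public test card numbers (Visa, Mastercard, Amex) plus one
# decoy that has the right shape but fails Luhn.
SAMPLE_CHUNK = (
    b"\x00\x90\x7f\x45\x4c\x46" + b"\x00" * 12
    + b"%B4111111111111111^DOE/JOHN^25121010000000000?"
    + b"\xcc" * 8
    + b";5555555555554444=25121010000000000?"
    + b"garbage 1234 text"
    + b";1234567890123456=2512101?"          # decoy: Luhn fails
    + b"\x00" * 4
    + b";378282246310005=2512101?"
    + b"\xff" * 16
)


def demo() -> list:
    """Run the scanner over the constructed chunk and return masked PANs."""
    return [h["masked"] for h in scan_chunk(SAMPLE_CHUNK)]


if __name__ == "__main__":
    for hit in scan_chunk(SAMPLE_CHUNK):
        print(hit["track"], hit["masked"], hit["exp"], "at offset", hit["offset"])
```

On a real system the scraper reads these chunks out of the PoS process (the report notes BlackPOS restricts itself to pos.exe while FrameworkPOS scans several processes); the same `scan_chunk` logic applied to a suspicious file in the system root would confirm whether it is a staging file full of track data.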

Cyphort recommends that retailers take a number of steps to improve PoS security, including removing unnecessary system capabilities to limit what an intruder can do, and designing a security baseline that covers the complete attack lifecycle an attacker must get through to infect a system.

The full report is available online in PDF format.

Written By

Marketing professional with a background in journalism and a focus on IT security.
