RawPOS Malware Steals Driver’s License Information

The RawPOS Point-of-Sale (PoS) RAM scraper malware was recently observed stealing driver’s license information from victims, Trend Micro has discovered.

RawPOS is one of the oldest PoS malware families out there, with patterns matching its activity dating as far back as 2008. Over time, the actors behind it have focused mainly on the hospitality industry, and have been using the same malware components and tools for lateral movement.

These actors have since started gathering additional information from the compromised systems, which put victims at greater risk of identity theft, researchers warn. The driver’s license information stolen by the malware can be used by cybercriminals in their malicious activities.

RawPOS, Trend Micro explains, attempts to gather both credit card magnetic stripe data and other types of valuable information in a single sweep, modifying its regular-expression string to capture whatever data it needs. The malware scans processes to find "track data"-like strings in memory, then dumps process memory for a file scraper to organize the data.

The threat used almost the same pattern matching for the first eight years, but changed it in 2016 to start looking for “drivers” and “license” strings, as well as for an “ANSI 636” string. This is a mandatory PDF417 bar code to aid in “identity and age verification, automation of administrative processing, and address verification,” as defined in the 2013 North American AAMVA DL/ID Card Design Standard.

Because the numbers “636” are the initial digits of the Issuer Identification Number (IIN) for most US states, the security researchers concluded that the actors were interested in driver’s license information within the US.

“The information stored in each license varies per state, but the bar code mostly contains the same information present in each individual driver’s license or state ID – specifically: full name, date of birth, full address, gender, height, even hair and eye color,” Trend Micro says.
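To make concrete what sits behind the "ANSI 636" string the actors began matching, and what a defender can recover from the same bytes when triaging scraper output or memory dumps during an incident, here is an added example (not Trend Micro's analysis code, nor the malware's) that scans a buffer for AAMVA DL/ID barcode payloads and reports which PII fields each carries. The header layout and element identifiers follow the AAMVA DL/ID standard; the sample record, the field labels and the helper names are constructed assumptions for illustration.

```python
import re

# AAMVA DL/ID barcode header: compliance indicator "@" LF RS CR, "ANSI ", then
# IIN (6 digits), AAMVA version, jurisdiction version and subfile count.
AAMVA_HEADER = re.compile(rb"@\n\x1e\rANSI (\d{6})(\d{2})(\d{2})(\d{2})")
# Each data element is a three-letter identifier followed by its value, LF-separated.
ELEMENT = re.compile(rb"(D[A-Z]{2})([^\n\r]*)")

# AAMVA element identifiers for the fields the article lists as exposed.
PII_ELEMENTS = {
    b"DAQ": "license_number", b"DCS": "family_name", b"DAC": "first_name",
    b"DBB": "date_of_birth", b"DAG": "street", b"DAI": "city", b"DAJ": "state",
    b"DAK": "postal_code", b"DBC": "sex", b"DAU": "height",
    b"DAY": "eye_color", b"DAZ": "hair_color",
}

def find_dl_payloads(buf: bytes) -> list[dict]:
    """Locate AAMVA payloads in a buffer and report issuer and PII fields present."""
    findings = []
    for m in AAMVA_HEADER.finditer(buf):
        iin, _ver, _jver, count = m.groups()
        start, directory = m.start(), m.end()
        fields = []
        for i in range(int(count)):
            # Directory entry: 2-char subfile type, 4-digit offset from "@", 4-digit length
            entry = buf[directory + 10 * i : directory + 10 * (i + 1)]
            off, length = int(entry[2:6]), int(entry[6:10])
            subfile = buf[start + off : start + off + length]
            for ident, _value in ELEMENT.findall(subfile[2:]):  # skip subfile type chars
                if ident in PII_ELEMENTS:
                    fields.append(PII_ELEMENTS[ident])
        findings.append({"offset": start, "iin": iin.decode(),
                         "us_issuer": iin.startswith(b"636"), "pii_fields": fields})
    return findings

def build_sample(elements: dict, iin: bytes = b"636000") -> bytes:
    """Construct a synthetic AAMVA record with one DL subfile (test data, not a real ID)."""
    body = b"DL" + b"\n".join(k + v for k, v in elements.items()) + b"\r"
    header = b"@\n\x1e\rANSI " + iin + b"09" + b"01" + b"01"
    directory = b"DL%04d%04d" % (len(header) + 10, len(body))
    return header + directory + body

if __name__ == "__main__":
    # Constructed buffer: a fictitious record wrapped in unrelated bytes, as in a dump
    sample = b"scraper output\x00" + build_sample({
        b"DAQ": b"D1234567", b"DCS": b"DOE", b"DAC": b"JANE", b"DBB": b"01011980",
        b"DAG": b"1 MAIN ST", b"DAI": b"ANYTOWN", b"DAJ": b"CA", b"DAK": b"90210",
        b"DBC": b"2", b"DAU": b"068 in", b"DAY": b"BRO", b"DAZ": b"BLK",
    }) + b"\x00 trailing bytes"
    for finding in find_dl_payloads(sample):
        print(finding)
```

Running the same scan over files a scraper leaves behind, or over DLP-monitored outbound data, flags driver's license PII at rest without relying on the credit card patterns alone.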

The use of this barcode isn’t unheard of, although it is less common than credit card swipes, the security researchers explain. The driver’s license barcode could get scanned in pharmacies, retail shops, bars, casinos and other establishments that require it.

The use of personal information next to the stolen credit card details provides threat actors with a more “authentic” identity, while also allowing them to complete a transaction even if they don’t have the physical card.

“Aside from this, the driver’s license bar code swipe of the victims can also be used for other kinds of misrepresentation, such as identity theft. In any case, stolen Personal Identity Information (PII) will always be a serious issue that can lead to dire consequences for its victims,” the security researchers explain.

Related: PoS Malware Activity Spiked on Thanksgiving: Report

Related: Cybercriminals Use RawPOS Malware to Target Hotels, Casinos

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
