New strain of malware steals credit card info from local businesses


The latest strain of malicious software targets everything from pet stores and movie theaters to restaurants and credit unions. Called GamaPOS, the malware already affects 13 US states and Vancouver, according to Trend Micro.

A point-of-sale (POS) device is a piece of equipment — a Windows computer, in this case — used at checkout for transactions at retail businesses. Once a point-of-sale computer is infected with GamaPOS, the malware locates customer credit card data from each sale. That data is sent to hackers, who in turn sell it on the black market.

GamaPOS spreads via the Andromeda botnet, one of the biggest online networks for distributing malware. Andromeda has recently resurfaced as a popular botnet targeting North America.

Hackers send out emails offering to help businesses comply with credit card payment standards and update their point-of-sale software (Oracle MICROS, in this instance). When the malicious email attachment is opened, Andromeda injects itself into other Windows processes and deletes its original executable to cover its tracks.

GamaPOS identifies cards by the number of digits in the account number, specifically looking for Visa (12), Discover (12 or 14), and Maestro cards (14).
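Scraping memory for digit runs of a given length is the same test a defender can run in reverse: checking whether a POS host's own logs or exports retain cleartext card numbers that a scraper could harvest. The following is an added example, not code from the article or from Trend Micro; it applies a length filter and then the Luhn checksum to a constructed log sample, and the log lines and card numbers in it are made up (standard test numbers) for the demo.

```python
import re

# Account-number lengths worth flagging. The article cites 12 and 14 digits
# for the brands GamaPOS targets; 12-19 is the assumed superset used here so
# that other brands' lengths are caught as well.
CANDIDATE_LENGTHS = range(12, 20)

# Constructed sample: one PCI-style transaction log with a cleartext PAN,
# a 12-digit order reference (not a card), and a space-separated PAN.
SAMPLE_LOG = """\
2015-07-13 10:02:11 txn=000123 card=4111111111111111 amount=19.99
2015-07-13 10:02:12 order_ref=123456789012 status=ok
2015-07-13 10:03:01 txn=000124 card=5500 0000 0000 0004 amount=42.00
"""


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum that every payment card number must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_candidate_pans(text: str) -> list[tuple[str, bool]]:
    """Return (digits, luhn_ok) for each digit run of card-like length.

    Spaces and dashes between digits are tolerated, so '5500 0000 0000 0004'
    is found; the lookarounds stop a longer digit run from being split up.
    """
    hits = []
    for m in re.finditer(r"(?<!\d)(?:\d[ -]?){11,18}\d(?!\d)", text):
        digits = re.sub(r"[ -]", "", m.group())
        if len(digits) in CANDIDATE_LENGTHS:
            hits.append((digits, luhn_valid(digits)))
    return hits


def mask(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for digits, ok in find_candidate_pans(SAMPLE_LOG):
        verdict = "LIKELY PAN" if ok else "digit run, Luhn fails"
        print(f"{mask(digits)}  {verdict}")
```

Length alone would flag the order reference on the second line; the Luhn check is what separates a real account number from any other long digit run.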

Dynamite fishing

Andromeda is extremely modular, meaning it can be used to distribute and run a variety of malware on hijacked computers. This malware includes keyloggers, form grabbers, proxy modules, and rootkits. Because Andromeda is so widespread across all kinds of personal computers, GamaPOS bets on the probability that at least a few of them will be point-of-sale PCs. This is called a “dynamite fishing” or “shotgun” approach.

GamaPOS is far from the first malware to target POS systems (see our previous blog posts on Punkey and LusyPOS), but it is the first to be coded with Microsoft’s .NET framework, according to Trend Micro. That means it’s specifically designed for Windows computers and can scrape a variety of applications written in different languages. Because Microsoft recently made .NET an open source platform, more developers are using it in their apps.

Protect your business

In the US, POS systems are a prime target for cyber criminals. A study by security firm Trustwave showed that hackings at POS locations accounted for over half the data breaches in North America. The same sort of attack only made up 10 to 11 percent of breaches in the rest of the world. The discrepancy is due to America’s continued reliance on magnetic stripe cards, whereas the rest of the world’s credit card-owning population favors EMV cards, which pair an embedded smart chip with effective anti-fraud controls.

Of all the POS systems infected with Andromeda, Trend Micro estimates less than 4 percent have contracted GamaPOS. Businesses at risk should make a point to sweep their systems and install security patches as soon as possible, or else face the possibility of compromising customers’ credit card information. Educating staff on safe email practices will also help guard against POS malware.


Featured image: Petr Kratochvil / Public Domain