Understanding POS Malware: How It Affects Retailers and How to Protect Your Business

Antonio Gabriel Tongco

Point of sale (POS) systems play a crucial role in facilitating payments and transactions between businesses and consumers, enhancing both convenience and efficiency in business operations. Modern POS systems even allow stores to accept various payment methods such as cash, debit or credit cards, or e-wallets to streamline the checkout process.

As beneficial as POS systems may be for retailers, however, their inherent nature as pieces of technology makes them susceptible to cyber attacks such as malware, which can threaten the security of merchants and customers alike. In this article, we will look at what POS malware is, how it can affect businesses, and how businesses can protect themselves against it.

What is POS Malware?

POS malware is software created to steal customer data from the magnetic strips or chips of electronic payment cards, such as debit and credit cards, during transactions. Usually, the cybercriminals behind POS malware intend to resell the customer data rather than use it themselves; this does not, however, rule out other uses such as fraudulent transactions and identity theft. POS malware targets a compromised or insecure POS system by exploiting vulnerabilities such as weak passwords or inadequate security measures, or by using social engineering techniques.

While payment card data is encrypted end-to-end, it is temporarily decrypted in the POS system's random-access memory (RAM) while a payment is being processed. This is the moment the malware attacks: it scrapes the data from RAM, writes it to a text file, and either sends that file to an off-site server at a later time or leaves it for the attacker to retrieve remotely. POS malware can be delivered via infected networks or USB devices connected to the POS system, and it can also be distributed through email or other web-based means.
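Because the data is only exposed in plaintext for the duration of the transaction, one practical defender-side check is to sweep a log file, temp file, or dumped memory region from a POS host after a transaction completes and confirm that no plaintext track data survived. The following Python is an added example and not code from the original article; the Track 2 layout it looks for is the standard magnetic-stripe format, but `SAMPLE_BUFFER` is constructed and the PANs in it are well-known test numbers rather than real cards.

```python
"""
Added example: a defender-side sweep that checks whether plaintext
payment-card track data is lingering in a buffer (a log file, a temp file,
or a memory region dumped from a POS host) after a transaction completed.
SAMPLE_BUFFER is constructed; the PANs are standard test numbers, not
real cards.
"""
import re
from typing import Dict, List

# Constructed input: what a sweep of a POS host's memory region or log might see.
SAMPLE_BUFFER = (
    b"\x00\x00POS_TXN_START\x00"
    b";4111111111111111=2912101123400000?"   # Track-2-shaped data, Luhn-valid test PAN
    b"\x00noise\x00"
    b";4111111111111112=2912101123400000?"   # fails the Luhn check: not a real PAN
    b"\x00masked:411111******1111\x00"       # already masked: nothing to flag
    b"POS_TXN_END\x00"
)

# Track 2 layout on a magnetic stripe: optional ';' start sentinel, PAN,
# '=' field separator, then the YYMM expiry date.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; filters random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (the usual receipt-style masking)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> List[Dict[str, object]]:
    """Return every Luhn-valid Track 2 record found in buf, with the PAN masked."""
    hits: List[Dict[str, object]] = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry_yymm": m.group(2).decode(),
        })
    return hits


def sweep_clean(buf: bytes) -> bool:
    """True when no plaintext track data survives in the buffer."""
    return not find_track2(buf)


if __name__ == "__main__":
    for hit in find_track2(SAMPLE_BUFFER):
        print(f"plaintext track data at offset {hit['offset']}: "
              f"{hit['pan_masked']} exp {hit['expiry_yymm']}")
    print("sweep clean:", sweep_clean(SAMPLE_BUFFER))
```

Run against the constructed buffer, the sweep reports one finding (the Luhn-valid record) and ignores both the digit run that fails the check and the record that was already masked. The point of the Luhn filter is to keep a sweep over many megabytes of memory from drowning in false positives; the point of masking in the report is that the sweep tool itself must not become another place where full PANs are written to disk.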

While POS malware may not be as sophisticated as other forms of malware, it can still have a massive effect on both customers and merchants, harming a company's data integrity and finances as well as its reputation. Despite its extremely straightforward approach, its impact on retailers so far has been massive.

The Impact of POS Malware on Retailers

RAM scraping malware has targeted not just retail businesses but any business that processes large volumes of payment cards (e.g., leisure and hospitality, banking and insurance). Even big companies can fall victim to this form of cybercrime. In 2008, Visa issued the first documented warning about a RAM scraping attack when its security staff discovered that hackers had gained access to POS terminals that process transactions using Visa cards. Fast forward to 2013: Target experienced a massive data breach due to a POS malware attack, affecting payment, transaction, and other personally identifiable data of an estimated 110 million customers, almost a third of the United States population. As a result, 40 million payment card numbers were lost shortly before the holiday shopping season. The settlement for the case was over $18 million, but the estimated losses from the loss of consumer trust were nearly $300 million. The following year was considered by industry experts the "Year of the Largest Retail Hacks" because of POS malware, which affected other companies such as Home Depot and Kmart.

Statista reported 2.8 billion malware attacks worldwide in the first half of 2022 and 5.4 billion in 2021. The highest number of malware attacks detected in recent years was in 2018, with 10.5 billion attacks reported worldwide. The size of the business doesn't matter; anyone can be a victim of this cyberthreat, and the consequences include loss of customer trust, brand and reputation damage, an eventual decline in market value, and, in the worst case, litigation claims in court. Although POS malware is a much bigger concern for retailers than for consumers, consumers should still look out for ways to protect their bank accounts, as they can experience financial losses, damaged credit standing, and fraud.

Understanding the potential dangers POS malware presents to both your business and customers is crucial. Recognizing how such an attack can unfold is the first step towards preparedness. After all, being well-prepared is essential for safeguarding your operations and the trust of your clientele.

Someone holding a card. Image by Pixabay on Pexels.

How POS Malware Infects Systems

Generally speaking, there are two ways that POS malware can be installed on POS systems capable of reading card data. The first is an inside job: a business employee who knows how payment processing is set up installs the malware on the POS system. Data scraped by variants that are not connected to a network is retrieved later or accessed remotely.

The second is through social engineering or phishing lures. This method often involves files with misleading names, which are known to be highly customized to blend in with files associated with the targeted business. Once the malware is installed, the affected systems are connected to a POS botnet that reports back to a centralized command-and-control (C&C) server.

Usually, POS malware goes through the following steps:

  1. Access: The cybercriminal gains access to the POS system through social engineering, phishing, faulty configuration, or exploitable hardware.
  2. Installation: The malware is installed on the system, disguised as or hidden inside a legitimate process, such as an update.
  3. Data theft: The malware logs data like payment information, customer details, or employee login information.
  4. Data transfer: The stolen data is moved to a server owned by the attacker. Other methods include real-time transfer over Bluetooth, as in the case of keyloggers.
  5. Hiding the evidence: Advanced malware can initiate a sweeping process to hide traces of tampering, such as deleting logs or reverting system settings. As a result, attacks can remain undetected for a period of time or never be detected at all.

Types of POS Malware

POS malware comes in different types that make use of different methods or devices to steal data.

  • Keyloggers: Keyloggers are among the older types of malware. They record every keystroke on the system, which means that if a customer's information is typed manually on the terminal, that information is also sent to the attacker.
  • Memory Dumpers: POS systems use short-term memory to briefly store transaction data in case of a refund or voided purchase. Memory dumpers target data packets before the data is encrypted and obtain plaintext versions of sensitive information.
  • Network Sniffers: Also called packet analyzers, network sniffers intercept data as it travels across the network instead of stealing it from the POS system itself. The attacker focuses on the path between the terminal and the payment processing server; this gives the cybercriminal insight into exactly where to look and lets them covertly access the information before it continues to its intended destination. As a result, network sniffers can be quite difficult to detect.
  • RAM Scrapers: As mentioned earlier, RAM scrapers use data stored in the RAM to gather information.
  • Credit Card Skimmers: These are physical devices that are connected to a POS terminal to gather credit card data as it is swiped through the machine. They can be connected via Bluetooth or Wi-Fi.
  • End-to-End Encryption Malware: Used to extract confidential information from encrypted data while it is being transferred.
  • Backdoors: Allow attackers to remotely access and control the system to install or remove malware, launch additional attacks, or access confidential data.

POS malware also comes in different families, each with their own set of capabilities.

  • BlackPOS: Designed for Windows computers that are part of a POS system and used to steal credit card information. It cannot perform offline data extraction; stolen data is uploaded to remote servers online, which gives attackers more flexibility.
  • MalumPOS: A customizable malware that can disguise itself as a display driver on the infected system, where it monitors active programs and searches the system's memory for payment details.
  • PoSeidon: Installs a keylogger to the system and transfers data to a remote server.
  • TreasureHunt: Custom-built by a hacker group that sells stolen credit card data. It exploits stolen or weak credentials to install itself on the infected system and targets businesses that still use older swipe systems. Credit card information is extracted from the device's memory and sent to the C&C server.
  • NitlovePOS: Collects track-one and track-two payment card data by scanning the active processes of an infected system and uses SSL to send the stolen data to a web server. It is spread through spam emails that trick users into downloading the malware. It is not immediately visible, as it copies itself to disk and restores itself if someone tries to delete it.

The first step in protecting your business from POS malware is being aware of how an attack can occur, what the malware is capable of, and the different types it comes in. The next step is to come up with strategies to ensure that your business is safe from these threats.

Prevention and Mitigation Strategies

One of the first things you should do to prevent malware attacks is to assess the vulnerabilities that may be present in your system, such as out-of-date software, weak passwords, and poorly configured networks. Keep your software updated, as updates provide patches that address security issues in the system. Secure the network connection used by your POS, as poorly configured networks can easily be accessed by hackers. Avoiding connections to external networks and creating strong passwords will also help protect you and your business from attacks.

You may also consider investing in secure and tamper-resistant hardware, as it can give you an indication that something has gone wrong. Developing a strong security policy is important to keep your POS system protected from attackers. Consider establishing two-factor authentication, access controls, and log-off protocols for your login systems. Setting this standard for your workers, in addition to educating them, can already go a long way. In addition, review logs regularly, be on the lookout for any unusual behavior, and act quickly when you notice something off. You should also configure your infrastructure so that the POS system is appropriately isolated from other networks; this gives you time to identify an attack and keeps it from spreading to more sensitive areas.
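Network isolation and regular log review reinforce each other: once the POS segment is only allowed to reach the payment processor and a local resolver, any other connection in the firewall's egress log is worth a look, and the "data transfer" step described earlier shows up as a terminal pushing an unusual amount of data outward. The following Python is an added example, not code from the original article or from any product; the log format, host names, addresses, allowlist and byte threshold are all assumptions, and `SAMPLE_LOG` is constructed.

```python
"""
Added example: a small log-review routine for an isolated POS segment.
It reads egress records from a firewall sitting between the POS VLAN and
everything else and flags connections that fall outside the allowlist.
The log format, hosts, addresses and thresholds are assumptions for this
example; SAMPLE_LOG is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed log: "<timestamp> <pos host> <src ip> -> <dst ip>:<port> <proto> <bytes out>"
SAMPLE_LOG = """\
2024-03-01T10:02:11Z pos-01 10.10.5.21 -> 203.0.113.10:443 tcp 1840
2024-03-01T10:02:40Z pos-01 10.10.5.21 -> 203.0.113.10:443 tcp 2210
2024-03-01T10:03:05Z pos-02 10.10.5.22 -> 10.10.5.1:53 udp 96
2024-03-01T10:05:59Z pos-01 10.10.5.21 -> 198.51.100.77:8080 tcp 734211
2024-03-01T10:06:02Z pos-03 10.10.5.23 -> 10.10.20.15:445 tcp 5120
"""

# Assumed segmentation policy: POS terminals may only talk to the payment
# processor endpoint and the local resolver. Everything else is a finding.
POS_SEGMENT = ipaddress.ip_network("10.10.5.0/24")
ALLOWED_DESTINATIONS = {
    ("203.0.113.10", 443),   # payment processor (placeholder documentation address)
    ("10.10.5.1", 53),       # local DNS resolver (assumed)
}
LARGE_TRANSFER_BYTES = 100_000  # a terminal has no business pushing this much out


@dataclass
class Alert:
    host: str
    reason: str
    line: str


def parse_line(line: str) -> tuple:
    """Split one constructed log record into its fields."""
    ts, host, src, _arrow, dst_port, proto, bytes_out = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return ts, host, src, dst, int(port), proto, int(bytes_out)


def review(log_text: str) -> List[Alert]:
    """Return one Alert per policy violation found in the egress log."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, _src, dst, port, _proto, bytes_out = parse_line(line)
        if (dst, port) not in ALLOWED_DESTINATIONS:
            inside = ipaddress.ip_address(dst) in POS_SEGMENT
            where = ("peer inside the POS segment" if inside
                     else "destination outside the POS segment")
            alerts.append(Alert(host, f"non-allowlisted {where}: {dst}:{port}", line))
        if bytes_out >= LARGE_TRANSFER_BYTES:
            alerts.append(Alert(host, f"large outbound transfer: {bytes_out} bytes", line))
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(f"[{alert.host}] {alert.reason}\n    {alert.line}")
```

On the constructed log this produces three alerts: pos-01 reaching a non-allowlisted external host, the same connection carrying an unusually large upload, and pos-03 talking to a file-sharing port on a server outside the POS segment. The allowlist approach only works because the segment was isolated first; without isolation, the list of legitimate destinations is too long to review by hand.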

These are some of the foundational steps in securing your business, but you can take it a couple of steps further by implementing more advanced security measures.

A woman swiping her card. Image by MART PRODUCTION on Pexels.

Advanced Security Measures

Installing reliable anti-malware and anti-phishing software and keeping it regularly updated will not only scan the files in your system but also help detect and block phishing emails.

A POS system is a form of endpoint: a device connected to systems and infrastructure to do work. Endpoint protection (EPP) solutions therefore help detect and block threats at the device level. An EPP solution usually combines antivirus capabilities with firewalls, anti-malware, virtual private network (VPN) data encryption, and data loss prevention (DLP). It also tracks which users have accessed data and what changes were made within the system. It is highly cost-effective on a per-device and per-month basis.

Using end-to-end encryption ensures that customer data is not exposed to attackers. Another measure to consider is whitelisting technology, which prevents unauthorized processes from running on POS systems by allowing only pre-approved applications to run. Lastly, code signing can also check programs before they run: a cryptographic signature is bound to a specific binary executable so that the program can be verified and any tampering detected.
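Whitelisting and code signing are usually deployed together, because each covers the other's weak spot: a hash allowlist blocks anything it has never seen, including a malicious "update" that merely reuses a legitimate file name, while a signature check lets a genuine vendor update through without a manual allowlist change and catches a binary that was modified after it was signed. The following Python is an added example and not the article's own code; the "binaries" are constructed byte strings, and an HMAC under a placeholder key stands in for the vendor's public-key signature so the example stays within the standard library.

```python
"""
Added example: an application-allowlisting gate for a POS host. A binary may
run only if (1) its SHA-256 hash is on the approved list and (2) its code
signature verifies. The binaries are constructed byte strings, and an HMAC
with a placeholder key stands in for a vendor's public-key signature.
"""
import hashlib
import hmac
from typing import Tuple

# Constructed stand-ins for the installed checkout application and a tampered copy.
APPROVED_POS_APP = b"pos-checkout v4.2 build bytes"
TAMPERED_POS_APP = b"pos-checkout v4.2 build bytes\x00injected stub"

# Placeholder signing key. In a real deployment the vendor signs with a private
# key on its build system and the POS host holds only the public key.
SIGNING_KEY = b"vendor-signing-key-placeholder"


def sign(binary: bytes) -> str:
    """Produce the signature the vendor would ship alongside the binary."""
    return hmac.new(SIGNING_KEY, binary, hashlib.sha256).hexdigest()


def signature_valid(binary: bytes, signature: str) -> bool:
    """Constant-time comparison so a bad signature cannot be probed byte by byte."""
    return hmac.compare_digest(sign(binary), signature)


def sha256_hex(binary: bytes) -> str:
    return hashlib.sha256(binary).hexdigest()


# Approved hashes come from the vendor / change-management process, never from
# the host itself.
ALLOWLIST = {sha256_hex(APPROVED_POS_APP)}
APPROVED_SIGNATURE = sign(APPROVED_POS_APP)


def allowed_to_run(binary: bytes, signature: str) -> Tuple[bool, str]:
    """Gate a launch request: both the allowlist and the signature must agree."""
    digest = sha256_hex(binary)
    if digest not in ALLOWLIST:
        return False, f"blocked: hash {digest[:12]}... not on allowlist"
    if not signature_valid(binary, signature):
        return False, "blocked: code signature does not verify"
    return True, "allowed"


if __name__ == "__main__":
    print(allowed_to_run(APPROVED_POS_APP, APPROVED_SIGNATURE))
    print(allowed_to_run(TAMPERED_POS_APP, APPROVED_SIGNATURE))
    print(allowed_to_run(APPROVED_POS_APP, "00" * 32))
```

The order of the checks matters little for security but a great deal for operations: the hash lookup is cheap and fails closed for anything unknown, so it runs first; the signature check then catches the case where an attacker has managed to get a modified binary's hash onto the allowlist (for instance by tampering with the allowlist file itself) but cannot produce a valid vendor signature for it.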

While your business’ system may be secured and ready to take on these threats, it is still important to know what to do if your system gets compromised.

Responding to a POS Malware Infection

The first step is to disconnect from the network to contain the infection. Next, log which of your systems have been infected and which have not. The infected systems must then be isolated and cleaned with an anti-malware solution. Then identify the cause of the infection and how much it has affected operations. It is also a good idea to inform everyone involved, including your customers, and to document any relevant evidence. Finally, review what can be done to improve your system and security to prevent the incident from happening again.

POS malware is a threat that continues to affect retailers around the world. Awareness of POS malware and its capabilities equips retailers to know what to look out for and what steps to take to prevent and combat these cyber attacks. This benefits not only your business but also your customers as you provide your services to them. Security helps establish your relationship with consumers and gain their trust.
