RawPOS Malware Harvests Driver’s License Data

The RawPOS malware, one of the oldest point-of-sale malware families, has recently been updated to harvest driver’s license data from victims.

RawPOS Malware Updated With Dangerous New Features

The RawPOS malware family is one of the oldest families of malware targeting point-of-sale systems. Some of its early strains date back to 2008, when large-scale attack campaigns were deployed. Over time the criminal operators shifted their focus to the hospitality industry, where PoS devices are used across all of the services provided. As the hackers released further updates over the years, malware specialists observed that the malware gathered more and more data from the victims, with account theft and abuse being the most obvious motive. In the latest iteration of the RawPOS malware it was discovered that the virus now steals driver’s license data as well.

In the spring of 2015 several large-scale attacks against the hospitality industry were attributed to the RawPOS malware. Some of the identified victims were hotels, resorts and casinos located in the United States and Canada.

The hackers behind the virus have added several new fields that correspond to the ANSI 636 standard governing ID card design in the USA. Because the cards are machine-readable, the data can easily be extracted when they are swiped through a reader, and if that machine is infected with the virus, the hackers can harvest it. The information is a full set of data that identifies the owner: full name, date of birth, address, gender, height, and hair and eye color. Driver’s licenses are commonly scanned in retail shops, pharmacies and casinos where identity verification is required. Once the data has been acquired by the harvesting module, it is passed to the scraper, which then transfers the information to the attackers.


How The RawPOS Malware Works

The virus is made up of several components (modules) that have evolved over time as the hackers behind it have updated the code. Specialists believe that the malware follows the traditional three-module design used by other similar threats:

  1. Persistence Module – Maintains access to the compromised system by installing the virus engine as a service. On infection and at each launch it automatically starts the memory dumper and the data scraper to gather any available information. Depending on the version of the RawPOS malware, a backdoor component may be added as well, allowing remote control and surveillance.

  2. Memory Dumper – Allows the virus to dump the memory of a process. One of the captured versions of the RawPOS malware uses two dumpers: a generic one and another made specifically for extracting data from PoS applications. The generic dumper can be configured either to dump the memory of a specific process or to monitor it for changes.

  3. File Data Scraper – Parses the files extracted from memory and scrapes the payment card data. It is also in charge of encoding the files into a predefined format.
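The ANSI 636 (AAMVA) data the new fields target, and the scraper's job of picking it out of dumped files, are what a defender needs to recognise when reviewing a memory dump or a suspicious encoded output file. The following is an added example, not code from the article or from the malware: a detector that finds AAMVA-formatted driver's license records in a byte buffer and reports which PII elements are present without copying their values. The header layout and element identifiers follow the public AAMVA card design standard as the author of this example knows it; the sample dump is constructed and fictitious.

```python
import re

# Element identifiers from the public AAMVA DL/ID standard ("ANSI 636" format);
# the detector reports identifiers only, never the values behind them.
AAMVA_ELEMENTS = {
    "DAQ": "license number", "DCS": "family name", "DAC": "first name",
    "DAD": "middle name", "DBB": "date of birth", "DBC": "sex",
    "DAU": "height", "DAY": "eye color", "DAZ": "hair color",
    "DAG": "street address", "DAI": "city", "DAJ": "state", "DAK": "postal code",
}

# "@" compliance indicator, LF, RS, CR, then "ANSI " + 6-digit issuer ID (636xxx) + version.
HEADER_RE = re.compile(rb"@\n\x1e\rANSI (636\d{3})\d{2}")


def _element_ids(record: bytes) -> list:
    """List the known element identifiers that start each line of a record."""
    ids = []
    for i, chunk in enumerate(record.split(b"\n")):
        if i == 0:
            # First line still carries header bytes; the first element follows the last subfile designator.
            pos = max(chunk.rfind(b"DL"), chunk.rfind(b"ID"))
            chunk = chunk[pos + 2:] if pos >= 0 else b""
        ident = chunk[:3].decode("ascii", "replace")
        if ident in AAMVA_ELEMENTS:
            ids.append(ident)
    return ids


def scan_buffer(buf: bytes) -> list:
    """Return one finding per AAMVA header in buf (offset, IIN, element IDs, severity)."""
    heads = list(HEADER_RE.finditer(buf))
    findings = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(buf)
        record = buf[m.end():end].replace(b"\r", b"\n")
        ids = _element_ids(record)
        # License number plus date of birth is enough for identity fraud, so rate it higher.
        sev = "high" if {"DAQ", "DBB"} <= set(ids) else "medium"
        findings.append({"offset": m.start(), "iin": m.group(1).decode(),
                         "elements": ids, "severity": sev})
    return findings


# Constructed sample: a dump fragment with junk bytes around one fictitious record.
SAMPLE_DUMP = (
    b"\x00\x00noise\x00@\n\x1e\rANSI 636014080102DL00410278ZC03190024"
    b"DLDAQD1234562\nDCSSAMPLE\nDDEN\nDACJANE\nDDFN\nDADNONE\nDDGN\n"
    b"DBB01011980\nDBC2\nDAU068 in\nDAYBRO\nDAZBLK\nDAG123 MAIN ST\n"
    b"DAIANYTOWN\nDAJCA\nDAK123450000  \rZCZCAY\nZCBBLK\r\x00trailing"
)

if __name__ == "__main__":
    print(scan_buffer(SAMPLE_DUMP))
```

A bare "ANSI 636" string without the compliance header is deliberately not flagged, which keeps the check from firing on ordinary text that merely mentions the standard.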

The virus uses a multi-stage deployment mechanism that ensures a high infection rate. The evolved variants may also feature stealth features that prevent detection by anti-virus products. In addition, the programmers appear to be familiar with how enterprise networks are laid out in both large businesses and small and medium-sized organizations. According to the researchers, the RawPOS malware is also fault-tolerant and persistent in its infections. Since its inception it has continuously been used to generate income for its operators.

Consequences Of A RawPOS Malware Infection

The newest version of the RawPOS malware is able to gather a large variety of information from both ID and payment cards. Identity theft is one of the most serious crimes, and viruses such as this are a primary source of the information it requires. It is very likely that the programmers behind it will update the code further.

As always, we highly recommend that all users use a quality anti-malware solution to protect themselves from intrusion attempts, as well as to remove active infections with a few mouse clicks.



Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
