Security Researchers Warn of New, Stealthy Malware to Steal Card Data

Advertisement
By Andrea Peterson, The Washington Post | Updated: 25 November 2015 10:04 IST
Just as millions of Americans are steeling themselves for the holiday shopping season, cyber-security researchers are warning about a stealthy malware aimed at stealing credit card and debit card numbers from retailers.

Cybersecurity firm iSight Partners on Tuesday revealed research about the malware, dubbed ModPOS, which the company says is largely undetectable by current antivirus scans. The firm declined to name specific victims of the threat, but it said its investigation uncovered infections at "national retailers."

The revelation comes as the retail industry is reeling from a wave of breaches uncovered since Target was hit during the 2013 holiday season.

Advertisement

"It's the most sophisticated point-of-sale malware we've seen to date," said Maria Noboa, an iSight senior threat analyst. Instead of being just one piece of software, it's a complex framework of multiple modules and plug-ins. Those parts combine to collect a lot of detailed information about a company, including payment information and personal log-in credentials of executives, she said.

The company has been tracking the malware for two years, Noboa said. But the process has been difficult because it goes to great lengths to hide itself, relying on techniques such as encryption - a common digital security tool that scrambles data - to slip past investigators, she said.

"We didn't really even know what we were looking at initially because it's so complex," she said.

In recent months, the company coordinated with the Retail Cyber Intelligence Sharing Center (R-CISC) to warn the industry about the threats.

Advertisement

Information sharing has been significant for retailers fending off cyberthreats, said Tom Litchford, vice president of retail technology for the National Retail Federation - but so have efforts to limit the amount of consumer information that retailers' systems can see.

"We have pretty sophisticated criminals out there - and as long as we have data they can monetize, they're going to try to go after it," he said.

Advertisement

One way the companies try to limit their exposure is using more advanced forms of encryption to protect consumer data. With one method, known as point-to-point encryption, a consumer's payment card data is unlocked only after it reaches the payment processor, he said.

A survey of NRF's members found that 41 percent had such a system in place by the end of September, he said, and the group expects that figure to rise to 85 percent by the end of the year.

Advertisement

Security experts warn that without such protections, even new credit cards with a chip technology known as EMV could still be compromised by infected point-of-sale systems. That's because even with the new technology - which was rolled out to improve security - stolen card data could still be used for fraud in situations where a card is not physically present, such as online purchases.

Noboa considers fully encrypted transactions an important part of fully protecting EMV payment systems, but she warned that consumers have no way to know whether a company is using the technology. The spying powers of ModPOS mean that customers may still be at risk if their data is handled by a business infected with the malware, because it is "able to do so many things," she said.

Noboa said the company is going public about the malware to warn shoppers before the holiday season is in full force.

Target spokeswoman Molly Snyder said the company doesn't typically discuss reports on specific malware types. But, she said, the company recognizes "that cyberthreats are continually evolving" and has "teams of experts that work around the clock to continually help protect the company and our guests."

That's a sentiment echoed by many within the industry.

"We're in a heightened state of awareness," said R-CISC executive director Brian Engle. "The holiday season is key for retailers."

© 2015 The Washington Post

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. Amazon Prime Day 2026 Sale Is Live: Best Tech Deals
  2. Best Mobiles Under Rs. 30,000 in India
  3. Best 5G Phones Under Rs. 15,000 With Long Battery Life in India
  1. Boat Stone 900 Launched in India With Up to 80W Sound Output, Up to 15 Hours Audio Playback: Price, Features
  2. Cyberpunk 2077 Has Sold 40 Million Copies, CD Projekt Red Confirms
  3. Nothing Phone 1 Receives Final Software Update With Latest Security Patches, Bug Fixes and Improvements
  4. Nokia 235 4G (2026), 215 4G (2026) Launched Alongside Nokia 210 4G, and 200 4G With AI Assistant Button
  5. Samsung Galaxy S27 Ultra Battery Details Leaked; Could Top iPhone 18 Pro Max's Battery Capacity
  6. OnePlus Ace 7 Series Tipped to Feature 185Hz Display, 9,000mAh Battery
  7. WhatsApp Rolls Out Primary Device Support on iPad, Tests New Setup Screen for Android Tablets: Report
  8. Government Directs App Stores to Remove Malicious Apps Used to Disrupt E-Rickshaw Operations: Report
  9. Sony Reportedly Restructures Disc Factory After Announcing End of Physical Game Discs on PlayStation
  10. Maharashtra Legislature Passes Amendment to Bring Virtual Digital Assets Under Depositor Protection Law
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.