400% increase in POS malware variants across US Thanksgiving weekend.
400% increase in POS malware variants across US Thanksgiving weekend.

Researchers from Proofpoint have released a blog post detailing a 400 percent increase in activity from some Point-of-Sale (POS) malware variants across the Thanksgiving weekend.

The researchers wrote, “Point-of-Sale malware made headlines in 2013 with high-profile retail breaches that exposed millions of credit cards. POS malware is specifically designed to infect payment terminals at retailers, hotels, restaurants, and elsewhere. Traditionally, POS malware has scraped credit and debit card information from magnetic stripe readers or from memory on the terminals.”

The blogpost detailed a 3-4x increase in data exfiltration traffic related to ZeusPOS and NewPOSthings variants increased over the weekend, adding, “while traffic associated with Black Friday was expected, the spikes were dramatic.”

Although the spike in network activity around the Thanksgiving holiday was noteworthy, a look at overall traffic patterns since the beginning of the year tells an equally important story:

Like other forms of malware, PoS malware activity tends to be concentrated around a few dominant variants, even as minor variants continue to make the rounds and wait in the wings to become "the next big thing".

Major variants are often related by shared infrastructure or actors that move from using one variant to another, as happened with Dridex and Locky in the banking Trojan and ransomware spaces.

Establishing these relationships helps organisations better defend against PoS malware by observing similarities in C&C check-ins, infection methods, etc.

Proofpoint said: “Point-of-Sale malware continues to be distributed and operate at relatively high volumes. This isn't surprising given the potentially large payouts for threat actors if they can capture large numbers of credit cards.”

Even as the payment industry works to ensure PCI compliance, and moves toward more secure credit card transactions with chip and PIN technologies, Proofpoint said that PoS malware is evolving to work around these new barriers.

Concluding, Proofpoint said: “At the same time, threat actors are innovating to deliver their payloads more effectively, diversify their approaches, or even cash in on simple credential phishing using retail brands as the lure.”