IT World Canada

RawPOS malware checking in at a hotel near you

Image from

As the convention season hits its stride and tens of thousands of technology and business professionals are poised to fly into cities like Las Vegas, Orlando, New York and Toronto, it might be useful to known that a new version of a malware that targets point of sales (POS) systems has likely checked-in at your hotel as well.

The software company Trend Micro is warning that RawPOS, a variant of a memory scraper POS malware that dates back to 2008, has been victimizing guests in casinos, resorts and hotels in the last few weeks in Canada, United States, Europe, the Middle East and Latin America.

An earlier security alert from credit card company Visa, said that the master is “typically clustered in three files” and that there is not standard infection method for the malware.

“Once a vulnerable POS system is identified, various components of the malware are used to discover track data by only targeting the “memdump” portion of a Windows system,” the alert said. “A memory dump can be the contents of memory on a system and where cardholder data temporarily resides during a payment transaction.”

There is also no common method of exfiltration associated with the malware. However, Visa said, “infected merchants observed payment card data sitting on non-POS systems, suggesting attackers stage the stolen data elsewhere on the network prior to exfiltration.”

Trend Micro said RawPOS has a modular design and that it is highly configurable and has always been a multi-stage scraper Here are several key characteristics of its design:

Visa recommends the following steps to mitigate risks:

RawPOS is notable for its support for multiple PoS software, according to Trend Micro. Since business establishments would have a different PoS software, attackers have modified RawPOS’ code to support multiple PoS software over time.

Below is a table showing the different PoS software that is supported by RawPOS: