'Most complex malware ever': Security experts smash system that stole cash from millions

© Issei Kato
Security experts have exposed a cash register malware of previously unseen complexity and secretiveness. It is unknown who created the virus and profited from it, but it has been stealing personal data for years, affecting millions of people.

Malware, or ‘malicious software’, is software that is used to disrupt computer systems or gather secret or sensitive information from them.  

The malware in question, dubbed ModPOS (for Modular Point Of Sale), has been exposed by security experts from cyber intel firm iSight, who say they’ve seen nothing like it in eight years of exploring malicious point-of-sale (POS) software.

It took three weeks of constant work for the researchers to perform reverse engineering of the ‘scumware’, compared to the no more than half an hour usually needed to crack most POS malware.

“This is POS malware on steroids. We have been examining POS malware…for at least the last eight years, and we have never seen this level of sophistication in terms of development… [Engineers say] it is the most sophisticated framework they have ever put their hands on,” Steve Ward from iSight told The Register.

The ModPOS malware is “wrapped” in multiple layers of encryption to obfuscate its tracks, so when the malware uploads cypher data to a remote server, it becomes next to impossible to find out exactly what data was stolen.

And it is not only the encryption that makes ModPOS so sophisticated. To fish out holders' personal data at the moment when the credentials pass through an electronic point-of-sale device, such as a cash register, the malware also uses a combination of tricks like ‘key-logging’, ‘network monitoring’ and ‘RAM scraping’, Gizmodo reports.

The report presented by iSight maintains that ModPOS has been active in the US since 2013 - enough time to steal personal data from “multiple millions” of both debit and credit card holders.

iSight has not revealed how many US companies have been affected by the malware, only saying that so far researchers have briefed some 80 American companies on the issue.

READ MORE: Compromised: Mysterious malware found in new police body cams

It is believed that transactions performed by swiping a card’s magnetic strip as well as the more secure ‘chip-and-pin system’ are equally vulnerable to the ModPOS malware.

The number of point-of-sale devices infected with the newly exposed malware also remains unknown.