BlackPOS, also known as Kaptoxa, is a point-of-sale malware program designed to be installed in a point of sale (POS) system to scrape data from debit and credit cards. BlackPOS was used in the Target Corporation data breach of 2013.[1] [2]
The BlackPOS program first surfaced in early 2013[3] and affected many Australian, American, and Canadian companies using point-of-sale systems, such as Target and Neiman Marcus. The program was originally created by 23-year-old Rinat Shabayev and later developed by 17-year-old Sergey Taraspov, better known by his online name, 'ree4'.[4] The original version of BlackPOS was sold on online black market forums by Taraspov, under the name "Dump Memory Grabber by Ree", for around $2000.[5] The name BlackPOS was found in the software's administration panel.[3]
BlackPOS infects computers running on Microsoft Windows that have credit card readers connected to them and are part of a POS system.[6] After installation, the program attaches to the pos.exe process and scans its memory for track 1 and track 2 payment card data.[7] The data is then exfiltrated via SMB to a server within the company, where another component collects it and sends it to the attacker via FTP.[7]
BlackPOS only sends stolen information during business hours, to avoid raising suspicion by generating network traffic at unusual times.[8]
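The two-stage exfiltration path described above (POS terminal to an internal staging server over SMB, then staging server to the attacker over FTP) is something a defender can look for in network flow logs without relying on time of day, which matters because the malware deliberately keeps its traffic inside business hours. The following is an added example, not code from the page or from any analysis of BlackPOS; the flow records, subnet, allowed destination and IP addresses are all constructed and hypothetical.

```python
"""Flag the SMB-staging-then-FTP-egress pattern in flow logs.

Added example for this article; all hosts, subnets and flow records below
are constructed and hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed sample flows: "timestamp src dst dport bytes".
# 10.20.1.0/24 is the assumed register VLAN, 10.20.1.5 the assumed
# legitimate store/payment server, 10.20.9.40 an internal server that
# should never receive bulk SMB writes from registers.
SAMPLE_FLOWS = """\
2013-11-27T10:15:02 10.20.1.11 10.20.1.5 443 1200
2013-11-27T10:16:40 10.20.1.11 10.20.9.40 445 524288
2013-11-27T11:02:10 10.20.1.12 10.20.9.40 445 498000
2013-11-27T14:30:00 10.20.9.40 203.0.113.8 21 1310720
2013-11-27T14:31:15 10.20.9.40 10.20.9.2 445 2048
"""

POS_SUBNET = ip_network("10.20.1.0/24")      # assumed register VLAN
ALLOWED_POS_DESTS = {"10.20.1.5"}            # assumed legitimate SMB peer for registers
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed corporate address space


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the whitespace-separated sample format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def is_internal(addr: str, internal_nets: list[IPv4Network]) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in internal_nets)


def detect_staging_chain(flows, pos_subnet, allowed_pos_dests, internal_nets):
    """Return (rule, src, dst) findings.

    Rule 1: a register writes over SMB (445) to a host that is not an
            approved destination; that host is remembered as a suspected
            staging server.
    Rule 2: FTP (21) to an external address; if the source was previously
            seen as a staging server, the finding is escalated. Time of day
            is deliberately not a factor: the traffic is timed to blend in.
    """
    findings = []
    staging_hosts = set()
    for f in sorted(flows, key=lambda f: f.ts):
        if (ip_address(f.src) in pos_subnet and f.dport == 445
                and f.dst not in allowed_pos_dests):
            findings.append(("pos_smb_to_unexpected_host", f.src, f.dst))
            staging_hosts.add(f.dst)
        if f.dport == 21 and not is_internal(f.dst, internal_nets):
            rule = "staging_host_ftp_egress" if f.src in staging_hosts else "ftp_egress"
            findings.append((rule, f.src, f.dst))
    return findings


def run_sample():
    """Run the detector over the constructed sample flows."""
    return detect_staging_chain(parse_flows(SAMPLE_FLOWS), POS_SUBNET,
                                ALLOWED_POS_DESTS, INTERNAL_NETS)


if __name__ == "__main__":
    for rule, src, dst in run_sample():
        print(f"{rule}: {src} -> {dst}")
```

The detector keys on topology rather than timing: registers have a short list of hosts they legitimately talk to, and an internal server that both collects SMB writes from registers and then opens FTP to the outside is the chain the article describes. An off-hours traffic heuristic would miss this sample entirely, since every flow falls within business hours.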
BlackPOS has been used to steal customer information from businesses worldwide. The most well-known attack was the 2013 Target security breach.
During the Thanksgiving break of November 2013, Target's POS system was infected with the BlackPOS malware. It was not until mid-December that the company became aware of the breach. The attackers gained access to Target's systems by compromising a company web server and uploading the BlackPOS software to Target's POS systems. As a result of this attack, data on more than 40 million customer credit and debit cards, and more than 70 million records of addresses, phone numbers, names, and other personal information, were stolen. About 1800 U.S. Target stores were affected by the malware attack.[9]
Neiman Marcus, another well-known retailer, was affected as well. Their POS system was said to have been infected in early July 2013 and was not fully contained until January 2014. The breach is believed to have involved 1.1 million credit and debit cards over the span of several months. Although credit and debit card information was compromised, Neiman Marcus issued a statement saying that Social Security Numbers and birthdates were not affected.[10] [11]
Other affected companies included UPS and Home Depot.[12] [13]