Skip to main content

New Card-Stealing Malware Threatens Holiday Shopping

Credit: keren-seg/Shutterstock

(Image credit: keren-seg/Shutterstock)

Just in time for the holiday shopping craze, security experts have identified a new strain of point-of-sale malware. Called Getmypass, the malicious software steals credit- and debit-card information at physical retail locations. It was unknown to 55 top antivirus programs the day before Thanksgiving (Nov. 26); more than 20 recognize it as of today (Dec. 1), but that's cold comfort to anyone whose card may have been stolen on Black Friday.

Getmypass seems to be still in development, so it may not have been able to fully capitalize on that head start. Still, shoppers should be cautious, especially as Getmypass is similar to BlackPOS, the malware used in the massive Target data breach that began on Black Friday a year ago.

MORE: How to Survive a Data Breach

Getmypass is a RAM scraper designed to infect point-of-sale devices such as payment-card readers. It "scrapes" the card reader's running memory, or RAM, for card data immediately after the customer card swipe. (The data is almost immediately encrypted, but that split second is all the RAM scraper needs.) The pieces of malware used in the Target and Home Depot data breaches were also RAM scrapers.

Nick Hoffman of the blog Security Kitten discovered and named Getmypass (after a password buried in the code) last Wednesday, and researchers at security software company Trend Micro followed with their own analysis on Thanksgiving. Hoffman ran the malware's hash, or digital fingerprint, through the 55 antivirus screeners on free malware-analysis website VirusTotal and got no results -- none recognized the malware.

In real-life scenarios, many antivirus programs would have discovered Getmypass through behavioral analysis, although the malware has a trick  up its sleeve to fool at least some of them: a valid-seeming digital certificate of authenticity from a publisher named "Bargaining Active."

Right now, 21 of 56 antivirus screeners recognize Getmypass, and that number will only increase. The fact that it initially went undetected may be cause for concern, but while the malware can steal card data, Hoffman and Trend Micro found that it is missing the abilities to log keystrokes, collect login credentials or even move card data to a remote server.

"This malware seems to be in its infancy," wrote Hoffman. "There are debug strings still existent in the malware [that indicates] to me that the author is still testing the tool or is still actively developing it."

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+Follow us @tomsguide, on Facebook and on Google+.