Retailers searching for near-undetectable malware

Retailers are scanning checkout systems for what one security firm is calling the “most sophisticated” point-of-sale malware it has ever seen.

iSight Partners on Tuesday released a report detailing a bug that buries itself deep within a payment-card reader, making it undetectable to most antivirus software.

The nefarious tool — known as “modular point-of-sale,” or ModPOS — is even encrypted, meaning that if it is uncovered, it’s hard for companies to tell if it is malicious.

ModPOS is “complex” and “highly functional,” said iSight Senior Director Stephen Ward in a blog post, adding that it “places a very heavy emphasis on obfuscation and persistence.”

Researchers said the cyber criminals had been using this malware to target retailers since at least 2013.

But retailers, credit card companies and payment processors are under a major time crunch to suss out ModPOS ahead of Black Friday, the day after Thanksgiving that unofficially marks the beginning of the holiday shopping season.

During the 2013 holiday shopping season, Target was felled by a major data breach from which the company is still recovering. Home Depot was later hit by an even bigger breach. Both incidents compromised tens of millions of payment card numbers.

The Retail Cyber Intelligence Sharing Center (R-CISC), an industry group established this year to combat cyber threats, told Reuters that companies have seen evidence of ModPOS.

The R-CISC comprises several dozen members, including Gap, Lowe’s and Walgreens.

“I couldn’t tell you who is most likely to be compromised by this,” Wendy Nather, R-CISC director of research, told Reuters. “But if it were harmless, we wouldn’t even be talking about it.”

Indeed, iSight researchers said ModPOS is capable of hundreds of nefarious actions, vastly superior to most types of point-of-sale malware, which historically are designed to scrape payment card data off of a cash register. In addition to that function, ModPOS can further infiltrate a company’s network and target other types of valuable data.

“In a nutshell, this is not your daddy’s run-of-the-mill cyber crime malware,” Ward said.


Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
