Swipe away, we're watching you

Wednesday 24 September 16:30 - 17:00, Green room.

Hong Kei Chan Fortinet
Liang Huang Fortinet

   This paper is available online (HTML, PDF).

  download slides (PDF)

Point-of-sale (POS) malware has been hitting the headlines recently. In December 2013, Target confirmed a POS data breach, reporting the compromise of an estimated 40 million credit card and debit card accounts. Recently, a new strain of POS malware, named JackPOS, has reportedly compromised over 4,500 credit cards in the United States and Canada.

POS memory parsing malware is not new technology; AV vendors have been detecting such malware since 2008-2009 under the family name Trackr or Alina. The earlier variants only had basic functionality, but over the years they have evolved to include additional features such as bot and network functionality, keyloggers and screen captures. Today, there are a number of POS malware families and variants: Dexter, BlackPOS, JackPOS, Chewbacca, Citadel and Decebal to name just a few.

Each POS malware family has its own unique capabilities, but as memory parsing malware they all perform three main functions:

  • Dump the memory of running processes
  • Scan and extract credit card information
  • Exfiltrate the stolen information to a C&C server.

In this presentation, we will compare a few POS malware families: Dexter, BlackPOS and Chewbacca, in terms of how they scan and extract credit card information, and the method in which the stolen information is sent to the C&C server. By highlighting the similarities and differences between these families, we hope to provide an accurate timeline of POS malware evolution.

Hong Kei Chan

Hong Kei Chan

Hong Kei Chan obtained his Bachelor's degree in electrical engineering from the University of British Columbia in 2013. He joined Fortinet Technologies soon afterwards as a junior anti-virus analyst. In the past year, he has completed an internal training program, gaining experience in reverse engineering and debugging. He is very interested in anti-virus techniques, tracking botnets and analysing exploits, and has contributed to Fortinet's security research blog. He enjoys the outdoors: dragon boating in the summer and snowboarding in the winter.

Liang Huang

Liang Huang

Liang Huang is a team lead in Fortinet Technologies' anti-virus R&D department. He has more than seven years of malware reverse-engineering experience, specializing in tracking botnets, debugging, and unpacking custom packers. He has developed the company's internal anti-virus training program, and has run it for the past 4 years.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.