Security experts at Trend Micro have spotted a new variant of the RawPOS PoS malware stealing driver’s license information from victims.
The RawPOS PoS malware is an old threat that has been active since 2008. RAWPOS is a memory scraper that has infected lodging merchants since 2008 by targeting the memory dump where payment information may be temporarily stored, and that data are staged on a network and removed later by a separate process.
The malicious code was mainly used against targets in the hospitality industry, aver the time crooks used it to steal also additional information from victims.
Back to the present, crooks steal driver’s license information for several fraudulent activities. According to Trend Micro, the version of the RawPOS PoS malware recently spotted attempts to gather both credit card mag stripe data and other valuable information in a single sweep.
“Traditionally, PoS threats look for credit card mag stripe data and use other components such as keyloggers and backdoors to get other valuable information. RawPOS attempts to gather both in one go, cleverly modifying the regex string to capture the needed data.” reads the analysis published by TrendMicro.
The RawPOS PoS malware uses regular expressions to scan processes for strings that look like data stored in the magnetic stripe in order to find “track data”-like strings in memory.
The analysis of the regular expressions used by the threat demonstrates that starting from 2016 the malware scans memory for “drivers” and “license” strings, as well as for an “ANSI 636” string (“636” are the initial digits of the Issuer Identification Number (IIN) for most US states).
Crooks behind the last variant of the PoS malware were interested in driver’s license information belonging to US citizens.
“The Information stored in each license varies per state, but the bar code mostly contains the same information present in each individual driver’s license or state ID – specifically: full name, date of birth, full address, gender, height, even hair and eye color,” continues Trend Micro.
Researchers explained that driver’s license barcode could get scanned in many commercial activities, including pharmacies, retail shops, bars, and casinos.
The availability of personal information along with credit card data provides threat actors with a more “authentic” identity.
“Combining personal information combined with credit card information gives threat actors a more “authentic” identity, and also provides all the information necessary to complete a transaction despite the lack of a physical card. “concluded Trend Micro.” Aside from this, the driver’s license bar code swipe of the victims can also be used for other kinds of misrepresentation, such as identity theft. ”
(Security Affairs – RawPOS PoS Malware, malware)