A point-of-sale malware that steals payment card data has resurfaced after a few years with a diabolical twist — it cleans up its crime scene, making it difficult for businesses to realize their networks are infected.
Calling the point-of-sale malware "Cherry Picker," security vendor and forensics investigator Trustwave is alerting merchants and business owners who accept credit card payments through Windows-based systems to be aware of the fraudsters' latest ploys.
Researchers at Chicago-based Trustwave first discovered the malware in 2011, but it was not particularly complicated and security organizations were not making attack vectors public as often as they do today.
"We recently ran across it again; it had become much more complicated, with added parts like encryption to make it hard to know what card data they stole," said Eric Merritt, a security researcher at Trustwave who is combating Cherry Picker attacks at a client business.
"The ability to clean itself up and cover its tracks is not something you see in the POS world," Merritt said. "Typically, once the hackers are done, they jet out of there with their credit cards."
Instead, Cherry Picker goes back through its process to erase its steps. "They are interested in not getting caught and staying in the system," Merritt added. "Generally, many of them don't care about that."
The malware gets its name from the basketball term "cherry picker," the player who doesn't play defense and stays at the other end of the floor just to score an easy basket. In this case, the malware is doing the same thing, Merritt said, because it has one specific goal in mind — to steal card data.
"This malware didn't bother with anything else in the system," he added. "It wasn't trying to hide and it was just interested in the process of stealing cards."
Cherry Picker doesn't enter into a network in any specific manner, Merritt said.
Like any malware, it finds the path of least resistance: weak passwords, employees clicking on unfamiliar Web sites, anti-virus software that is not running, or employees reusing the same passwords across multiple networks.
Even though Cherry Picker is more difficult than most malware to detect, Merritt said, "There is always some way to find out if they [fraudsters] were there in the POS."