In a big environment or in a mature environment, there have been repeated and known attacks against the point of sales system and are believed to be multi-staged. It is multi-staged in the sense that on the first part the attacker needs to gain access to the victim’s network. This usually happens when they access an associated network and not direct. Then they traverse the network, which ultimately leads to accessing the POS systems.

Once they gained access to the POS systems, they install a malware in order to steal the data. A POS system is highly unlikely to have an external network access, the stolen data that was accessed will then be sent to an internal staging server as they call it, which ultimately leads to the exfiltration of the data from the victim’s network and towards the attacker’s.

Infiltrating the System

Unfortunately, there are various ways for the thief to use in order to access the corporate network. They always scan for weaknesses in their external-facing systems like using SQL injections on a web server or finding a periphery device that still uses the default password that came from the manufacturer. However, they can still attack from within your network. How? Well, they use a phishing email to a staff in the organization and this phishing email can contain malicious attachments or even lead you to a link of a website which is called a backdoor program that latches onto the victim’s computer.

Network Traversal

As soon as the malicious program has already infiltrated the system, the hackers then concentrate in gaining access to their main target, which are the Point of Sales systems. How they attack varies as they use tools to help them map out the network to be able to locate the systems within the central database. The basic and simplest method to access is by taking the login credentials of the user, but if not, they will look for ways to hack into the system vulnerabilities.

So how do the passwords get hacked into these systems? They usually use keylogging Trojans, cracks, resending login sequences or a password-hash extraction. Some attackers would gain access to the domain controller of the POS system, which can give them the rights to connect to all the computers in the network. As soon as they get in control, they will gain access to the central database system and the rest is history.

The Use of Data Stealing Tools

The malwares’ purpose is to steal data from the POS systems and you can get these malwares in the black market. When a credit card data is stolen, hackers use these network-sniffing tools as they traverse the internal unencrypted networks. Others uses a RAM-scraping malware to collect these credit card numbers as they go inside the computer memory. As soon as it finished gathering the data, it then stores locally in the form of a file until exfiltration is performed.

Persistence and Stealth

Because these hackers are targeting the POS systems, it takes time to gather these data and that their code needs to remain persistent on the target terminal. Malware persistence can be met with using some simple techniques to make sure that the malware always runs in the background and restarts when the terminal restarts.


At times, the attackers may or may not hijack an internal system to act as their staging server. What happens in this stage is that, they will try to identify the server that communicates regularly with the POS systems and hitches on the normal communications in order not to get detected. So any data sniffed of the RAM-scraping malware will then be directed to the staging server where all is stored and in a certain specific time, transmits to the hacker.

Pretty intricate how people go through all the lengths in hacking the POS systems because there is a gold mine of stolen credit card numbers in the black market. You are strongly advice to liaise with your point of sales provider to secure your machines and prevent any instances of getting hacked.