Skip to main content

The JackPOS malware code has targeted point-of-sale credit card terminals around the world.ISSEI KATO/Reuters

A new strain of computer malware infecting payment card terminals in restaurant and gas station has compromised nearly 700 credit cards in Canada, a computer security firm says.

The viral code, JackPOS, infects point-of-sales terminals, a security breach similar to other highly publicized recent cases that struck victims such as the Target retailing chain or the White Lodging hotel management firm.

According to a map released Monday by the California security firm IntelCrawler LLC, JackPOS stole data from 400 cards in Vancouver and from 280 other cards at a location in Longueuil, Que., south of Montreal.

IntelCrawler said the infection appeared about three weeks ago.

In an e-mail to The Globe and Mail, IntelCrawler CEO Andrew Komarov said the point-of-sales terminals were breached through remote access, by hackers who created a large list of possible passwords (such as POS1, Administrator or 123456789) and then "brute-forced" themselves into the systems.

"It provides them good results, as the security in this sector is surprisingly really very poor," M. Komarov wrote.

Other countries affected by JackPOS include Brazil, where data for 3,000 cards in Sao Paulo were stolen; India, where 420 cards were compromised in Bangalore; and Spain, where 230 cards were pirated in Madrid.

The two outbreaks in Canada likely happened at a gas station, said Richard Henderson, a Vancouver-based security strategist for Fortinet's Threat Research Labs.

"In Canada we're lucky that the vast majority of our transactions done day-to-day are with chip-and-PIN, which are much more secure," he said, adding however that some gas stations' pumps are still relying on the old magnetic-swipe method that is more vulnerable to hacking.

JackPOS appears to be a variation of a previous malware, Alina. Both are known as RAM scrapers, which capture card data when it is transmitted from the sales terminal to a payment-processing centre.

Mr. Henderson said JackPOS's key feature is its ability to hide on a machine by pretending to be a version of Java, a programming platform used by some computer applications.

"That's a really neat obfuscation technique by the malware to make it look like it's a legitimate piece of software."

According to a global security report by the anti-cybercrime firm Trustwave, victims of point-of-sale hacking tend to be merchants or franchises who have to outsource their IT work and rely on contractors who access their systems remotely. Weak passwords and remote access make it easier for hackers to breach POS systems.

Most of the breaches can be attributed to three criminal groups, with the data being dumped in Russia, Ukraine or Romania, the Trustwave report said.

The rollout of chip-and-PIN cards in Canada and Europe have made fraud harder. However, the report said cyber-thieves still go after POS targets in hotels and premium retailers, because those businesses attract an international clientele that does not have chip-and-PIN cards.