
Q&A: A New Point-of-Sale Malware Family Named Punkey

In conjunction with a U.S. Secret Service investigation, Trustwave SpiderLabs researchers have unearthed a new family of point-of-sale (POS) malware.

POS malware is a sinister and often difficult-to-detect threat that preys on retailers running Windows-based payment terminals. This menace has been around for many years, but has now become the preferred fraud method by which cybercriminals fleece retailers of huge amounts of payment card data. The newly discovered POS malware family is called Punkey - a name inspired by a combination of the code's functionality and the 1980s sitcom "Punky Brewster".

We asked Trustwave Threat Intelligence Manager Karl Sigler to help us better understand the malware's capabilities and steps organizations can take to detect and prevent it and similar threats.


Q: What is Punkey and how does it make it onto POS systems in the first place?

A: Punkey is a family of POS malware that infects point-of-sale systems to steal payment card information. Typically Punkey would be installed by exploiting easy-to-crack passwords used for remote access software on the POS systems or through cashiers using the POS system to browse malicious websites or open phishing emails.


Q: Once the malware has infected a POS system, like a credit card reader or cash register, what does it do? How does it steal card numbers?

A: Once installed, Punkey hides itself as a part of Explorer, one of Windows' primary processes. Like a lot of POS malware, Punkey uses memory scraping to grab credit card data and keylogging to capture anything typed into the infected system. The stolen data is then sent back to a command-and-control (C&C) server to be collected by the criminals.


Q: How difficult is it to detect/remove Punkey?

A: Punkey is not hard to remove once you know what to look for. Now that we've been able to analyze the malware and make our findings public, organizations should be able to use standard anti-malware solutions to detect and remove Punkey. Our research team has also published specific indicators, such as the files used by the malware as well as network traffic samples that security teams can use to discover and eradicate Punkey from their systems.


Q: How widespread is Punkey?

A: Not horribly widespread yet. It's pretty targeted. The C&C instance we investigated had 75 instances of Punkey reporting to it, so that means around 75 infected POS systems most likely.


Q: In terms of its functionality, how does it compare to previously discovered POS malware?

A: Punkey is a bit more advanced than most of your typical POS malware. Most POS malware doesn't bother to hide itself using similar injection and encryption techniques. Punkey also maintains regular communication with a C&C server, not just to upload stolen payment card data, but also to download updated versions of itself and any additional malware the criminals behind it may decide to use.


Q: Why has POS malware seemingly become such a big threat over the past 12 to 18 months, and is there any slowing it down?

A: Criminals follow the money, and infecting a POS terminal that might swipe thousands of payment cards is a very lucrative avenue for them. Hopefully protections being put in place like chip-and-PIN-based cards and point-to-point encryption will force criminals to look elsewhere.


Q: What can organizations, like retailers, do to protect themselves from this threat and others like it?

A: Organizations - or their security partner, such as a managed security services provider - should run updated anti-virus and intrusion detection system solutions, as well as monitor their networks for anomalous traffic. Organizations should also educate their employees to follow best security practices, such as only using POS systems for what they are intended for and not browsing the web, checking email, playing video games, etc. For POS systems that use remote access control technology, organizations should ensure that the software is kept up to date and can be accessed only with strong passwords or two-factor authentication.


Q: And finally, why is it called "Punkey"?

A: The malware uses a variable called 'unkey' to send the data to the C&C server, and the data is sent using an 'HTTP POST' command. So Punkey is a portmanteau of 'POST' and 'UNKEY': P(ost)unkey, or Punkey. And that's a name that might ring a bell.
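The network indicator just described (an HTTP POST whose form body carries a parameter named 'unkey') is the kind of thing a security team can turn into a simple traffic check. The following is an added example, not code from the original post or from Trustwave: it parses raw HTTP/1.x requests and flags POSTs whose URL-encoded body contains that field. Only the field name 'unkey' comes from the interview; the hostnames, paths and request contents below are constructed for illustration.

```python
"""Flag HTTP POST requests whose form body carries a field named 'unkey'.

Added example (not from the original post). The field name 'unkey' is the
indicator given in the interview; every host, path and value below is a
constructed sample, not a real indicator.
"""
from urllib.parse import parse_qs

# Form-field names treated as a Punkey indicator (from the interview).
SUSPECT_FIELDS = {"unkey"}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Headers are lower-cased so lookups are case-insensitive; the body is
    returned as bytes exactly as it appeared on the wire.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def is_suspect_post(raw: bytes) -> bool:
    """True if the request is a URL-encoded POST containing a suspect field."""
    method, _path, headers, body = parse_http_request(raw)
    if method != "POST":
        return False
    content_type = headers.get("content-type", "")
    if not content_type.startswith("application/x-www-form-urlencoded"):
        return False
    # keep_blank_values so 'unkey=' with an empty value is still caught.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return bool(SUSPECT_FIELDS & set(fields))


def scan_requests(requests):
    """Return the indices of requests that match the indicator."""
    return [i for i, req in enumerate(requests) if is_suspect_post(req)]


# Constructed sample traffic: one C&C-style upload, one ordinary GET,
# one legitimate POST that must not be flagged.
SAMPLE_REQUESTS = [
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: c2.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 24\r\n\r\n"
    b"unkey=QUJDREVG&id=host01",
    b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"user=alice&pass=secret",
]

if __name__ == "__main__":
    print("suspect request indices:", scan_requests(SAMPLE_REQUESTS))
```

The check is deliberately narrow: it keys on the field name rather than the destination, because the interview notes that the C&C server changes while the upload format is what gave the malware its name. A later variant could rename the field, so a rule like this belongs alongside the file-based indicators the research team published, not in place of them.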

For more information about combating point-of-sale attacks, check out this blog or download this white paper from SpiderLabs. In addition, if you'll be at the RSA Conference 2015 in San Francisco, Trustwave Vice President of Managed Security Testing Charles Henderson is scheduled to present on the topic of POS malware.
