
Abstract

Wednesday 24 September 16:30 - 17:00, Green room.

Hong Kei Chan (Fortinet), Liang Huang (Fortinet)

This paper is available online (HTML, PDF). Download slides (PDF).

Point-of-sale (POS) malware has been hitting the headlines recently. In December 2013, Target confirmed a POS data breach, reporting the compromise of an estimated 40 million credit card and debit card accounts. Recently, a new strain of POS malware, named JackPOS, has reportedly compromised over 4,500 credit cards in the United States and Canada.

POS memory parsing malware is not new technology; AV vendors have been detecting such malware since 2008-2009 under the family name Trackr or Alina. The earlier variants only had basic functionality, but over the years they have evolved to include additional features such as bot and network functionality, keyloggers and screen captures.

Today, there are a number of POS malware families and variants: Dexter, BlackPOS, JackPOS, Chewbacca, Citadel and Decebal to name just a few. Each POS malware family has its own unique capabilities, but as memory parsing malware they all perform three main functions:

In this presentation, we will compare a few POS malware families: Dexter, BlackPOS and Chewbacca, in terms of how they scan and extract credit card information, and the method in which the stolen information is sent to the C&C server. By highlighting the similarities and differences between these families, we hope to provide an accurate timeline of POS malware evolution.
