Definition

Kaptoxa

Kaptoxa (pronounced kar-toe-sha) is a type of point-of-sale (POS) malware designed to compromise payment information systems. 

Kaptoxa is memory-scraping malware believed to have been used in several retail data security breaches in 2013, including the attack that compromised the payment data of as many as 70 million customers who shopped at Target, the second-largest discount retailer in the United States. Kaptoxa, which is Russian slang for "potato," has also been nicknamed the "potato malware."

Kaptoxa was designed to reside in POS terminals and monitor the data being processed by payment applications. Although payment card security best practices require merchants to encrypt card data at the point of sale, in most cases there is a brief window during payment authorization when the card data sits unencrypted in RAM. That window is when Kaptoxa reads and copies payment card data, including credit and debit card numbers, personal identification numbers (PINs), expiration dates, email addresses, consumer addresses and telephone numbers.

Once copied, the data resides on affected POS terminals for a period of time until it is aggregated to a central location. In the Target breach, the malware checked the local time every seven hours, and if it was between 10:00 a.m. and 5:00 p.m., it would send the information over a temporary NetBIOS share to an internal host inside the compromised network over TCP port 139, 443 or 80. From this host, the attacker used a series of remote FTP transfers to retrieve the stolen data.
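The exfiltration pattern described above lends itself to network-side detection. What follows is an added example, not code from the original page: a small Python checker run over constructed flow records that flags POS terminals writing sizeable blobs to non-POS internal hosts on the ports named here, internal hosts then opening FTP to the outside, and share writes that repeat at whole multiples of the seven-hour cadence. The address ranges, the size threshold and the record format are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not from the original page): "timestamp src dst dst_port bytes".
# Three large writes from one POS host to the same internal host, spaced in whole
# multiples of seven hours, then an FTP transfer from that host to an outside address.
SAMPLE_FLOWS = """
2013-12-02T10:15:03 10.20.1.15 10.10.5.8 139 4201983
2013-12-03T14:15:09 10.20.1.15 10.10.5.8 139 3900112
2013-12-04T11:15:11 10.20.1.15 10.10.5.8 139 3700420
2013-12-02T11:02:11 10.20.1.22 10.10.5.9 443 1200
2013-12-03T02:44:20 10.10.5.8 203.0.113.77 21 8800000
2013-12-02T11:05:00 10.20.1.15 10.20.9.1 443 512
""".strip().splitlines()

INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed corporate address space
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")   # assumed POS terminal VLAN
SHARE_PORTS = {139, 443, 80}                         # ports named for the internal share hop
CADENCE_HOURS = 7                                    # the malware's polling interval
MIN_BYTES = 100_000                                  # assumed noise floor for share writes

def parse(line):
    ts, src, dst, port, nbytes = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(port), int(nbytes))

def detect(lines):
    """Return (rule, src, dst, detail) tuples for flows matching the exfiltration pattern."""
    alerts, hops = [], defaultdict(list)   # hops: (src, dst) -> timestamps of share writes
    for ts, src, dst, port, nbytes in map(parse, lines):
        # Rule 1: a POS terminal pushing a sizeable blob to a non-POS internal host on a
        # share port; terminals have no business writing to arbitrary internal shares.
        if (src in POS_SEGMENT and dst in INTERNAL and dst not in POS_SEGMENT
                and port in SHARE_PORTS and nbytes >= MIN_BYTES):
            alerts.append(("pos-to-internal-share", str(src), str(dst), ts.isoformat()))
            hops[(src, dst)].append(ts)
        # Rule 2: an internal non-POS host opening FTP to an address outside the network.
        elif src in INTERNAL and src not in POS_SEGMENT and dst not in INTERNAL and port == 21:
            alerts.append(("internal-ftp-egress", str(src), str(dst), ts.isoformat()))
    # Rule 3: the same pair repeating share writes at whole multiples of seven hours,
    # which is what a seven-hour timer gated to business hours looks like on the wire.
    for (src, dst), stamps in hops.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(stamps, stamps[1:])]
        ratios = [g / CADENCE_HOURS for g in gaps]
        if len(gaps) >= 2 and all(abs(r - round(r)) < 0.05 for r in ratios):
            alerts.append(("periodic-share-write", str(src), str(dst), f"{len(stamps)} writes"))
    return alerts
```

Calling `detect(SAMPLE_FLOWS)` yields three share-write alerts, one FTP-egress alert and one cadence alert; the small HTTPS flows are left alone.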

A report issued by computer research firm iSIGHT Partners in conjunction with the U.S. Secret Service, Department of Homeland Security and Financial Service Information Sharing and Analysis Center confirmed that Kaptoxa – also known by its file name, "Trojan.POSRAM" – was derived from the BlackPOS malware and was written partially in Russian.

According to a January 2014 iSIGHT analysis, Kaptoxa had a 0% detection rate among the major commercial antimalware products. Target says that none of its 40 commercial antimalware tools flagged Kaptoxa as malicious. It also bypassed more than two dozen antimalware tools employed by federal investigators in their December 2013 analysis, causing them to call Kaptoxa one of the most scalable and sophisticated malware instances in history.


Contributor(s): Sharon Shea
This was last updated in February 2014
Posted by: Margaret Rouse
