[tkmcc]

That's exactly what they do. They'll call ReadProcessMemory() on every process and then use a regex + Luhn algorithm to check for credit card data. I'm sure some of the more advanced and targeted ones do use hooking, and some filter the processes to scrape by name, but a lot of malware authors are surprisingly amateur.

further reading: http://www.trendmicro.com/cloud-content/us/pdfs/security-int...

[ultramancool]

Wow, that's sort of surprising to me. Perhaps just due to having some RE background, though maybe it's not stupid or amateur. It may actually be a better strategy if you want to minimize time in the store (no separate trip to steal the POS software first) and effort (no reverse engineering necessary).