
What was that thing? It looks like all the stores in my area were hit.



In the past there have been a mix of "off-the-shelf" memory scrapers as well as custom-written targeted malware. Generally they'll get inside the network and push out an exe/dll to all of the POS machines from some compromised machine. Depending on how locked down the POS machines are, there are various methods for either getting read access to the POS application process memory or having the dll injected into its memory. From there they find a way to extricate the data, either manually or automatically, depending on how locked down the network is. Application whitelisting solutions can really help block this kind of attack, but they're not perfect either. If an attacker can figure out how to get root on the machines, game over. This is why stand-alone point-to-point encrypted EMV card readers are the way to go. You can't scrape the process memory for data it doesn't have, and the card readers themselves are pretty tamper resistant (if you don't count external skimmers).


Agreed. Looks like this is a big deal™. Would love to know the method of spreading across all their points of sale; were they running on Windows?


A ton of POS systems run on Windows. Most on Windows XP Embedded.


In the industry I am in (mostly grocery, convenience, some specialty retail), most have moved to at least POSReady 7, and some are looking at Windows 10, though there are other concerns with PCI compliance there. Most of the large retailers are pretty good about keeping these things away from the general Internet, but once an attacker is in your network, most bets are off. The most important thing to do is to look for retailers who are using the standalone pinpad devices (i.e., they don't take your card and swipe it in the keyboard or on the display). These standalone devices encrypt card data before that Windows-based point-of-sale ever sees it. You can't steal card data from a POS which never sees card data.


> Windows 10

I'd be worried about the system rebooting to do a system update while I turn my back for a minute to help a customer.


Domain credentials, an understanding of the IP or hostname scheme and a simple batch file could distribute something like this pretty easily, provided the proper controls aren't in place.
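As an added example (not code from the thread or any poster), here is a small Python detector for the distribution pattern described above: one source host dropping the same executable onto the administrative share of many POS hosts. The event format, IPs, hostnames and filenames are constructed for illustration and mimic a simplified Windows Security event 5145 (network share object accessed).

```python
import re
from collections import defaultdict

# Constructed sample records (illustrative only, not real telemetry). Each line
# mimics a simplified Windows Security event 5145: timestamp, source IP,
# target host, share name, relative target path.
SAMPLE_EVENTS = """\
2017-05-25T02:14:01 src=10.20.1.15 host=POS-0101 share=ADMIN$ path=svc_update.dll
2017-05-25T02:14:02 src=10.20.1.15 host=POS-0102 share=ADMIN$ path=svc_update.dll
2017-05-25T02:14:02 src=10.20.1.15 host=POS-0103 share=ADMIN$ path=svc_update.dll
2017-05-25T02:14:03 src=10.20.1.15 host=POS-0104 share=ADMIN$ path=svc_update.dll
2017-05-25T02:14:03 src=10.20.1.15 host=POS-0105 share=ADMIN$ path=svc_update.dll
2017-05-25T02:16:10 src=10.20.1.15 host=POS-0101 share=ADMIN$ path=svc_update.dll
2017-05-25T03:00:00 src=10.20.9.2 host=POS-0101 share=POSDATA path=daily_report.csv
2017-05-25T03:00:05 src=10.20.9.2 host=POS-0102 share=POSDATA path=daily_report.csv
2017-05-25T03:00:09 src=10.20.9.2 host=POS-0103 share=POSDATA path=daily_report.csv
2017-05-25T03:00:12 src=10.20.9.2 host=POS-0104 share=POSDATA path=daily_report.csv
2017-05-25T04:30:00 src=10.20.1.40 host=POS-0101 share=ADMIN$ path=patch.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) share=(?P<share>\S+) path=(?P<path>\S+)$"
)
ADMIN_SHARES = {"ADMIN$", "C$"}          # shares a push to a POS box would use
EXECUTABLE_SUFFIXES = (".exe", ".dll")   # what the thread describes being pushed

def parse_events(text):
    """Parse the constructed event lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_fanout(events, min_hosts=3):
    """Return {(src, path): sorted hosts} for every source that dropped the same
    executable into an administrative share on at least min_hosts distinct hosts.
    Repeated writes to one host count once; a single-host push is normal admin work."""
    targets = defaultdict(set)
    for e in events:
        if e["share"] in ADMIN_SHARES and e["path"].lower().endswith(EXECUTABLE_SUFFIXES):
            targets[(e["src"], e["path"])].add(e["host"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    for (src, path), hosts in find_fanout(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT: {src} pushed {path} to {len(hosts)} POS hosts via admin share: {hosts}")
```

In practice the same fan-out logic applies to service-creation or scheduled-task events on the POS hosts, which the batch-file distribution described above would also produce.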


I checked my home and all of the places where I know Chipotle is at in 4 different states. Every single one was on there. Would be nice if they said what percentage of stores were hit. The language implies a minority, but this looks like it could be most of them.

