Point-of-sale malware infections on the rise, researchers warn

  • 5 December 2013
  • 2 replies
  • 27 views

Userlevel 7
Badge +54
Watch your credit or debit card carefully this holiday season.

New attack campaigns have infected point-of-sale (PoS) systems around the world with sophisticated malware designed to steal payment card and transaction data.

Researchers from security firm Arbor Networks found two servers that were used to collect data stolen from PoS systems by variants of the Dexter malware and a similar threat called Project Hook.

Dexter and Project Hook are designed to steal Track 1 and Track 2 information written on the magnetic stripes of payment cards when transactions are processed on the infected PoS terminals. Attackers can use this information to clone the cards.

The servers found by Arbor Networks were active at the beginning of November and the data found on them suggests that the Dexter campaign mainly infected systems in Eastern Hemisphere countries. The Project Hook malware infected PoS systems mostly in the U.S. and Europe.

The Arbor Networks researchers identified three separate versions of the Dexter malware, dubbed Stardust, Millenium, and Revelation. The first version of Dexter was found in November 2012 by researchers from Israeli security firm Seculert.

The source code for Dexter version 1.0 was leaked, which resulted in increased interest from cybercriminals in PoS malware, according to researchers from IntelCrawler, a Los Angeles-based security intelligence startup firm.

IntelCrawler recently identified a botnet of 31 PoS terminals from restaurants and well-known stores in seven major U.S. cities that were infected with a StarDust variant, said Andrey Komarov, IntelCrawler’s CEO, via email.
 
Full Topic
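Dexter and Project Hook harvest Track 1 and Track 2 data, so one defensive check worth having is the ability to recognise that data when it turns up where it should not: a memory dump from a suspect terminal, or the body of a captured outbound POST. The Python below is an added example written for this thread, not code from the article, from Arbor Networks or from any of the malware families named; it assumes the standard ISO/IEC 7813 track layouts (format B for Track 1), uses the Luhn check to suppress random digit runs, masks every PAN before reporting it, and runs over a constructed blob containing two well-known test card numbers and one decoy.

```python
import re

# ISO/IEC 7813 track layouts (assumption: standard format B for Track 1).
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")

# Constructed sample: two public test PANs wrapped in track framing plus
# a decoy that has the right shape but fails the Luhn check.
SAMPLE_BLOB = (
    "POST /gateway HTTP/1.1 ... "
    "%B4111111111111111^DOE/JOHN^25121011000000000000?"
    " process memory noise 0x00 0x00 "
    ";5555555555554444=25121010000000000000?"
    " decoy: ;1234567890123456=25121010000000000000?"
)


def luhn_ok(pan: str) -> bool:
    """True when the PAN passes the Luhn mod-10 check (cuts false positives)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four digits; a finding must never log a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: str) -> list:
    """Scan text for Track 1 / Track 2 records whose PAN passes Luhn.

    Returns findings with the PAN already masked; Track 1 matches are
    listed first, then Track 2 matches."""
    findings = []
    for m in TRACK1_RE.finditer(blob):
        pan = m.group(1)
        if luhn_ok(pan):
            findings.append({"track": 1, "pan": mask_pan(pan),
                             "expiry": m.group(3), "service_code": m.group(4)})
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1)
        if luhn_ok(pan):
            findings.append({"track": 2, "pan": mask_pan(pan),
                             "expiry": m.group(2), "service_code": m.group(3)})
    return findings


if __name__ == "__main__":
    for f in find_track_data(SAMPLE_BLOB):
        print(f"Track {f['track']}: PAN {f['pan']} exp {f['expiry']} "
              f"service code {f['service_code']}")
```

The Luhn filter matters in practice: a PoS host is full of numeric runs (timestamps, transaction ids, serial numbers) and without it a scan of a memory image produces far more noise than signal. The masking is deliberate too; an incident responder's own notes and tickets should not become a second copy of the stolen card data.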

2 replies

Userlevel 7
The following article is an update on point-of-sale terminals
 
(ATTACK of the Windows ZOMBIES on point-of-sale terminals)
 
By John Leyden, 9 Jul 2014
 
Security watchers have spotted a fresh Windows-based botnet that attempts to hack into point-of-sale systems.
Cyber threat intelligence firm IntelCrawler reports that the “@-Brt” project surfaced in May through underground cybercrime forums. The malware can be used to brute-force point-of-sale systems and associated networks, using data such as "subnet IP ranges and commonly used operators, supervisor, and back office administrator logins, some of which are default manufacturers' passwords".
The main tactic appears to be using botnets to scour the net for Remote Desktop Protocol (RDP) servers that have weak or default passwords before mapping and subsequently hacking vulnerable point of sale systems (POS). Compromised POS systems might then be loaded up with malware capable of scraping card details processed through affected terminals.
 
The Register/ Full Read Here/ http://www.theregister.co.uk/2014/07/09/botnet_brute_forces_pos/
Userlevel 7
The following article is an update on point-of-sale malware
 
(Hackers Turn Remote Desktop Tools Into Gateways for Point-of-Sale Malware Attacks)
 
By Brian Prince on July 31, 2014
 
Just as autoimmune diseases turn cells against the body, hackers are turning legitimate remote administration tools into weapons for breaching networks.
In a new report released today by the U.S. Department of Homeland Security, security experts laid out how cybercriminals are using legitimate programs as the first step to break into corporate networks and compromise point-of-sale systems with malware.
"Remote desktop solutions like Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMEIn Join.Me offer the convenience and efficiency of connecting to a computer from a remote location," the report notes. "Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request."
The malware family being used in the attacks is known as 'Backoff', and has been spotted in at least three separate breach investigations, according to the report. However, researchers at security firm Trustwave say they can connect the malware to nearly 600 infections of businesses.
 
SecurityWeek/ Full article here/ http://www.securityweek.com/hackers-turn-remote-desktop-tools-gateways-point-sale-malware-attacks
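Both the @-Brt botnet in the earlier reply and the DHS Backoff report quoted here describe the same opening move: brute-forcing remote desktop logins until an administrator or other privileged account gives way. On a Windows host those attempts land in the Security log as event 4625 (failed logon) and the eventual success as 4624, with logon type 10 marking RemoteInteractive, i.e. RDP, sessions. The Python below is an added example written for this thread, not code from either article or from IntelCrawler, Trustwave or DHS; it assumes those two event IDs and that logon type, and it runs over constructed log lines in a simplified one-line-per-event format rather than raw EVTX. It flags a source that fails five or more RDP logons within five minutes and escalates the finding when the same source then logs on successfully, which is the moment at which the articles say PoS malware gets deployed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified rendering of Windows Security log events
# (EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP).
# Source addresses come from the documentation ranges, not real hosts.
SAMPLE_LOG = """\
2014-07-09T10:00:01 EventID=4625 LogonType=10 Source=203.0.113.5 User=admin
2014-07-09T10:00:03 EventID=4625 LogonType=10 Source=203.0.113.5 User=administrator
2014-07-09T10:00:06 EventID=4625 LogonType=10 Source=203.0.113.5 User=pos
2014-07-09T10:00:09 EventID=4625 LogonType=10 Source=203.0.113.9 User=admin
2014-07-09T10:00:12 EventID=4625 LogonType=10 Source=203.0.113.5 User=backoffice
2014-07-09T10:00:15 EventID=4625 LogonType=10 Source=203.0.113.5 User=supervisor
2014-07-09T10:00:18 EventID=4625 LogonType=10 Source=203.0.113.5 User=admin
2014-07-09T10:00:21 EventID=4625 LogonType=10 Source=203.0.113.9 User=administrator
2014-07-09T10:00:40 EventID=4624 LogonType=10 Source=203.0.113.5 User=admin
2014-07-09T10:05:00 EventID=4624 LogonType=10 Source=198.51.100.7 User=manager
""".splitlines()

LINE_RE = re.compile(r"(\S+) EventID=(\d+) LogonType=(\d+) Source=(\S+) User=(\S+)")


def parse_line(line: str):
    """Parse one simplified event line; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event_id, logon_type, src, user = m.groups()
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "src": src, "user": user}


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed RDP logons inside the window.

    A later successful RDP logon from a flagged source upgrades the finding,
    since that is where the attacker gains a foothold on the terminal."""
    recent = defaultdict(deque)      # src -> failure timestamps still in window
    total = defaultdict(int)         # src -> all failures seen from that source
    users = defaultdict(set)         # src -> account names tried
    flagged = {}                     # src -> finding
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["logon_type"] != 10:
            continue                 # skip malformed lines and non-RDP logons
        src = ev["src"]
        if ev["event_id"] == 4625:
            q = recent[src]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            total[src] += 1
            users[src].add(ev["user"])
            if len(q) >= threshold:
                f = flagged.setdefault(src, {"src": src, "first_failure": q[0],
                                             "succeeded": False,
                                             "success_user": None})
                f["failures"] = total[src]
                f["users_tried"] = sorted(users[src])
        elif ev["event_id"] == 4624 and src in flagged:
            flagged[src]["succeeded"] = True
            flagged[src]["success_user"] = ev["user"]
    return flagged


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_LOG).values():
        state = "SUCCEEDED as " + f["success_user"] if f["succeeded"] else "ongoing"
        print(f"{f['src']}: {f['failures']} failed RDP logons, "
              f"{len(f['users_tried'])} accounts tried, {state}")
```

The second source in the sample (two failures) stays below the threshold and is not reported, and the clean logon from 198.51.100.7 is ignored because nothing preceded it. Counting distinct account names per source is what separates a password-spraying bot from a single operator mistyping a password, and the "failures then success" escalation is the event a PoS operator most wants paged on, since the articles describe it as the step immediately before malware deployment. The mitigation implied by both reports, not shown in the code, is to keep RDP off the Internet-facing side of the PoS network and replace the default vendor passwords the bot is counting on.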
