PoS Botnet Goes Global

Wednesday, May 28, 2014 @ 06:05 PM gHale

Point-of-sale (PoS) terminals still appear to be low-hanging fruit for the bad guys: a global cybercriminal operation infected almost 1,500 terminals, accounting systems and other retail back-office platforms at businesses in 36 countries, researchers said.

The infected systems were joined together in a botnet that researchers from cybercrime intelligence firm IntelCrawler called Nemanja. The researchers believe the attackers behind the operation might be from Serbia.


The size of the botnet and the worldwide distribution of infected systems bring into perspective the security problems faced by retailers around the world, problems also highlighted by PoS breaches at several large U.S. retailers.

Past incidents suggest cybercriminals are paying increased attention to retailers and small businesses that use PoS terminals, the IntelCrawler researchers said Thursday in a blog post.

“We predict an increasing number of new data breaches in both sectors in the next few years, as well as the appearance of new types of specific malicious code targeted at retailers’ backoffice systems and cash registers,” the researchers said.

The Nemanja botnet included 1,478 infected systems in countries on most continents, including the U.S., the U.K., Canada, Australia, China, Russia, Brazil and Mexico, IntelCrawler said.

An analysis of the Nemanja botnet found the compromised systems were running a wide variety of PoS, grocery store management and accounting software popular in different countries. The IntelCrawler researchers identified at least 25 different such software programs used on those systems.

This doesn’t mean the identified applications are particularly vulnerable or insecure for further use, but it shows the Nemanja PoS malware is able to work with different software. In addition to the ability to collect credit card data, the malware also had keylogging functionality to intercept credentials that could provide access to other systems and databases that contained payment or personally identifiable information.

IntelCrawler predicts that very soon modern PoS malware will be incorporated as modules into malicious remote access tools (RATs) or other Trojan programs and will be used alongside other components, like those for keylogging or network traffic sniffing.

The other countries where the Nemanja botnet was detected were Argentina, Austria, Bangladesh, Belgium, Chile, Czech Republic, Denmark, Estonia, France, Germany, Hong Kong, India, Indonesia, Israel, Italy, Japan, Netherlands, New Zealand, Poland, Portugal, South Africa, Spain, Switzerland, Taiwan, Turkey, Uruguay, Venezuela and Zambia.
