Researchers at IntelCrawler have pulled the covers away from a cybercrime operation that has compromised nearly 1,500 point-of-sale (PoS) terminals and other systems around the world.
The firm calls the botnet ‘Nemanja’. The botnet is composed of PoS terminals, accounting systems and grocery management platforms, and the researchers said they discovered it earlier this year.
“The assigned name is related to potential roots of bad actors with similar nicknames from Serbia,” according to a blog post by the firm. “It included more than 1478 infected hosts from Argentina, Australia, Austria, Bangladesh, Belgium, Brazil, Canada, Chile, China, Czech Republic, Denmark, Estonia, France, Germany, Hong Kong, India, Indonesia, Israel, Italy, Japan, Mexico, Netherlands, New Zealand, Poland, Portugal, Russian Federation, South Africa, Spain, Switzerland, Taiwan, Turkey, UK, USA, Uruguay, Venezuela and Zambia.”
The compromised systems belong to small businesses and grocery stores, the firm explained.
“Past incidents showed high attention from modern cybercriminality to retailers and small business segments having Point-of-Sale terminals,” according to the company. “We predict an increasing number of new data breaches in both sectors in the next few years, as well as the appearance of new types of specific malicious code targeted at retailers’ backoffice systems and cash registers. The nature of POS-related crimes can be different from country to country, but it shows the insecurity of modern payment environments. The bad actors combine several attack vectors in order to infect operators’ stations – “drive-by-download” and remote administration channels hacking.”
PoS attacks have grown in prevalence during the past few years. The biggest example of this would of course be the recent breach at Target, which company officials traced to an attack on PoS systems that led to a breach that exposed information belonging to millions of customers. Earlier this month, a California man pleaded guilty to federal charges related to hacking point-of-sale systems in Subway restaurants. In a recent report, security firm Trustwave said PoS breaches accounted for 33 percent of its breach investigations in 2013.
“The 33 percent of breaches being PoS is a percentage decrease over 2012, however we saw just as many actual cases of PoS breaches as we have in the past,” said Karl Sigler, threat intelligence manager at Trustwave. “This shows that while PoS breaches still trended upwards in 2013, attackers are diversifying and attacking more targets.”
“The ‘Nemanja’ case has shown that cybercriminals started to join PoS malware with keyloggers in order to intercept credentials of various backoffice systems and databases in order to gain an access to payment or personal identifiable data,” according to IntelCrawler. “During the investigation on the ‘Nemanja’ botnet, over a thousand infected compromised PoS terminals, accounting systems, and grocery management systems were identified, which helped in collecting various fingerprints characterizing the victims.”
Foreseeing a future where PoS malware becomes a module of remote access Trojans and other malware, IntelCrawler believes card associations should expect a rise in PoS infections in developing countries in the near future due to poor security practices of many retailers in those regions.
Brian Prince is a Contributing Writer for SecurityWeek.