Botnet of PoS Systems Uncovered: IntelCrawler

Researchers at IntelCrawler have pulled the covers away from a cybercrime operation that has compromised nearly 1,500 point-of-sale (PoS) terminals and other systems around the world.

The firm calls the botnet ‘Nemanja’. Composed of PoS terminals, accounting systems and grocery management platforms, the researchers said they discovered it earlier this year.

“The assigned name is related to potential roots of bad actors with similar nicknames from Serbia,” according to a blog post by the firm. “It included more than 1478 infected hosts from Argentina, Australia, Austria, Bangladesh, Belgium, Brazil, Canada, Chile, China, Czech Republic, Denmark, Estonia, France, Germany, Hong Kong, India, Indonesia, Israel, Italy, Japan, Mexico, Netherlands, New Zealand, Poland, Portugal, Russian Federation, South Africa, Spain, Switzerland, Taiwan, Turkey, UK, USA, Uruguay, Venezuela and Zambia.”

The compromised systems belong to small businesses and grocery stores, the firm explained.

“Past incidents showed high attention from modern cybercriminality to retailers and small business segments having Point-of-Sale terminals,” according to the company. “We predict an increasing number of new data breaches in both sectors in the next few years, as well as the appearance of new types of specific malicious code targeted at retailers’ backoffice systems and cash registers. The nature of POS-related crimes can be different from country to country, but it shows the insecurity of modern payment environments. The bad actors combine several attack vectors in order to infect operators’ stations – “drive-by-download” and remote administration channels hacking.”

PoS attacks have grown in prevalence during the past few years. The most prominent example is the recent breach at Target, which company officials traced to an attack on PoS systems that exposed information belonging to millions of customers. Earlier this month, a California man pleaded guilty to federal charges related to hacking point-of-sale systems in Subway restaurants. In a recent report, security firm Trustwave said PoS attacks accounted for 33 percent of its breach investigations in 2013.

“The 33 percent of breaches being PoS is a percentage decrease over 2012, however we saw just as many actual cases of PoS breaches as we have in the past,” said Karl Sigler, threat intelligence manager at Trustwave. “This shows that while PoS breaches still trended upwards in 2013, attackers are diversifying and attacking more targets.”

“The ‘Nemanja’ case has shown that cybercriminals started to join PoS malware with keyloggers in order to intercept credentials of various backoffice systems and databases in order to gain access to payment or personal identifiable data,” according to IntelCrawler. “During the investigation on the ‘Nemanja’ botnet, over a thousand infected compromised PoS terminals, accounting systems, and grocery management systems were identified, which helped in collecting various fingerprints characterizing the victims.”

Foreseeing a future where PoS malware becomes a module of remote access Trojans and other malware, IntelCrawler believes card associations should expect a rise in PoS infections in developing countries in the near future due to poor security practices of many retailers in those regions.

Written By

Marketing professional with a background in journalism and a focus on IT security.
