Botnet of PoS Systems Uncovered: IntelCrawler

Researchers at IntelCrawler have pulled the covers away from a cybercrime operation that has compromised nearly 1,500 point-of-sale (PoS) terminals and other systems around the world.

The firm calls the botnet ‘Nemanja’. The researchers said they discovered it earlier this year; it is composed of PoS terminals, accounting systems and grocery management platforms.

“The assigned name is related to potential roots of bad actors with similar nicknames from Serbia,” according to a blog post by the firm. “It included more than 1478 infected hosts from Argentina, Australia, Austria, Bangladesh, Belgium, Brazil, Canada, Chile, China, Czech Republic, Denmark, Estonia, France, Germany, Hong Kong, India, Indonesia, Israel, Italy, Japan, Mexico, Netherlands, New Zealand, Poland, Portugal, Russian Federation, South Africa, Spain, Switzerland, Taiwan, Turkey, UK, USA, Uruguay, Venezuela and Zambia.”

The compromised systems belong to small businesses and grocery stores, the firm explained. 

“Past incidents showed high attention from modern cybercriminality to retailers and small business segments having Point-of-Sale terminals,” according to the company. “We predict an increasing number of new data breaches in both sectors in the next few years, as well as the appearance of new types of specific malicious code targeted at retailers’ backoffice systems and cash registers. The nature of POS-related crimes can be different from country to country, but it shows the insecurity of modern payment environments. The bad actors combine several attack vectors in order to infect operators’ stations – “drive-by-download” and remote administration channels hacking.”
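The two infection vectors IntelCrawler names above, drive-by download and hijacked remote administration channels, both depend on configuration that a retailer can audit. The script below is an added example, not IntelCrawler's or SecurityWeek's code: it walks a constructed PoS host inventory and flags terminals or back-office hosts that expose a remote administration service to the internet without a source allowlist, or that permit general web browsing (the precondition for a drive-by download). The inventory fields, port-to-service table and host names are assumptions made for the example.

```python
"""Audit a PoS/back-office host inventory for the two infection vectors named
in the Nemanja report: internet-exposed remote administration channels and
unrestricted web browsing from terminals.

Added example (not the vendor's or the publication's code). The Host fields,
the port table and the sample hosts are assumptions constructed for this demo.
"""
from dataclasses import dataclass

# Common remote-administration services; the mapping is an assumption for the demo.
REMOTE_ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}


@dataclass
class Host:
    name: str
    role: str                          # "pos", "backoffice" or "workstation"
    internet_exposed_ports: set[int]   # TCP ports reachable from outside the store network
    admin_allowlist: bool              # remote admin restricted to known source addresses
    outbound_web_allowed: bool         # host may browse arbitrary web sites


def audit_host(host: Host) -> list[str]:
    """Return a list of findings for one host (empty list means no issue found)."""
    findings = []
    # Vector 1: remote administration channel reachable from the internet
    # with no source restriction, i.e. open to password guessing / reuse.
    for port in sorted(host.internet_exposed_ports & set(REMOTE_ADMIN_PORTS)):
        if not host.admin_allowlist:
            findings.append(
                f"{host.name}: {REMOTE_ADMIN_PORTS[port]} (tcp/{port}) exposed to the "
                f"internet without a source allowlist"
            )
    # Vector 2: a payment or back-office host that can browse the web at all
    # is exposed to drive-by downloads; such hosts should have no browsing role.
    if host.role in ("pos", "backoffice") and host.outbound_web_allowed:
        findings.append(
            f"{host.name}: {host.role} host permits general web browsing "
            f"(drive-by download exposure)"
        )
    return findings


def audit_inventory(hosts: list[Host]) -> dict[str, list[str]]:
    """Map host name -> findings, keeping only hosts with at least one finding."""
    return {h.name: f for h in hosts if (f := audit_host(h))}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Host("POS-LANE-01", "pos", {3389}, admin_allowlist=False, outbound_web_allowed=True),
    Host("POS-LANE-02", "pos", set(), admin_allowlist=False, outbound_web_allowed=False),
    Host("BACKOFFICE-01", "backoffice", {5900}, admin_allowlist=True, outbound_web_allowed=False),
    Host("ADMIN-WS-01", "workstation", {22}, admin_allowlist=False, outbound_web_allowed=True),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for finding in findings:
            print(finding)
```

In this inventory the first lane terminal is flagged twice (exposed RDP without an allowlist, and browsing permitted from a PoS host), the admin workstation once (exposed SSH), and the remaining two hosts not at all: the back-office machine exposes VNC but only to allowlisted sources, which the check treats as acceptable.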

PoS attacks have grown in prevalence during the past few years. The biggest example of this would of course be the recent breach at Target, which company officials traced to an attack on PoS systems that led to the exposure of information belonging to millions of customers. Earlier this month, a California man pleaded guilty to federal charges related to hacking point-of-sale systems in Subway restaurants. In a recent report, security firm Trustwave said PoS attacks accounted for 33 percent of its breach investigations in 2013.

“The 33 percent of breaches being PoS is a percentage decrease over 2012, however we saw just as many actual cases of PoS breaches as we have in the past,” said Karl Sigler, threat intelligence manager at Trustwave. “This shows that while PoS breaches still trended upwards in 2013, attackers are diversifying and attacking more targets.”

“The ‘Nemanja’ case has shown that cybercriminals started to join PoS malware with keyloggers in order to intercept credentials of various backoffice systems and databases in order to gain an access to payment or personal identifiable data,” according to IntelCrawler. “During the investigation on the ‘Nemanja’ botnet, over a thousand infected compromised PoS terminals, accounting systems, and grocery management systems were identified, which helped in collecting various fingerprints characterizing the victims.”

Foreseeing a future where PoS malware becomes a module of remote access Trojans and other malware, IntelCrawler believes card associations should expect a rise in PoS infections in developing countries in the near future due to poor security practices of many retailers in those regions. 
