NitlovePOS - malware via PoS
Back in December 2013, Target, the huge US retailer, was forced to admit to a security oversight that allowed hackers to breach its data perimeter and walk away with over 40 million credit and debit card details. Target then had to announce a 46% drop in profits as a result, just after the usually profitable winter holiday period.
The Target fiasco should have served as a warning to retailers of the dangers of clinging to old terminal software, poor employee practices (employees should not be using PoS units to check personal email) and weak firewalls.
Unfortunately, many vendors have been slow to react to the many warnings and are still operating less secure magnetic-stripe sales terminals and outmoded firewall systems.
The latest malware to be discovered is NitlovePOS. It captures and exfiltrates track 1 and track 2 payment card data by scanning the running processes of a compromised machine, then sends this data to a web server over SSL.
The attackers have created an email campaign targeting job seekers, using emails with subjects such as "Any Jobs?", "Any openings?", "Internship", "Internship questions", "Internships?", "Job Posting", "Job questions", "My Resume" and "Openings?". The emails carry attachments named CV_[4 numbers].doc or My_Resume_[4 numbers].doc, which contain a malicious macro. The documents are presented as protected documents so as to trick the recipient into enabling the macro.
If enabled, the malicious macro downloads and executes a malicious executable from 80.242.123.155/exe/dro.exe. The cyber-criminals behind this operation have been updating the payload. Once it infects a machine, the malware adds itself to a registry key so that it autoloads when the machine reboots.
Next-generation firewalls are said to be adequately equipped to deal with the likes of NitlovePOS through enforced network segmentation. Once unauthorized access has been gained, network segmentation provides effective controls to mitigate the next step of an intrusion and limit further movement across the network.
The researchers behind the discovery, FireEye, concluded their report by stating:
"Cyber-criminals engaged in indiscriminate spam operations have POS malware available and can deploy it to a subset of their victims. Due to the widespread use of POS malware, they are eventually discovered and detection increases. However, this is followed by the development of new POS with very similar functionality. Despite the similarity, the detection levels for new variants are initially quite low. This gives the cyber-criminals a window of opportunity to exploit the use of a new variant.
We expect that new versions of functionally similar POS malware will continue to emerge to meet the demand of the cyber-crime marketplace."