Thursday, 10 July 2014 06:40

New Botnet Targeting POS Terminals with Simple Passwords

Written by

Reading time is around minutes.

Point of Sale Terminals are a new target for malicious individuals. At least this is a trend that many security researchers are seeing over the last few months. These systems can be a treasure trove of information for someone looking to make some quick money. On top of that most are designed with simple and generic logons to make use easier. This is a common flaw with many Windows based POS systems, yet the trend continues.

On top of the use of bad login information some companies actually allow these highly sensitive systems to be accessed by remote desktop (RDP) from the internet without restriction. This trend has allowed a group of bad guys to tailor make a bot net to brute force the password from exposed POS systems. The botnet includes about 5600 computer systems in 119 countries around the world.

With it they look for systems responding on port 3389 (the default RDP port) and then try to break into them using a string of common passwords. Once the login attempt is successful the malware stores the login information and moves on to the next steps according to FireEye.

The second part of the infection attempts to gain elevated permissions on the terminal or will try to install itself as a service. From there it can grab payment information including credit card numbers and other details about the transactions. It sends this information back to command and control servers. As of this writing there are around 60 terminals that have been found to be infected. This sounds like a small number and not much to be concerned about, however we have a feeling that the real number is much larger and will continue to grow. There is quite a bit of data that points to POS terminals as being one of the next big targets for attacks.

Tell us what you think in our Forum

Read 2327 times Last modified on Thursday, 10 July 2014 06:41

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.