Tuesday, 26 May 2015

NitlovePOS - POS terminals being targeted through phishing emails

Cyber-criminals and fraudsters have started targeting employees working on Point-of-Sale (POS) terminals in order to get their hands on card details.

There is now evidence that social engineering and spear-phishing emails are actively being used, and have become the next attack method, against employees who have access to payment applications, virtual terminals and electronic cash registers (ECRs).
The new malware is named NitlovePOS [Virus Total Detection Rate] and it targets track one and track two data by scanning the memory of running processes. In other words, it is yet another memory-scraping malware that sends the captured data to a remote server over SSL.


Researchers from the security firm FireEye came across a widespread spam campaign originating from spoofed Yahoo! Mail accounts about job enquiries, each carrying the candidate's resume (Curriculum Vitae) as an attachment.

The fake resumes were named CV_[4 numbers].doc or My_Resume_[4 numbers].doc and were found to contain macros waiting to be executed. Once the resume is opened, the macro attempts to download and install malware on the system. To trick the user into allowing the macro to run, the document claimed to be a “protected document.”

The emails were sent with a number of different subjects, mostly to avoid being filtered by anti-spam engines:
  • Subject: Any Jobs?
  • Subject: Any openings?
  • Subject: Internship
  • Subject: Internship questions
  • Subject: Internships?
  • Subject: Job Posting
  • Subject: Job questions
  • Subject: My Resume
  • Subject: Openings?
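The attachment naming pattern and the subject list above are exactly the kind of indicators a mail gateway rule can act on. The following is an added example, not part of the original post or of FireEye's report: a small Python classifier that scores an incoming message against the campaign's observed subjects, the CV_[4 numbers].doc / My_Resume_[4 numbers].doc attachment names, and a Yahoo! Mail sender address, then returns a tiered verdict. The Message class and the three sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Subjects observed in the campaign (taken from the post), compared case-insensitively.
CAMPAIGN_SUBJECTS = {s.lower() for s in (
    "Any Jobs?", "Any openings?", "Internship", "Internship questions",
    "Internships?", "Job Posting", "Job questions", "My Resume", "Openings?",
)}

# Attachment names from the post: CV_<4 digits>.doc or My_Resume_<4 digits>.doc
ATTACHMENT_RE = re.compile(r"^(?:CV|My_Resume)_\d{4}\.doc$", re.IGNORECASE)

# The campaign used spoofed Yahoo! Mail accounts; the domain alone is a weak signal.
SPOOFED_SENDER_DOMAINS = {"yahoo.com"}


@dataclass
class Message:
    """Minimal constructed stand-in for a parsed inbound email."""
    sender: str
    subject: str
    attachments: List[str]


def score_message(msg: Message) -> List[str]:
    """Return the list of campaign indicators the message matches."""
    reasons = []
    if msg.subject.strip().lower() in CAMPAIGN_SUBJECTS:
        reasons.append("subject matches campaign subject list")
    for name in msg.attachments:
        if ATTACHMENT_RE.match(name):
            reasons.append(f"attachment name matches campaign pattern: {name}")
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if domain in SPOOFED_SENDER_DOMAINS:
        reasons.append(f"sender domain used by campaign: {domain}")
    return reasons


def classify(msg: Message) -> Tuple[str, List[str]]:
    """Tiered verdict: quarantine when the attachment pattern plus another
    indicator match, review when anything matches, pass otherwise.
    The attachment pattern carries the weight because a subject such as
    "My Resume" on its own is common legitimate traffic."""
    reasons = score_message(msg)
    attachment_hit = any(r.startswith("attachment") for r in reasons)
    if attachment_hit and len(reasons) >= 2:
        return "quarantine", reasons
    if reasons:
        return "review", reasons
    return "pass", reasons


# Constructed sample messages for the example.
SAMPLE_MESSAGES = [
    Message("hr.candidate@yahoo.com", "Any Jobs?", ["CV_4821.doc"]),
    Message("alice@example.org", "Invoice for May", ["invoice.pdf"]),
    Message("bob@example.org", "My Resume", ["Bob_Smith_Resume.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        verdict, reasons = classify(m)
        print(f"{verdict:10s} {m.sender:25s} {m.subject!r}  {reasons}")
```

In a real gateway the attachment test would be paired with a check that the .doc actually contains a VBA project (macro) rather than relying on its name, and the verdict would feed a quarantine queue the SOC reviews; the point here is that the indicators published with a campaign translate directly into a rule, and that weak indicators should lower the bar for review, not trigger blocking on their own.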
Even though we haven't seen POS malware spreading through a spam campaign before, this doesn't come as a surprise in this fast-evolving threat landscape. Security awareness training should be provided to all employees, especially those who have access to the Cardholder Data Environment (CDE). Antivirus must be installed and kept up to date, and users must work from accounts with the least privileges. In general, all security best practices must be followed, and every system must have gone through system hardening.

Employees must understand why they must not use the host running the ECR for browsing the web, accessing social media, playing games or loading files from USB sticks.

Find more technical details about the NitlovePOS malware here
