A new malware threat scans the Internet for POS systems and tries to access them using common usernames and passwords.
Thousands of compromised computers are actively trying to break into point-of-sale (POS) systems using brute-force techniques to guess remote administration credentials.
The computers are part of a botnet, dubbed BrutPOS by researchers from security firm FireEye, that has been active since at least February. The botnet scans attacker-specified IP (Internet Protocol) address ranges for systems that accept Remote Desktop Protocol (port 3389) connections.
When an RDP service is identified, the BrutPOS malware attempts to log in with user names and passwords from a predefined list.
"Some of the usernames and passwords indicate that the attackers are looking for specific brands of POS systems such as Micros," the FireEye researchers said Wednesday in a blog post.
Micros Systems is based in Columbia, Maryland, and provides software applications, services and hardware systems, including POS terminals, to the hospitality and retail industries.
If the BrutPOS malware successfully guesses the remote access credentials of an RDP-enabled system it sends the information back to a command-and-control server. Attackers then use the information to determine whether the system is a POS terminal and if it is, to install a malware program that's designed to extract payment card details from the memory of applications running on it....
Data collected from these servers suggests that the botnet is made up of 5,622 compromised computers from 119 countries. The researchers identified 60 RDP-enabled systems -- most likely POS terminals -- that have been compromised, 51 of which are based in the U.S.
|