Cybercriminals Attack PoS Systems to Steal Data of Payment Card

'FireEye', a security firm, recently reported that cybercriminals are targeting point-of-sale (PoS) systems to steal information of payment cards by using thousands of compromised computers.

FireEye first spotted the malware, used in these attacks, in February 2014 and named it BrutPOS and AlienVault later analyzed it in March 2014 but they did not know the full scope of the operation at that time. As of now, researchers don't know distribution system of the malware but they have found a website which serves the threat and believe that attackers might have used special distribution services provided by other cybercriminals.

FireEye says that having infected the computer, the malware connects to a command and control (C2) server and receives a dictionary with passwords and usernames to be used for the brute-force attack. A list of IP addresses is provided for scanning.

After that it moves to check if the port used by the remote desktop protocol (3389) is open on any systems in the given IP range. The brute force starts attacking if it finds an open connection and start sending credentials to C2 server immediately.

FireEye said that it detected five C2 machines and out of them, only two seem to have been set up recently (one towards the end of May and the other in early June) are presently active.

Data collected from these servers indicate that the botnet is made up of 5,622 compromised computers from 119 countries.

Both of them are situated in Russia on the THEFIRST-NET network and other control systems were located in Germany and Iran.

Company analyzed and found that attackers specified a set of 57 IP address ranges out of which 32 were located in the United States and rest were found in other countries including United Kingdom, Netherlands, Spain, Tunisia, South Africa, Uganda and Ukraine.

Researchers of FireEye found information about the RDP servers which were asset for cybercriminals through access to the command and control servers.

FireEye said that it is still too early to attribute the attack to any particular group but it seems the work of an Eastern European group.

» SPAMfighter News - 7/17/2014