Botnet to POS data loss how?

It appears that POS data loss may be part of a Botnet attack according to Computerworld and FireEye researchers.

Botnets appear to be set up to scan the networks for easily accessed RDP sessions (Remote Desktop access). If the Bots can break in forcibly figure out ID and Passwords they report back the information to a repository on a server.  Later this data is used to try to gain access to the POS system. If successful the system can then be infected with a program to capture sales information, especially credit card details.

In a post from FireEye the attacks appear to be looking for specific brands of POS Systems.

The article from ComputerWorld points out that Target(TGT) had over 40 million payment transactions compromised.  The software installed on these types of POS termintals is a memory reading software also known as a scraper.

A second group IntelCrawler also monitored the BrutPOS malware and believe it is a criminal underground responsible for these attacks.  In the later research it also looks for systems that have softwarelike VNC, PC Anywhere which are remote protocols.

The bad actors distribution of the “@-Brt” botnet allows for active scanning of multiple IPv4 network ranges of specific TCP ports and parallel brute forcing of available remote administration protocols such as VNC, Microsoft RDP and PCAnywhere. The identified malware supports multithreading, which allows to speed-up the process of gaining unauthorized access to merchants for further data theft. IntelCrawler has also detected within the bot the concentration of some compromised merchants and the massive IPv4 scanning in network ranges of famous US Internet Service Providers such as AT&T Internet Services, Sonic.net and SoftLayer Technologies. There are several modifications of the “@-Brt” project, supported by several cybercriminals, using a bit different approaches to parallelism, potentially written by different authors for speed and timeouts optimization. After monitoring and infiltrating the bot network, IntelCrawler’s analysts have figured out the most commonly used passwords for compromised Point-of-Sale terminals and geographical distribution of the infected hosts for cyberattacks

.

For more information about the @-Brt bots check out the post from IntelCrawler.

Please read the entire post from ComputerWorld “Botnet aims brute-force attacks at point-of-sale systems” for more details and the associated links.

Why am I posting this because many small retailers may be affected by this issue and not even be aware. But a few of the POS systems are used by many companies I have done business with as a customer and as a technician. So the key thing in every story so far is to revisit all Remote Passwords and ensure they are more difficult to guess.  This type of Botnet does not only have to be used against POS systems but it can be used to compromise any computer with to easy of a remote password.

Second suggestion is to change passwords on a regular basis every 90 days is generally a standard that was used by Microsoft.

Make sure you are backing up your data. Contact us for information about Carbonite Solutions that are right for you. Or, go online and purchase directly at http://partners.carbonite.com/e2computers

Security news from the team at E2 Computers in Tarpon Springs and on the web at www.end2endsupport.com.

Tags: aloha, bot, E2 Computers, pos, RDP, security