In case the coverage of last year’s Target breach did not drive this point home: criminals are very interested in retailers’ Point of Sale (PoS) machines. Because so many credit card numbers pass through these systems, and because they are often insufficiently guarded, criminals see them as very low-hanging fruit for theft. Recently, a new type of malware has been found that specifically tries to break into PoS machines. ESET detects this threat as Win32/BrutPOS.A.
The idea behind BrutPOS is that it tries to brute-force its way into PoS machines by trying a variety of (overused) passwords in order to log in via Remote Desktop Protocol (RDP). It is unclear at this time how this malware is being spread, but it is likely just one component of an attacker’s toolkit – that is to say, it is probably being used in concert with other malware, possibly depending on the defenses (or lack thereof) on the machines being attacked. Once the machine has been breached, the trojan installs a “RAM Scraper” which collects credit card numbers from the memory of the PoS machine and sends them back to the attackers via FTP. Many of the systems on which this malware has been found belong to small businesses, which are particularly desirable targets for such theft.
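The RDP password guessing described above leaves a recognisable trace in Windows Security logs: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from a single source, cycling through common account names. The script below is an added example, not from the original post or from ESET, that flags such bursts; the event ID and logon type are real Windows values, while the pipe-separated log layout, the threshold and window, and the sample records are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, "timestamp|event_id|logon_type|user|source_ip" (an assumed layout;
# a real export needs its own parser). 4625 = failed logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2014-07-10 02:00:01|4625|10|administrator|203.0.113.45
2014-07-10 02:00:03|4625|10|admin|203.0.113.45
2014-07-10 02:00:04|4625|10|pos|203.0.113.45
2014-07-10 02:00:06|4625|10|Administrator|203.0.113.45
2014-07-10 02:00:07|4625|10|manager|203.0.113.45
2014-07-10 02:00:09|4625|10|sa|203.0.113.45
2014-07-10 02:15:00|4625|10|clerk|192.0.2.10
2014-07-10 02:30:00|4624|10|clerk|192.0.2.10
2014-07-10 02:31:00|4625|3|svc|198.51.100.7
"""

def parse_records(text):
    """Yield (timestamp, event_id, logon_type, user, source_ip) tuples from the simplified log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, user, ip = line.split("|")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), int(ltype), user, ip

def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: sorted list of usernames tried} for every source that produced
    at least `threshold` failed RDP logons (4625, type 10) inside any window of `window`."""
    failures = defaultdict(list)
    for ts, eid, ltype, user, ip in parse_records(text):
        if eid == 4625 and ltype == 10:  # only failed RDP logons count
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start..end] fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

if __name__ == "__main__":
    for ip, users in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"possible RDP brute force from {ip}: {len(users)} usernames tried: {users}")
```

A single clerk mistyping a password once, or a non-RDP failure (logon type 3), is deliberately not flagged, which keeps the check focused on the password-spraying pattern rather than ordinary user error.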
If you have a PoS machine, there are a few quick things you can do to help protect these systems from this particular type of attack:
There are a variety of other things you can do to help protect your PoS machines, which are much the same measures you would take to protect any other machine on the Internet, including regularly updating software and using security software. This post by the US-CERT goes into more detail specific to administering PoS systems.
This is a good reminder that any machine that connects to the Internet can and should be protected, and that the techniques for doing so are basically the same, regardless of operating system. Once you learn good security hygiene, you can use the same basic principles on any system you administer.
Author: Lysa Myers, ESET