On top of using weak login credentials, some companies actually allow these highly sensitive systems to be accessed over Remote Desktop (RDP) from the internet without restriction. This trend has let a group of bad guys tailor-make a botnet to brute-force the passwords of exposed POS systems. The botnet includes about 5600 computer systems in 119 countries around the world.
With it they scan for systems responding on port 3389 (the default RDP port) and then try to break into them using a list of common passwords. Once a login attempt succeeds, the malware stores the credentials and moves on to the next steps, according to FireEye.
The second stage of the infection attempts to gain elevated permissions on the terminal, or tries to install itself as a service. From there it can grab payment information, including credit card numbers and other details about the transactions, and sends that data back to command-and-control servers. As of this writing around 60 terminals have been found to be infected. This sounds like a small number and not much to be concerned about; however, we have a feeling that the real number is much larger and will continue to grow. Quite a bit of data points to POS terminals as one of the next big targets for attacks.
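To show what this looks like from the defender's side, here is an added detection example (not FireEye's code and not part of the original article): it walks constructed Windows Security log records and flags a source that piles up failed RDP logons (event 4625 with logon type 10) inside a short window and then succeeds (event 4624), which is the trace a password-guessing bot leaves on an exposed terminal. The event IDs and logon type are real Windows values; the field names, threshold, window and sample addresses are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive; event 4625 = failed logon, 4624 = success

# Constructed sample events (not real telemetry): one POS host probed over RDP
# from a single source cycling through common passwords, then getting in, plus
# ordinary activity that must not trigger an alert.
SAMPLE_EVENTS = [
    {"ts": "2014-07-09T02:00:01", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"ts": "2014-07-09T02:00:04", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"ts": "2014-07-09T02:00:07", "id": 4625, "logon_type": 10, "user": "pos", "src": "203.0.113.7"},
    {"ts": "2014-07-09T02:00:11", "id": 4625, "logon_type": 10, "user": "pos", "src": "203.0.113.7"},
    {"ts": "2014-07-09T02:00:15", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"ts": "2014-07-09T02:00:19", "id": 4624, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    # Benign: a console logon at the register and one mistyped password from the office.
    {"ts": "2014-07-09T08:30:00", "id": 4624, "logon_type": 2, "user": "cashier", "src": "-"},
    {"ts": "2014-07-09T09:00:00", "id": 4625, "logon_type": 10, "user": "manager", "src": "192.0.2.10"},
    {"ts": "2014-07-09T09:00:20", "id": 4624, "logon_type": 10, "user": "manager", "src": "192.0.2.10"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag sources whose failed RDP logons reach `threshold` within `window`.

    Returns {src: {"failures": int, "users": [names tried], "compromised_user": name or None}};
    compromised_user is filled in when a success follows the flagged failure run.
    """
    fails = defaultdict(list)   # src -> timestamps of failed RDP logons (sliding window)
    users = defaultdict(set)    # src -> account names the source has tried
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue            # console and service logons are out of scope here
        src, ts = ev["src"], datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4625:
            users[src].add(ev["user"])
            # Drop failures that have aged out of the window, then count the rest.
            fails[src] = [t for t in fails[src] if ts - t <= window] + [ts]
            if len(fails[src]) >= threshold:
                alert = alerts.setdefault(src, {"failures": 0, "users": [], "compromised_user": None})
                alert["failures"] = len(fails[src])
                alert["users"] = sorted(users[src])
        elif ev["id"] == 4624 and src in alerts and alerts[src]["compromised_user"] is None:
            # A success from a source already flagged for guessing is the real alarm.
            alerts[src]["compromised_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} failures against {info['users']}, "
              f"then logged in as {info['compromised_user']}")
```

A single mistyped password from the office never reaches the threshold, while a source that tries several accounts and then succeeds is reported with the account it ended up using.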