Small businesses running cloud-based POS software hit with unique 'POSCLOUD' malware

Attackers developed 'POSCLOUD' malware to compromise cloud-based POS systems used by small businesses.

Unique malware targeting cloud-based point-of-sale (POS) software has been discovered by researchers with cyber intelligence company IntelCrawler.

The malware is referred to as POSCLOUD.Backdoor/Agent, or simply POSCLOUD, and it targets cloud-based POS software typically used by smaller businesses – such as grocery stores and retailers – operating Internet Explorer, Safari and Google Chrome, according to a Wednesday post.

POSCLOUD malware uses keylogging and stealth screenshot grabbing to monitor customer flow and steal personal data, unlike other standard POS malware, such as Dexter and Alina, which uses RAM-scraping to compromise information, Andrew Komarov, CEO of IntelCrawler, told SCMagazine.com in a Wednesday email correspondence.

“We identified it right after a pretty big botnet takedown and think that it was developed specially by cyber criminals in private [circles] to attack cloud-based environments, and hunt for IDs and customer data, including credit cards,” Komarov said, adding the information is then sold on underground marketplaces to identity thieves.

Several specifically targeted attacks using the malware have been observed so far against businesses in the U.S. and the EU, Komarov said, adding that, due to an ongoing investigation, IntelCrawler can only speculate that an EU-based group of cyber criminals is responsible for the threat. 

“[The attackers carry out] targeted attacks against tellers and [other individuals] that work with these kinds of systems, and infect [the systems] with client-side exploit kits and malware, [such as] POSCLOUD, which is pretty similar to banking trojans,” Komarov said, explaining attackers make use of spear phishing emails spoofed from cloud-based POS services providers.

Additionally, a look at an identified command-and-control server revealed that the attackers use code that not only enables the downloading and unpacking of modules used to intercept forms and credentials, but also checks for a network connection with specific cloud-based POS providers, according to the post.

A fairly wide range of cloud-based POS systems were compromised, Komarov said.

“It shows that the niche of cloud-based technologies for retailers supporting integration with POS equipment is pretty insecure, especially for small businesses, which prefer to use [less expensive] systems in order to reduce costs,” Komarov said, adding he expects to see an increase in the number of these types of attacks.
