Small businesses running cloud-based POS software hit with unique 'POSCLOUD' malware

Attackers developed 'POSCLOUD' malware to compromise cloud-based POS systems used by small businesses.

Unique malware targeting cloud-based point-of-sale (POS) software has been discovered by researchers with cyber intelligence company IntelCrawler.

The malware is referred to as POSCLOUD.Backdoor/Agent, or simply POSCLOUD. According to a Wednesday post, it targets cloud-based POS software typically used by smaller businesses – such as grocery stores and retailers – and accessed through Internet Explorer, Safari and Google Chrome.

POSCLOUD uses keylogging and stealthy screenshot capture to monitor customer flow and steal personal data. That sets it apart from standard POS malware such as Dexter and Alina, which use RAM scraping to harvest card data, Andrew Komarov, CEO of IntelCrawler, told SCMagazine.com in a Wednesday email correspondence.

“We identified it right after a pretty big botnet takedown and think that it was developed specially by cyber criminals in private [circles] to attack cloud-based environments, and hunt for IDs and customer data, including credit cards,” Komarov said, adding the information is then sold on underground marketplaces to identity thieves.

Several specifically targeted attacks using the malware have been observed so far against businesses in the U.S. and the EU, Komarov said, adding that, due to an ongoing investigation, IntelCrawler can only speculate that an EU-based group of cyber criminals is responsible for the threat. 

“[The attackers carry out] targeted attacks against tellers and [other individuals] that work with these kinds of systems, and infect [the systems] with client-side exploit kits and malware, [such as] POSCLOUD, which is pretty similar to banking trojans,” Komarov said, explaining attackers make use of spear phishing emails spoofed from cloud-based POS services providers.
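The infection vector described above is a spear-phishing email spoofed to look like it comes from the victim's cloud POS provider. As an added example, not part of the article or of IntelCrawler's research, the following Python checks an inbound message for the header-level indicators a mail gateway or SOC analyst would look at: an envelope sender (Return-Path) or Reply-To that does not match the From domain, failed SPF/DKIM/DMARC results, and a From display name that names the provider while the sending domain is either untrusted or a lookalike. The provider domain `pos-provider.example`, the brand phrase `pos cloud` and the three sample messages are constructed placeholders, not a real vendor or real mail.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed placeholders for this example: the provider a shop actually uses
# and the brand words that appear in its genuine mail. Neither is a real vendor.
TRUSTED_PROVIDER_DOMAINS = {"pos-provider.example"}
PROVIDER_BRAND_WORDS = {"pos cloud"}

# Matches mechanism=result pairs inside an Authentication-Results header.
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
FAILING_RESULTS = {"fail", "softfail", "permerror"}


def _domain(header_value) -> str:
    """Lower-cased domain of the first address in a header, '' if there is none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def spoof_indicators(raw_message: str) -> list[str]:
    """Return short indicator codes for a message that may impersonate the provider.

    An empty list means no indicator fired; it does not prove the mail is genuine.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, _ = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(msg.get("From"))
    envelope_dom = _domain(msg.get("Return-Path"))
    reply_dom = _domain(msg.get("Reply-To"))
    reasons: list[str] = []

    # Envelope sender or reply address pointing somewhere other than the From domain.
    if envelope_dom and envelope_dom != from_dom:
        reasons.append("return-path-mismatch")
    if reply_dom and reply_dom != from_dom:
        reasons.append("reply-to-mismatch")

    # Receiving MTA's own verdicts: a spoofed header From cannot pass aligned DMARC.
    for mech, result in AUTH_RESULT.findall(str(msg.get("Authentication-Results", ""))):
        if result.lower() in FAILING_RESULTS:
            reasons.append(f"auth-fail:{mech.lower()}={result.lower()}")

    # Brand impersonation from a domain the provider does not own, including
    # lookalikes that embed the provider's name (these may pass SPF on their own domain).
    if from_dom not in TRUSTED_PROVIDER_DOMAINS:
        name = display_name.lower()
        if any(word in name for word in PROVIDER_BRAND_WORDS):
            reasons.append("brand-impersonation")
        if any(t.split(".")[0] in from_dom for t in TRUSTED_PROVIDER_DOMAINS):
            reasons.append("lookalike-domain")
    return reasons


# Constructed sample messages (headers only matter here).
GENUINE_STATEMENT = """\
Return-Path: <billing@pos-provider.example>
From: "POS Cloud Billing" <billing@pos-provider.example>
To: owner@shop.example
Subject: Your monthly statement
Authentication-Results: mx.shop.example; spf=pass smtp.mailfrom=pos-provider.example; dkim=pass header.d=pos-provider.example; dmarc=pass

Your statement is attached.
"""

SPOOFED_HEADER_FROM = """\
Return-Path: <bounce@mail-relay.invalid>
From: "POS Cloud Support" <support@pos-provider.example>
Reply-To: support@pos-provlder-help.invalid
To: cashier@shop.example
Subject: Urgent: update your POS terminal software
Authentication-Results: mx.shop.example; spf=fail smtp.mailfrom=mail-relay.invalid; dkim=none; dmarc=fail header.from=pos-provider.example

Please install the attached update today.
"""

LOOKALIKE_DOMAIN = """\
Return-Path: <support@pos-provider-support.invalid>
From: "POS Cloud Support" <support@pos-provider-support.invalid>
To: cashier@shop.example
Subject: Action required: new terminal certificate
Authentication-Results: mx.shop.example; spf=pass smtp.mailfrom=pos-provider-support.invalid; dkim=pass header.d=pos-provider-support.invalid; dmarc=pass

Log in to renew your certificate.
"""

if __name__ == "__main__":
    for label, sample in [("genuine", GENUINE_STATEMENT),
                          ("spoofed From", SPOOFED_HEADER_FROM),
                          ("lookalike domain", LOOKALIKE_DOMAIN)]:
        print(f"{label}: {spoof_indicators(sample) or 'no indicators'}")
```

The lookalike sample is the instructive one: it passes SPF, DKIM and DMARC because the attacker controls that domain, so authentication results alone would clear it. Only the allowlist of the provider's real sending domains, combined with the brand-name check, flags it; in practice that allowlist comes from the provider's published DMARC/SPF records and the shop's own mail history.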

Additionally, a look at an identified command-and-control server revealed that the attackers use code that not only enables the downloading and unpacking of modules used to intercept forms and credentials, but also checks for a network connection with specific cloud-based POS providers, according to the post.

A fairly wide range of cloud-based POS systems were compromised, Komarov said.

“It shows that the niche of cloud-based technologies for retailers supporting integration with POS equipment is pretty insecure, especially for small businesses, which prefer to use [less expensive] systems in order to reduce costs,” Komarov said, adding he expects to see an increase in the number of these types of attacks.
