Small businesses running cloud-based POS software hit with unique 'POSCLOUD' malware

Attackers developed 'POSCLOUD' malware to compromise cloud-based POS systems used by small businesses.

Unique malware targeting cloud-based point-of-sale (POS) software has been discovered by researchers with cyber intelligence company IntelCrawler.

The malware is referred to as POSCLOUD.Backdoor/Agent, or simply POSCLOUD, and it targets cloud-based POS software typically used by smaller businesses – such as grocery stores and retailers – and accessed through Internet Explorer, Safari and Google Chrome, according to a Wednesday post.

POSCLOUD malware uses keylogging and stealthy screenshot capture to monitor customer flow and steal personal data, unlike standard POS malware such as Dexter and Alina, which use RAM scraping to harvest card data from memory, Andrew Komarov, CEO of IntelCrawler, told SCMagazine.com in a Wednesday email correspondence.

“We identified it right after a pretty big botnet takedown and think that it was developed specially by cyber criminals in private [circles] to attack cloud-based environments, and hunt for IDs and customer data, including credit cards,” Komarov said, adding the information is then sold on underground marketplaces to identity thieves.

Several specifically targeted attacks using the malware have been observed so far against businesses in the U.S. and the EU, Komarov said, adding that, due to an ongoing investigation, IntelCrawler can only speculate that an EU-based group of cyber criminals is responsible for the threat. 

“[The attackers carry out] targeted attacks against tellers and [other individuals] that work with these kinds of systems, and infect [the systems] with client-side exploit kits and malware, [such as] POSCLOUD, which is pretty similar to banking trojans,” Komarov said, explaining attackers make use of spear phishing emails spoofed from cloud-based POS services providers.

Additionally, a look at an identified command-and-control server revealed that the attackers use code that not only enables the downloading and unpacking of modules used to intercept forms and credentials, but also checks for a network connection with specific cloud-based POS providers, according to the post.

A fairly wide range of cloud-based POS systems were compromised, Komarov said.

“It shows that the niche of cloud-based technologies for retailers supporting integration with POS equipment is pretty insecure, especially for small businesses, which prefer to use [less expensive] systems in order to reduce costs,” Komarov said, adding he expects to see an increase in the number of these types of attacks.
