Researchers with Trend Micro have observed a new point-of-sale (POS) malware threat – identified as GamaPoS – being distributed predominately in the U.S. and Canada as part of a spam campaign involving the Andromeda botnet.
According to a Thursday post by Jay Yaneza, threat analyst with Trend Micro, attackers are turning systems into Andromeda bots by sending out mass phishing emails containing macro-based malware attachments or links to compromised websites hosting exploit kits.
The idea is to distribute as many Andromeda backdoors as possible in the hopes of catching some POS systems and infecting them with GamaPoS. As of Friday, Trend Micro had observed hundreds of GamaPoS infections, Yaneza told SCMagazine.com in a Friday email correspondence.
“Note that just [fewer than] four percent of those affected by Andromeda were affected by GamaPoS,” Yaneza said, adding, “The domains involved were registered on May 2 and the campaign spun up starting May 6 and was running through mid-July.”
In the post, Yaneza wrote that GamaPoS has affected consumer electronics companies, furniture wholesalers, restaurants, home healthcare groups and various other organizations in 13 U.S. states, including California, Colorado, Florida, New York, South Carolina and Texas.
Yaneza noted that GamaPoS – RAM scraping malware that targets Visa, Discover, Maestro and other cards – is the first POS threat to be coded using the .NET framework.
“We can attribute this development to the fact that it is easier to create malware in the .NET platform and, now that Microsoft made it available as an open-source platform, more developers are expected to use it for their applications,” Yaneza wrote. “This makes .NET a viable platform to use for attacks.”
To protect against these types of threats, Yaneza wrote that IT managers need to stay on top of patching and updating. He added that organizations should be using effective spam filters and enforcing strong security policies based on how email is being used.