The 'Nemanja' POS malware is being used to steal payment cards in a worldwide campaign.
The 'Nemanja' POS malware is being used to steal payment cards in a worldwide campaign.

As many as half a million payment cards used in hotels, grocery stores and other business around the world – including in the U.S. – have been compromised by ‘Nemanja,' a recently discovered piece of malware that has infected nearly 1,500 point-of-sale (POS) devices.

The massive, worldwide Nemanja botnet – discovered in March by cyber intelligence company IntelCrawler – includes more than 1,478 hosts in more than 35 countries across the world, including the U.S., UK, Canada, Australia, China, Japan, Israel and Italy, as well as other developing countries.

The botnet is the work of a single group of cyber crooks believed to be located in Serbia, Andrew Komarov, CEO of IntelCrawler, told SCMagazine.com in a Thursday email correspondence, adding that the U.S. – namely New York, California, Washington and Colorado – has been a high priority target.

“It is one of those cases where a group of hackers developed [their] own malware for targeted attacks, with a very clear commercialization scheme,” Komarov said, adding that Nemanja does not appear to be up for sale. “They intercept credit cards from [infected POS devices] and then resell [the data] on black market through their own shops and partners.”

If all intercepted data was sold on underground markets at the going rates, millions of dollars could have been made in the fairly elaborate scheme, which involves creating fraudulent payment cards and laundering money through registered POS and mobile POS devices, Komarov said.

Infecting the targeted POS devices was no simple task.

“In some cases, [the attackers] used a technical way of penetration into the network perimeter, through remote administration channels, in order to install [the] malware, but it was also found that they might have [asked] insiders, or mules, to install this malware during their employment period,” Komarov said.