Cybercriminals borrow from APT playbook in attack against PoS vendors

Attackers impersonated point-of-sale system owners in need of technical assistance in a spear-phishing attack targeting PoS vendors

Cybercriminals are increasingly copying cyberespionage groups in using targeted attacks against their victims instead of large-scale, indiscriminate infection campaigns.

This change in tactics has been observed among those who launch attacks, as well as those who create and sell attack tools on the underground market.

A recent example of such behavior was seen in a cybercriminal attack against vendors of point-of-sale systems that researchers from RSA documented last week.

The attackers sent emails to specific vendors impersonating small businesses such as restaurants. This technique, known as spear-phishing, is typically associated with advanced persistent threats (APTs) -- highly targeted, customized attacks whose goal is usually long-term cyberespionage.

"I am emailing you because nobody from your company is returning my calls," one of the malicious emails sent to a European PoS vendor reads. "I am having a problem with two of my terminals, getting random blue screens of death. Please give me a call. I have attached my business card!"

The attachment was a malicious Word document that attempted to exploit two Microsoft Office vulnerabilities -- CVE-2014-1761 and CVE-2012-0158, the RSA researchers said in a blog post. The exploits were obfuscated to evade antivirus detection with a technique that hadn't been seen before, they said.

According to researchers from FireEye, who also analyzed the attack, the exploit's payload was a well-known computer Trojan known as Vawtrak that can steal passwords and digital certificates; log key strokes; take screen shots; and enable remote desktop access to infected systems.

Compromising the computers and networks of PoS vendors can prove highly valuable for attackers, because they can use such access to steal schematics, product configurations, customer lists and, more importantly, maintenance or remote support credentials.

This information could help them compromise PoS terminals for which the vendor also offers technical support. In fact, both the RSA and FireEye researchers found strong links between this attack's infrastructure and recent infections of Poseidon, a malware program designed to steal payment card data from the memory of PoS terminals.

Another interesting aspect of the spear-phishing campaign targeting PoS vendors was the attackers' use of a new document-based exploit kit called Microsoft Word Intruder (MWI), the FireEye researchers said Monday in a blog post.

Exploit kits are attack tools that bundle multiple exploits. They are sold on the underground market, usually on a subscription basis, and most of them are used to launch mass attacks through compromised websites or malicious ads. MWI, it seems, is not.

"The distributor of MWI, who is also the author, markets the exploit kit as an APT tool -- capable of directing an attack on a specific individual or firm -- and has warned customers he will revoke the license of anyone caught using the tool for spam."

This is a shift from the traditional cybercriminal attacks where the goal is to compromise as many victims as possible, regardless of who they are or what they do.

It's clear that cybercriminals today engage in both indiscriminate campaigns and targeted attacks, the FireEye researchers said. "The combination of these targeted intrusions with a widely deployed payload can make it difficult for network security monitors to assess the level of risk associated with the threat."
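As an added illustration of the triage problem the FireEye researchers describe (example code, not from the article or from either vendor): constructed mail-gateway and endpoint alerts are correlated per host, so that a commodity Vawtrak detection preceded by a targeted-looking Office lure on the same machine is ranked above a lone detection. The log format, field names and host names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample alerts (not taken from the article): a mail-gateway
# event and an AV event on one host, plus a lone AV hit on another host.
SAMPLE_ALERTS = [
    "2015-04-01T09:12:03 src=mailgw host=ws-support-07 type=attachment ext=doc "
    "sender_domain=external recipient=support@pos-vendor.example "
    "subject='Problem with two of my terminals'",
    "2015-04-01T09:14:40 src=av host=ws-support-07 type=malware family=Vawtrak action=detected",
    "2015-04-01T11:02:10 src=av host=ws-sales-03 type=malware family=Vawtrak action=detected",
]

# key=value pairs; values may be single-quoted when they contain spaces
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")

# lure themes drawn from the email quoted in the article
LURE_TERMS = ("terminal", "blue screen", "support")

def parse(line):
    """Split a timestamp-prefixed key=value alert line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip("'") for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields

def is_spearphish_delivery(ev):
    """External sender, Office attachment, and a support-style lure subject."""
    return (ev.get("src") == "mailgw"
            and ev.get("ext") in ("doc", "docx", "rtf")
            and ev.get("sender_domain") == "external"
            and any(t in ev.get("subject", "").lower() for t in LURE_TERMS))

def triage(lines):
    """Return {host: severity}. A commodity malware family on its own is
    'medium'; the same host that also received a targeted-looking lure is
    'high', because the delivery vector, not the payload, signals targeting."""
    by_host = defaultdict(list)
    for ev in map(parse, lines):
        by_host[ev["host"]].append(ev)
    result = {}
    for host, evs in by_host.items():
        if not any(e.get("type") == "malware" for e in evs):
            continue
        targeted = any(is_spearphish_delivery(e) for e in evs)
        result[host] = "high" if targeted else "medium"
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
```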

Lucian Constantin
IDG News Service