New POS Malware Steals Passwords for Remote Access; Breaching Retailers
Retail data breaches are up 10 percent, as Mandiant's M-Threat report found. Attackers are continuing to cash in by using malware designed especially for breaching retailer systems, stealing customer payment data, and retailer login credentials.
There’s a new malware family targeting point-of-sale systems used by retailers, named PoSeidon, as described by Cisco’s Security Solutions. The malware installs a keylogger and scans POS device memory for credit card numbers, which are then sent to a command and control server.
The keylogger can also be used to steal passwords, as CSOOnline.com reported. Specifically, the keylogger steals credentials for LogMeIn, the remote access application that allows a user to access a computer’s desktop, apps and files remotely. By deleting encrypted LogMeIn passwords and user profiles stored in the system registry, it forces users to type them in again, allowing attackers to steal them.
But this isn’t the first malware attack targeting LogMeIn and other remote access application credentials - the retail malware dubbed “Backoff” by US-CERT (United States Computer Emergency Readiness Team) also targets applications like Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop, Pulseway and LogMeIn.
Remote attackers attempt to brute-force the login feature of these apps, and once they gain access to administrator or privileged accounts, they would install POS malware and steal customer data.
PoSeidon is designed to survive system reboots, and it updates itself automatically. It also communicates stolen data directly to attacker servers, making it faster and easier for attackers to pull off a successful heist before being detected by a retailer’s security or IT team.
One of the main commonalities between each type of POS malware includes the compromise of POS terminals through stolen or brute-forced remote access credentials, since most are configured for remote technical support, suggesting that the associated user account has privileged or administrative permissions, making their credentials even more attractive to attackers, as ComputerWorld.com reported.
As a retailer, you can put less value on a password by using two-factor authentication. By adding another layer of security to your primary username and password, you can ensure your users must use a personal device like a smartphone to log in.
Modern two-factor solutions can be easily integrated into existing web applications, allowing users to log in securely with minimal disruption, while keeping remote attackers out. Learn more about how to protect against modern attacks in our detailed guide.
Ideal for CISOs, security, compliance and risk management officers, as well as IT admins and professionals, our free eBook: A Modern Guide to Retail Data Risks provides guidance on:
- New risks to the retail industry presented by cloud, mobile and Bring Your Own Device (BYOD)
- Business and compliance drivers for strengthening authentication security
- How outdated security solutions can no longer effectively protect retailers and consumers alike
- How implementing a modern two-factor authentication solution can work to protect the new IT model