Cybercriminals borrow from APT playbook in attack against PoS vendors

Attackers impersonated point-of-sale system owners in need of technical assistance in a spear-phishing attack targeting PoS vendors

Cybercriminals are increasingly copying cyberespionage groups in using targeted attacks against their victims instead of large-scale, indiscriminate infection campaigns.

This change in tactics has been observed among those who launch attacks, as well as those who create and sell attack tools on the underground market.

A recent example of such behavior was seen in a cybercriminal attack against vendors of point-of-sale systems that researchers from RSA documented last week.

The attackers sent emails to specific vendors impersonating small businesses such as restaurants. This technique, known as spear-phishing, is typically associated with advanced persistent threats (APTs) -- highly targeted, customized attacks whose goal is usually long-term cyberespionage.

"I am emailing you because nobody from your company is returning my calls," one of the malicious emails sent to a European PoS vendor reads. "I am having a problem with two of my terminals, getting random blue screens of death. Please give me a call. I have attached my business card!"

The attachment was a malicious Word document that attempted to exploit two Microsoft Office vulnerabilities -- CVE-2014-1761 and CVE-2012-0158, the RSA researchers said in a blog post. The exploits were obfuscated to evade antivirus detection with a technique that hadn't been seen before, they said.

According to researchers from FireEye, who also analyzed the attack, the exploit's payload was a well-known computer Trojan known as Vawtrak that can steal passwords and digital certificates; log keystrokes; take screenshots; and enable remote desktop access to infected systems.

Compromising the computers and networks of PoS vendors can prove highly valuable for attackers, because they can use such access to steal schematics, product configurations, customer lists and, more importantly, maintenance or remote support credentials.

This information could help them compromise PoS terminals for which the vendor also offers technical support. In fact, both the RSA and FireEye researchers found strong links between this attack's infrastructure and recent infections of Poseidon, a malware program designed to steal payment card data from the memory of PoS terminals.

Another interesting aspect of the spear-phishing campaign targeting PoS vendors was the attackers' use of a new document-based exploit kit called Microsoft Word Intruder (MWI), the FireEye researchers said Monday in a blog post.

Exploit kits are attack tools that bundle multiple exploits. They are sold on the underground market, usually on a subscription-based model, and most of them are used to launch mass attacks through compromised websites or malicious ads. But not MWI, it seems.

"The distributor of MWI, who is also the author, markets the exploit kit as an APT tool -- capable of directing an attack on a specific individual or firm -- and has warned customers he will revoke the license of anyone caught using the tool for spam."

This is a shift from the traditional cybercriminal attacks where the goal is to compromise as many victims as possible, regardless of who they are or what they do.

It's clear that cybercriminals today engage in both indiscriminate campaigns and targeted attacks, the FireEye researchers said. "The combination of these targeted intrusions with a widely deployed payload can make it difficult for network security monitors to assess the level of risk associated with the threat."

Stories by Lucian Constantin