ATTACK of the Windows ZOMBIES on point-of-sale terminals

Security watchers have spotted a fresh Windows-based botnet that attempts to hack into point-of-sale systems. Cyber threat intelligence firm IntelCrawler reports that the “@-Brt” project surfaced in May through underground cybercrime forums. The malware can be used to brute-force point-of-sale systems and associated networks, …

  1. Alister

    IntelCrawler strongly recommends strengthening passwords used for POS terminals, as well as monitoring suspicious incoming network traffic.

    Trouble is, most of these POS are installed in places where there is no established IT infrastructure - hung off the end of a broadband connection in a shop somewhere - so the likelihood of there being any method of monitoring traffic is remote, and the password choice is down to some shop manager or owner.

    1. Anonymous Dutch Coward

      Remote access

      Ehrm, maybe I'm dim but if you can access the box via RDP/VNC/PCAnywhere then you should be able to change the p/w as well, right?

      (Of course, with a chance of locking yourself out etc etc but still)

  2. Rabbit80

    Surely an easy fix for this...

    Why hasn't RDP been patched to only allow a certain number of login attempts per minute? My car stereos have done this (with the security code) for as long as I can remember!

    1. dotdavid

      Re: Surely an easy fix for this...

      A good question. When I ran a Windows VPS I was getting so many opportunistic skids attempting to log in with "administrator"/[generated_password_1_through_infinity], I ended up disabling the administrator account as there was no obvious way to blacklist an IP for an hour or so after X failed logins. It really didn't give me much confidence that the server would stay secure.

      1. Rabbit80

        Re: Surely an easy fix for this...

        Yup.. we have seen it on our Amazon AWS server.. fortunately, it is possible to firewall it in such a way that only specified IP addresses can log in! (That's possible using advanced firewall in Windows so long as you know what to do)

    2. NeilPost Silver badge

      Re: Surely an easy fix for this...

      Been able to do this since Windows NT 3.51.......... It's just a case of *actually doing* it.
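The two controls this thread describes (scoping the RDP firewall rules to known source addresses, as Rabbit80 did on AWS, and the account lockout policy NeilPost refers to), plus a quick check of failed-logon events, as an added PowerShell example that is not part of the thread. It assumes an elevated PowerShell prompt on Windows 8 / Server 2012 or later (the NetSecurity module), that the firewall's default inbound action is still Block, and that no other allow rule for port 3389 exists; the source addresses and lockout values are constructed placeholders.

```powershell
# Added example (not from the thread): restrict and monitor RDP on an exposed Windows host.
# Run elevated. Addresses and thresholds below are constructed placeholders.

$allowedSources = @('203.0.113.10', '198.51.100.0/24')   # constructed: head office + VPN range

# 1. Scope the built-in "Remote Desktop" allow rules to the trusted sources.
#    With the default inbound action of Block, no other source can reach 3389
#    unless some other allow rule for the port exists (checked below).
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $allowedSources

# Verify the scoping took effect on every rule in the group.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# Look for any other enabled inbound allow rule on 3389 that would bypass the scoping.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, DisplayGroup

# 2. Local account lockout policy: five failures within 30 minutes lock the
#    account for 30 minutes. This is per account, not per source IP: it slows
#    guessing but a guessing run can also lock out legitimate users, which is
#    why the source restriction above is the primary control.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
net accounts   # print the resulting policy

# 3. Detection: failed logons (Security event 4625) per source address over the
#    last 24 hours. Property index 19 of event 4625 is the IpAddress field.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Properties[19].Value } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

The scoped allow rules only help if nothing else admits port 3389, which is what the port-filter check is for; block rules always win over allow rules in Windows Firewall, so an explicit block rule for untrusted ranges is a belt-and-braces option if the host is managed by several tools. Audit Failure logging for logon events must be enabled for 4625 to appear; on a host that logs nothing, the last query simply returns no rows.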

  3. Stevie

    Bah!

    "IntelCrawler strongly recommends that strengthen passwords used for POS terminals, as well as to monitor suspicious incoming network traffic"

    Or, and I'm just spitballing off the top of my head here, stop allowing updates to POS software across the public internetworks of the world.

    Because it's a fucking cash register, not a light bulb or a loudspeaker where internet connectivity is self-evidently essential to the devices' proper working.

    1. Anonymous Coward

      Re: Bah!

      So you have a network of say 100 POS terminals across disparate locations which are regularly uploading their sales figures to a central BI system and they are being reconfigured to allow new employees access, or change their barcode library or for-sale items, and this should not be networked and done from a remote central location?

      Often using a VPN is the only option as most people can't afford private leased links to each location and they often sit on a much larger part of the company network.

      1. Steve Evans

        Re: Bah!

        The more sensible configuration I've seen in the big wide world, is to have the POS devices phone home at set intervals/times to the head office, where there *is* a real IT team.

        So no inbound connections to the POS device are permitted. This also means the POS devices can sit on a LAN with everything else, and not require their own line.

        1. Anonymous Coward

          Re: Bah!

          Not sure about everywhere, but in the business I own, one of the POS devices is able to take over as master in case the server has problems. So it at least would require the ability to accept incoming connections from the other POS devices, and thus still need to be on a separate network.

          I suspect that some people don't obey the "separate network" mandate and have POS devices connected to a wireless router. Maybe PCI compliance won't let them do that anymore, but I'm sure it was often done in the past.

        2. Anonymous Coward

          Re: Bah!

          "The more sensible configuration I've seen in the big wide world, is to have the POS devices phone home at set intervals/times to the head office, where there *is* a real IT team."

          Which system is that then, never seen it? I mean, how would you troubleshoot the device? Wait for the phone home slot and then quickly get in before it drops the connection again?

          Just secure the things against unauthorised access, the same as you do a PC on your network, your web servers etc. No sensible configuration requires waiting for the 'phone home slot' to come around before the devices can be accessed, not in the real world.

  4. NeilPost Silver badge

    Chip and PIN

    Yet another reason US banks need to stop resisting Chip and PIN, and PCI/DSS being implemented - works very well in Europe, where Card Scraping is almost unheard of, as card details are masked or point-to-point encrypted: PoS terminal <--> Bank Merchant Acquirer. After all, PCI/DSS in Europe is advocated for by the EMV Consortium - members - Mastercard and Visa International.

    1. waldo kitty

      Re: Chip and PIN

      NeilPost: Yet another reason US banks need to stop resisting Chip and PIN, and PCI/DSS being implemented - works very well in Europe, where Card Scraping is almost unheard of [...]

      perhaps you missed this little bit'o'news from yesterday??

      http://www.theregister.co.uk/2014/07/09/teenytiny_skimmer_found_in_gullets_of_atms/

      seems these devices are predominant in Europe...

  5. jcitron

    I don't blame the end-user so much because they are just that - end users who usually have no clue when it comes to data security. The VAR and system integrator that sells these POS network devices should educate the users and enforce secure passwords. This may mean a bit more work for the VAR consultant, but in the end everyone wins.
