“Nemanja” Botnet Identified by IntelCrawler – Over a Thousand Point-of-Sale, Grocery Management and Accounting Systems Compromised All Over the World
IntelCrawler, a cyber-threat intelligence company based in Los Angeles, has been investigating electronic crime in the Point-of-Sale (POS) niche for a long time, collaborating with the threat intelligence and fraud detection teams of major financial institutions worldwide. Criminal gangs are illegally accessing the infrastructures of retailers and small businesses, with significant impact on every party involved in credit card acceptance.
Pic.1 – Infected Point-of-Sale terminals in small businesses and retailers have become one of the key sources of compromised credit cards for modern cybercriminals
Around March 2014, IntelCrawler identified one of the biggest botnets built from compromised POS terminals, accounting systems and grocery management platforms, named “Nemanja”. The name reflects the possible Serbian roots of the actors behind it, who use similar nicknames. It included more than 1478 infected hosts in Argentina, Australia, Austria, Bangladesh, Belgium, Brazil, Canada, Chile, China, Czech Republic, Denmark, Estonia, France, Germany, Hong Kong, India, Indonesia, Israel, Italy, Japan, Mexico, Netherlands, New Zealand, Poland, Portugal, Russian Federation, South Africa, Spain, Switzerland, Taiwan, Turkey, UK, USA, Uruguay, Venezuela and Zambia.
The botnet affected small businesses and grocery stores in different parts of the world, making the insecurity of retailers even more visible after earlier breaches. Those incidents showed how much attention modern cybercriminals pay to retailers and small businesses operating Point-of-Sale terminals. We expect the number of data breaches in both sectors to grow over the next few years, along with new types of malicious code written specifically for retailers' back-office systems and cash registers. The nature of POS-related crime differs from country to country, but it consistently shows the insecurity of modern payment environments. The bad actors combine several attack vectors to infect operators' workstations: drive-by downloads and compromise of remote administration channels.
Card associations should expect a wave of POS infections in developing countries in the near future, because retailers there lag significantly in information security. Current statistics also show no decline in interest in countries with high living standards and developed payment industries, such as Australia, the EU, the US, Canada and the UK. IntelCrawler predicts that modern POS malware will soon ship as a module of RATs/Trojans and other malicious software, used alongside keylogging and network-sniffing components.
Pic.2 – Point-of-Sale system compromised by targeted malware with keylogging and installed-software detection capabilities
The “Nemanja” case shows that cybercriminals have started to combine POS malware with keyloggers in order to intercept credentials for back-office systems and databases, and so gain access to payment or personally identifiable data. During the investigation, over a thousand compromised POS terminals, accounting systems and grocery management systems were identified, which helped in collecting fingerprints characterizing the victims:
- BEpoz Point of Sale System
- Caisse PDV
- CSI POS Ver 1.5
- CxPOS V8.1 - Cybex Systems POS
- Figure Gemini POS
- Gestão Comercial + POS VISION
- GOLDSOFT 2000 Accounting System
- GESTPOS 2000
- Integrated POS Software Solutions – H&L Australia
- NCR WinEpts Software Solution
- QuickBooks Pro Accounting Software
- RSAPOS - Retail Systems
- RETAIL for Microsoft Windows v.2006.1211.0.46
- RetailIQ POS
- Restaurant Manager
- Sage Retail 2013.03
- SICOM Systems Restaurant Management Console
- Suburban Software System
- Visual Business Retail - Electronic Point Of Sale
- WAND POS17
- WinREST FrontOffice
- WinSen Electronic Manager
Note: the list above gives examples of systems compromised in the analyzed botnet, identified by their fingerprints; it does not mean that these software products have vulnerabilities or are insecure for further use. It shows that well-known retail, accounting and grocery management systems used in different countries were affected by the targeted POS malware that was found.
Details from the “Nemanja” botnet have been added to the IntelCrawler Intelligence Platform and the “PoS Malware Infection Map” (PMIM), and are provided as a security feed to card associations, payment providers and other vetted parties. The feed contains compromised merchants, IP addresses of infected terminals and additional information for fraud prevention.
The Compromised Point-of-Sale Terminals Feed is a list of compromised payment terminals and network hosts installed in small businesses and retailers. IntelCrawler has unique experience in investigating Point-of-Sale-related e-crime and aggregates information about the distribution of RAM-scraping malware such as Alina, BlackPOS, Dexter, JackPOS, VSkimmer and their modifications. Part of this data is shown on the PMIM, with the approximate number of compromised credit cards, geographies and IP addresses of identified infected hosts. The feed can be delivered through a secure customer portal or encrypted e-mail notifications in various formats (XML, JSON, CSV, RAW). It is part of AML & Fraud Intelligence, a block of services for comprehensive analysis of the money laundering and fraud risks faced by financial institutions, insurance companies, investment groups, private companies and corporations. IntelCrawler welcomes security researchers, threat intelligence analysts, fraud investigators, industry leaders, security vendors, card associations and international LEA for mutually beneficial collaboration and information exchange over secure channels. Contact our team by e-mail at: firstname.lastname@example.org (PGP).
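The RAM-scraping families named above, and the back-office harvesting described for “Nemanja”, rely on one core operation: walking the memory of a POS process and picking out magnetic-stripe Track 1/Track 2 strings whose PAN passes the Luhn check, which separates card data from random digit runs. The Python script below is an added example, not IntelCrawler's code or part of the original post; it applies that same scan to a constructed memory snapshot (built from publicly documented test card numbers, so no real cardholder data is involved) and reports masked hits. Run defensively against a dump of a POS process, it tells you whether the application leaves cleartext track data in memory at all. The regular expressions, the sample buffer and the masking helper are this example's own assumptions.

```python
"""Scan a memory snapshot for cleartext magnetic-stripe track data.

Added example: the pattern-plus-Luhn filter that RAM-scraping POS malware
applies to a POS process's address space, turned around as an audit tool.
The snapshot below is constructed for this example from well-known test
card numbers; it is not data from any real system.
"""
from __future__ import annotations

import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
# Both layouts are the ISO/IEC 7813 ones; the regexes are this example's own.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.]{2,26})\^(\d{4})(\d{3})[^?]{0,30}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style masking: keep the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list[dict]:
    """Find Luhn-valid track data in a buffer and return de-duplicated hits.

    Hits are keyed by PAN so that a card present as both Track 1 and Track 2
    is reported once; only masked PANs leave this function.
    """
    hits: dict[str, dict] = {}
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue            # digit run that is not a card number
        h = hits.setdefault(pan, {"pan": mask(pan), "tracks": set(), "offset": m.start()})
        h["tracks"].add(1)
        h["name"] = m.group(2).decode().strip()
        h["expiry"] = m.group(3).decode()
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        h = hits.setdefault(pan, {"pan": mask(pan), "tracks": set(), "offset": m.start()})
        h["tracks"].add(2)
        h.setdefault("expiry", m.group(2).decode())
    return sorted(hits.values(), key=lambda h: h["offset"])


# Constructed snapshot: heap noise around two real-looking swipes plus a
# decoy string that matches the Track 2 layout but fails the Luhn check.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"POS.exe heap: transaction 0042 "
    + b"%B4111111111111111^DOE/JOHN^25121011000000000?"   # Track 1, Luhn-valid
    + b"\x00\x00"
    + b";4111111111111111=25121011000000000?"             # Track 2, same card
    + b"\x00" * 8
    + b";5500000000000004=26061010000000000?"             # Track 2 only, Luhn-valid
    + b"\x00" * 8
    + b";1234567890123456=26061010000000000?"             # fails Luhn: ignored
    + b"\xff" * 16
)


if __name__ == "__main__":
    for h in scan_memory(SAMPLE_DUMP):
        print(f"offset {h['offset']:#06x}: {h['pan']} exp {h['expiry']} "
              f"tracks {sorted(h['tracks'])}")
```

Against a real process dump the only change is reading the file into `buf`; keep the masking in place, since a scanner that writes full PANs to its own log has just recreated the problem it was meant to find.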