News Feature | June 11, 2015

NitlovePOS Malware Uses Phishing Attacks To Target POS Terminals

By Christine Kern, contributing writer

Social engineering and spear-phishing emails are being actively used to target employees who have access to payment applications, virtual terminals, and electronic cash registers, according to cybersecurity experts.

The newly identified “NitlovePOS” malware was found by researchers at FireEye while they were tracking a campaign in which spam emails sent from bogus Yahoo! accounts carried subject lines purporting to come from individuals interested in internships or job openings.

The FireEye blog explains, “There has been a proliferation of malware specifically designed to extract payment card information from point of sale (POS) systems over the last two years. In 2015, there have already been a variety of new POS malware identified including a new Alina variant, LogPOS, FighterPOS and Punkey.”

According to the blog, “The NitlovePOS malware can capture and exfiltrate track one and track two payment card data by scanning the running processes of a compromised machine. It then sends this data to a webserver using SSL. We believe the cybercriminals assess the hosts compromised via indiscriminate spam campaigns and instruct specific victims to download the POS malware.”
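The scraping technique described above is the same pattern a defender can use in reverse: scan a memory dump or process snapshot for the ISO/IEC 7813 track formats and confirm candidate card numbers with the Luhn check, so that a host can be triaged for exposed card data. The following Python example is added here and is not FireEye's or NitlovePOS's code; the regular expressions are a generic reading of the Track 1 and Track 2 layouts, and the memory buffer is constructed for the example with test card numbers, not captured data.

```python
import re
from dataclasses import dataclass
from typing import List

# Magnetic-stripe track layouts (ISO/IEC 7813), as they appear in cleartext
# in a payment process's memory before the data is encrypted or tokenized:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
# These expressions are an assumption for the example, not a vendor signature.
TRACK1_RE = re.compile(
    rb"%B(\d{13,19})\^([A-Z ./-]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]{0,40})\?"
)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,40})\?")


@dataclass
class TrackHit:
    track: int        # 1 or 2
    pan_masked: str   # first 6 and last 4 digits only; never log the full PAN
    expiry: str       # MM/YY
    luhn_valid: bool  # False usually means a false positive (timestamp, ID, ...)
    offset: int       # byte offset in the scanned buffer


def luhn_valid(pan: str) -> bool:
    """Mod-10 check used by card numbers; filters out digit runs that merely
    look like a PAN."""
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:   # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style masking so findings can be reported without re-exposing data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> List[TrackHit]:
    """Scan a raw memory buffer for Track 1 and Track 2 records."""
    hits: List[TrackHit] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        yy, mm = m.group(3).decode(), m.group(4).decode()
        hits.append(TrackHit(1, mask_pan(pan), f"{mm}/{yy}", luhn_valid(pan), m.start()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        yy, mm = m.group(2).decode(), m.group(3).decode()
        hits.append(TrackHit(2, mask_pan(pan), f"{mm}/{yy}", luhn_valid(pan), m.start()))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample imitating a slice of process memory: two genuine-looking
# records built from publicly known test card numbers, one digit run that
# matches the Track 2 shape but fails Luhn, and some unrelated bytes.
SAMPLE_MEMORY = (
    b"\x00\x00MSR read ok\x00"
    b"%B4111111111111111^DOE/JOHN            ^25121011234500000000?"
    b"\x00\x00timestamp=20150611094512\x00"
    b";4111111111111112=25121011234567890?"   # Luhn-invalid: should be flagged
    b";5500000000000004=27051011234567890?"
    b"\x00"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

Run against a dump of a payment application (for example one taken while a test card is swiped), a clean result means the process is not holding cleartext track data where a memory scraper could read it; hits with `luhn_valid` set are the records such malware would exfiltrate.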

Nart Villeneuve, a principal threat intelligence analyst, and Daniel Regalado, a senior staff malware researcher, spotted the malware while analyzing Word documents that carried a malicious macro. “Despite the similarity, the detection levels for new variants are initially quite low. This gives the cybercriminals a window of opportunity to exploit the use of a new variant,” they wrote.

Though this particular malware does not yet appear to be widespread, POS systems are attractive targets because of the valuable payment card data they process, and the rash of malware and phishing attacks underscores the need for appropriate security controls to protect that data.