PoS attacks in 2018

One new actor we have seen engaged in malicious activity on PoS machines in 2018 is a group we have dubbed Fleahopper. Fleahopper has been active since at least July 2017. It is a financially motivated group that appears to be monetizing its victims by stealing information from infected machines running PoS .

In the latter half of 2018, Fleahopper has been observed using the Necurs to infect victims. It does this in two ways: through Necurs bots and through spam email, likely originating from the Necurs . Symantec has observed Fleahopper delivering directly through Necurs bots, where the bots drop from Fleahopper onto machines already infected by Necurs. Machines that are not infected with Necurs may still be infected by Fleahopper through spam that comes from the Necurs botnet.

Spam emails that deliver malware from Fleahopper have been observed with malicious Microsoft .pub files attached. These .pub files download an installer for the malware used by Fleahopper, Trojan.FlawedAmmyy.

The Trojan.FlawedAmmyy RAT is a modified version of the publicly available remote access tool Ammyy Admin (Remacc.Ammyy). Although Trojan.FlawedAmmyy is not believed to be exclusive to Fleahopper, the group has been observed using Trojan.FlawedAmmyy to deliver its tools.

Once they’ve compromised an organization, Fleahopper has been observed dropping a number of files onto machines running POS software. Fleahopper installs a modified legitimate Remote Desktop Protocol (RDP) file onto infected machines running POS software. This gives Fleahopper remote desktop access to the infected machine that is separate from access through malware. Symantec has observed Fleahopper using this access.

Symantec has observed Fleahopper activity on machines in grocery stores, furniture stores, restaurants and a store selling men’s clothing. The group’s activity appears to be spread around the globe, with some activity seen targeting businesses based in the U.S. and the U.K.

Some of the other PoS malware that has been seen used by various groups in the wild in 2018 includes: RtPOS, Prilex, LusyPOS, LockPOS, GratefulPOS, and FindPOS.

Publicly reported attacks

There have been several publicly reported attacks on PoS systems in 2018:

  • RMH Franchise Holdings, an Applebee’s franchisee
  • Canadian restaurant chain Tim Horton’s
  • U.S. restaurant chain Chili’s
  • Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor (these stores have the same parent organization: Hudson’s Bay )

The compromise of Hudson’s Bay Company’s stores and Chili’s has been linked to FIN7. While these were significant compromises—the details of at least 5 million cards were compromised when the Hudson’s Bay Company stores were targeted—there have been no reports so far of PoS attacks this year affecting tens of millions of consumers.

This relative drop in activity in the PoS space compared to previous years could be down to the reasons mentioned above—the increased adoption of chip-and-PIN globally and upset in the FIN7 group. However, it may also indicate that attackers are looking at other ways to make money and get their hands on details—for example, by turning to formjacking.


We first published research on formjacking at the end of September 2018, after a spate of high-profile attacks by the Magecart group. Among Magecart’s targets were Ticketmaster UK, British Airways, Feedify, and Newegg. One of its more recent targets was British electronics kit retailer Kitronik.

Formjacking is a term we use to describe the use of malicious JavaScript code to steal credit card details and other information from payment forms on the checkout web pages of e-commerce sites. It is not a new technique, but in the latter half of 2018, it has garnered a lot of attention due to some large campaigns, many of which have been carried out by Magecart. Recently released research has claimed that Magecart is not just one group—but rather approximately seven groups that are all engaged in similar activity.

Source link


Please enter your comment!
Please enter your name here