PoS attacks in 2018
One new actor we have seen engaged in malicious activity on PoS machines in 2018 is a group we have dubbed Fleahopper. Fleahopper has been active since at least July 2017. It is a financially motivated group that appears to be monetizing its victims by stealing information from infected machines running PoS software.
In the latter half of 2018, Fleahopper has been observed using the Necurs botnet to infect victims. It does this in two ways: through Necurs bots and through spam email, likely originating from the Necurs botnet. Symantec has observed Fleahopper delivering malware directly through Necurs bots, where the bots drop malware from Fleahopper onto machines already infected by Necurs. Machines that are not infected with Necurs may still be infected by Fleahopper through spam that comes from the Necurs botnet.
Spam emails that deliver malware from Fleahopper have been observed with malicious Microsoft .pub files attached. These .pub files download an installer for the malware used by Fleahopper, Trojan.FlawedAmmyy.
The Trojan.FlawedAmmyy RAT is a modified version of the publicly available remote access tool Ammyy Admin (Remacc.Ammyy). Although Trojan.FlawedAmmyy is not believed to be exclusive to Fleahopper, the group has been observed using Trojan.FlawedAmmyy to deliver its tools.
Once it has compromised an organization, Fleahopper has been observed dropping a number of files onto machines running PoS software. Fleahopper installs a modified version of a legitimate Remote Desktop Protocol (RDP) file onto infected machines running PoS software. This gives Fleahopper remote desktop access to the infected machine that is separate from the access it already has through its malware. Symantec has observed Fleahopper using this access.
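The chain described above (a .pub attachment arriving by spam, followed by an .rdp file being written to a PoS host) lends itself to a simple correlation rule. The following is an added example written for this page; it is not Symantec's code and not part of the original report. It assumes a constructed JSON-lines telemetry format with the fields ts, type, host, role, sender, attachment and path; every hostname, sender address and file path in the sample is made up for illustration.

```python
"""
Correlation over mail-gateway and endpoint file events, based on the two
observable stages of the Fleahopper chain described in the text:
  Rule A: inbound mail carrying a Microsoft Publisher (.pub) attachment.
  Rule B: an .rdp file created on a host tagged with the PoS role.
A host that triggers Rule A and then Rule B inside the window is escalated.
Event schema, hostnames, senders and paths are constructed for this example.
"""
import json
from datetime import datetime, timedelta

PUB_EXT = ".pub"
RDP_EXT = ".rdp"
WINDOW = timedelta(hours=24)  # assumed correlation window, not from the report

# Constructed sample telemetry (JSON lines). Raw string so the JSON keeps
# its escaped Windows backslashes.
SAMPLE_EVENTS = r"""
{"ts": "2018-10-02T08:14:00", "type": "mail", "host": "pos-register-03", "sender": "invoice@example-external.test", "attachment": "Order_4471.pub"}
{"ts": "2018-10-02T08:20:00", "type": "mail", "host": "hq-finance-01", "sender": "hr@example-corp.test", "attachment": "benefits.pdf"}
{"ts": "2018-10-02T09:05:00", "type": "file_create", "host": "pos-register-03", "role": "pos", "path": "C:\\Users\\Public\\remote.rdp"}
{"ts": "2018-10-02T11:40:00", "type": "file_create", "host": "hq-finance-01", "role": "workstation", "path": "C:\\Users\\bob\\Desktop\\vpn.rdp"}
{"ts": "2018-10-03T14:00:00", "type": "file_create", "host": "pos-register-07", "role": "pos", "path": "C:\\ProgramData\\pos\\terminal.rdp"}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def rule_pub_attachment(ev):
    """Rule A: mail event whose attachment is a Publisher document."""
    return ev["type"] == "mail" and ev.get("attachment", "").lower().endswith(PUB_EXT)


def rule_rdp_on_pos(ev):
    """Rule B: an .rdp file written on a host whose role is PoS."""
    return (ev["type"] == "file_create"
            and ev.get("role") == "pos"
            and ev.get("path", "").lower().endswith(RDP_EXT))


def detect(events):
    """Return alerts; a PoS host that received a .pub and then had an .rdp
    file dropped within WINDOW is escalated to high severity."""
    alerts = []
    pub_hits = {}  # host -> timestamps of .pub deliveries seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if rule_pub_attachment(ev):
            pub_hits.setdefault(ev["host"], []).append(ts)
            alerts.append({"host": ev["host"], "ts": ev["ts"],
                           "rule": "pub_attachment", "severity": "medium"})
        elif rule_rdp_on_pos(ev):
            rule, severity = "rdp_file_on_pos", "medium"
            if any(timedelta(0) <= ts - t <= WINDOW for t in pub_hits.get(ev["host"], [])):
                rule, severity = "pub_then_rdp_on_pos", "high"
            alerts.append({"host": ev["host"], "ts": ev["ts"],
                           "rule": rule, "severity": severity})
    return alerts


def run_sample():
    """Run the rules over the constructed sample telemetry."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the constructed sample this yields three alerts: a medium alert for the .pub delivery to pos-register-03, a high alert when the same host has an .rdp file written 51 minutes later, and a medium alert for the lone .rdp file on pos-register-07; the .rdp file on the finance workstation is ignored because that host is not tagged as PoS. In a real deployment the role tag would come from asset inventory, and the window should be tuned to how quickly the remote-access stage follows delivery in your own telemetry.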
Symantec has observed Fleahopper activity on machines in grocery stores, furniture stores, restaurants and a store selling men’s clothing. The group’s activity appears to be spread around the globe, with some activity seen targeting businesses based in the U.S. and the U.K.
Some of the other PoS malware that has been seen used by various groups in the wild in 2018 includes: RtPOS, Prilex, LusyPOS, LockPOS, GratefulPOS, and FindPOS.
Publicly reported attacks
There have been several publicly reported attacks on PoS systems in 2018:
- RMH Franchise Holdings, an Applebee’s franchisee
- Canadian restaurant chain Tim Horton’s
- U.S. restaurant chain Chili’s
- Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor (these stores have the same parent organization: Hudson’s Bay Company)
The compromise of Hudson’s Bay Company’s stores and Chili’s has been linked to FIN7. While these were significant compromises—the details of at least 5 million cards were compromised when the Hudson’s Bay Company stores were targeted—there have been no reports so far of PoS attacks this year affecting tens of millions of consumers.
This relative drop in activity in the PoS space compared to previous years could be down to the reasons mentioned above—the increased adoption of chip-and-PIN globally and upset in the FIN7 group. However, it may also indicate that attackers are looking at other ways to make money and get their hands on payment card details—for example, by turning to formjacking.
We first published research on formjacking at the end of September 2018, after a spate of high-profile attacks by the Magecart attack group. Among Magecart’s targets were Ticketmaster UK, British Airways, Feedify, and Newegg. One of its more recent targets was British electronics kit retailer Kitronik.