Point-of-sale malware evolves to target travellers

Evolutions to the NewPosThings malware family suggest travellers are its new target, according to security researchers.

NewPosThings was uncovered last September by Arbor Networks, which said it uses memory scraping processes to find credit card data on point of sale (PoS) systems, before sending the information back to a central server.

Last week, Trend Micro blogger Jay Yaneza said the company had traced suspicious traffic back to two unnamed US airports.

Yaneza revealed that recent malware attempts to connect to NewPosThings' control hub were linked to IP addresses associated with the unnamed airports.

Combined with reports last month of a credit card breach at Los Angeles International Airport (LAX), he argued there appeared to be a trend towards PoS attackers targeting travellers.

“No matter which country, airports represent one of the busiest establishments, where there are transactions being made all year round,” he wrote.

“This further reinforces the fact that PoS malware, and the threat actors behind it, may have ... matured to branch out to targets other than large retailers or small merchants.”

Trend Micro also found variants of the malware that targeted 64-bit Windows systems and higher, as opposed to earlier iterations of NewPosThings that were compatible with 32-bit versions.

“Similar to the previous 32-bit version reported last year, the 64-bit sample is a multifunction Trojan that includes added functionalities and routines,” Yaneza wrote.

“These include RAM scraper capabilities, keylogging routines, dumping virtual network computing (VNC) passwords, and information gathering.”

In recent months, researchers have detected other noticeable changes in the malware, including that the latest variant of NewPosThings, version 3.0, disables security warnings on systems and uses custom packers with added anti-debugging methods. 

Christopher Budd, global threat communications manager at Trend Micro, said  “in a post-Target world, anything that takes a credit card is going to be something that attackers are going to look at” as a possible attack vector.

Cybercriminals also take advantage of the fact that many consumers “suffer from idea compartmentalisation,” not considering that card terminals at the last airport they travelled through, may be just as appealing, if not more, to credit card data thieves as those belonging to big box retailers.

“That's why PoS attacks are so viable right now, because from an attacker's point of view, [these avenues] are nearly as attractive as PCs,” Budd said.