Beware of emails with subject titles like ‘Internship’ ‘My Resume’

Beware of emails with a subject like: ‘Any Jobs?’, ‘Any openings’, ‘Internship’, ‘Internship questions’, ‘Job questions’ and ‘My Resume’ as researchers have discovered a new strain of point-of-sale (POS) malware being used in a spam campaign.

The attachment, which is said to be a ‘protected document’, looks like a resume but is actually a Word document with an embedded malicious macro, the researchers said.

The researchers at FireEye Inc, a U.S.-based security company that provides automated threat forensics and dynamic malware protection against advanced threats such as advanced persistent threats and spear phishing, said that the crooks have launched an attack campaign using emails with such subject lines. The campaign is believed to have started on May 20.

The new malware, called NitlovePOS, can capture and exfiltrate both track one and track two data from payment cards by scanning the running processes of the compromised machine.

“It is just one of several pieces of POS malware that have appeared so far in 2015, which has seen the emergence of malware such as Punkey and FighterPOS,” the researchers wrote in the blog.

They said that the criminals behind the operation have been updating the payload.

FireEye has observed that the two payloads beacon to the same server from which they are downloaded, and then receive instructions to download additional malware hosted on that server.

“We focused on the ‘pos.exe’ malware and suspected that it may be targeting Point of Sale machines,” the researchers wrote in a blog.

“We speculate that once the attackers have identified a potentially interesting host from among their victims, they can then instruct the victim to download the POS malware. While we have observed many downloads of the various EXE’s [hosted] on that server, we have only observed three downloads of ‘pos.exe’,” the researchers added.

“NitlovePOS expects to be run with the ‘-’ sign as argument; otherwise it won’t perform any malicious actions,” the researchers noted. “This technique can help bypass some methods of detection, particularly those that leverage automation.”

The email carries an attachment named “CV_[4 numbers].doc” or “My_Resume_[4 numbers].doc”. If the recipient opens the attachment and enables macros, the malicious macro downloads and executes a malicious executable from 80.242.123.155/exe/dro.exe.
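As an added example (not code from the article or from FireEye), the following Python mail-gateway triage check turns the indicators quoted above into a detection: the listed subject lines, the “CV_[4 numbers].doc” / “My_Resume_[4 numbers].doc” attachment names, and the download host. The `Message` structure, the handling of Re:/Fwd: prefixes, and the quarantine rule (payload host alone, or lure subject together with a matching attachment name) are assumptions of this example; the sample messages are constructed, not real captures.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Subject lines the article lists for the campaign (compared case-insensitively).
SUSPECT_SUBJECTS = {
    "any jobs?", "any openings", "internship", "internship questions",
    "job questions", "my resume",
}

# Attachment names reported: "CV_[4 numbers].doc" or "My_Resume_[4 numbers].doc".
ATTACHMENT_RE = re.compile(r"^(?:CV|My_Resume)_\d{4}\.doc$", re.IGNORECASE)

# Download host quoted in the article; used here as a network indicator.
PAYLOAD_HOST = "80.242.123.155"

# Reply/forward prefixes stripped before the subject comparison (assumption).
PREFIX_RE = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


@dataclass
class Message:
    """Minimal view of a mail message (assumed shape). `urls` is assumed to come
    from an upstream step that extracts links from the body and macro code."""
    subject: str
    attachments: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)


def triage(msg: Message) -> List[str]:
    """Return the indicators that matched; an empty list means no match."""
    reasons: List[str] = []
    subject = PREFIX_RE.sub("", msg.subject.strip()).lower()
    if subject in SUSPECT_SUBJECTS:
        reasons.append("subject matches campaign lure")
    for name in msg.attachments:
        if ATTACHMENT_RE.match(name):
            reasons.append("attachment name matches CV_/My_Resume_ pattern: " + name)
    for url in msg.urls:
        if PAYLOAD_HOST in url:
            reasons.append("references payload host: " + url)
    return reasons


def should_quarantine(msg: Message) -> bool:
    """Quarantine rule (assumption): the payload host alone is enough; otherwise
    require lure subject plus matching attachment name. A single indicator is
    only worth logging, since these subjects also occur in legitimate mail."""
    reasons = triage(msg)
    if any(r.startswith("references payload host") for r in reasons):
        return True
    has_subject = any(r.startswith("subject") for r in reasons)
    has_attach = any(r.startswith("attachment") for r in reasons)
    return has_subject and has_attach


# Constructed sample messages (not real captures).
SAMPLES = [
    Message("Internship", ["CV_4821.doc"]),
    Message("Re: My Resume", ["My_Resume_0173.doc"], ["http://80.242.123.155/exe/dro.exe"]),
    Message("internship questions", ["cover_letter.pdf"]),
    Message("Q3 budget review", ["budget.xlsx"]),
]


def run_samples() -> Dict[str, bool]:
    """Map each sample's subject to its quarantine decision."""
    return {m.subject: should_quarantine(m) for m in SAMPLES}


if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.subject!r}: quarantine={should_quarantine(m)} reasons={triage(m)}")
```

The subject-only match is deliberately not enough to quarantine: genuine job applicants send mail with exactly these subjects, so the rule combines the lure with the attachment naming pattern or the network indicator. A defender would also log the single-indicator hits so that a change in the campaign's attachment naming is noticed.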

The researchers said that some solutions, such as NGFWs (next-generation firewalls), can help protect against point-of-sale malware.

“The main advantage that NGFW (next-generation firewalls) provides for network segmentation is that application servers and data can be designated in different segments based on their risk factors and security classifications, with access to them tightly controlled,” said Monolina Sen, ABI Research’s senior analyst in digital security, as quoted by the researchers in the blog.