New spam campaign includes POS exploit delivered via resumes

A number of retailers have point of sale machines that can also be used for Internet connectivity by staff. The advantage is floor workers can look up inventory and pricing of their company’s products through its Web site, helping customers find things fast.

The disadvantage is it creates another way attackers can elbow their way into the POS system and steal credit/debit card information through various means including spam. That appears to be the rationale behind an attack discovered last week by security vendor FireEye — a POS exploit hidden in a Microsoft Word document purporting to be a resume.

Dubbed NitlovePOS, the assumption is attackers are looking for sales staff — and possibly managers — who use POS terminals for cruising the ‘net. Email messages with subject lines such as “Any openings?”, “Internship”, “Job Posting” and “My Resume” include a Word document with a malicious macro. To trick the recipient into enabling the malicious macro, the document claims to be a “protected document.”

The macro tells the host computer to download a malware bundle that includes the NitlovePOS exploit, which can capture track one and track two payment card data through memory scraping and then send the data over SSL to a webserver in St. Petersburg, Russia. The malware ensures that it will run after every reboot by adding itself to the Run registry key.

It’s important to note that the malware bundle the Word macro downloads contains more than one exploit, so the campaign isn’t necessarily targeted at POS machines alone. That means any employer has to be careful handling unsolicited resumes on any PC.

But because of Nitlove, staff have to be continually reminded that a POS machine should only be used for corporate purposes.

CSOs have to ensure their organization has email attachment filtering capabilities that are up to date.
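As an illustration of the attachment filtering described above, here is an added example (not from FireEye or the original article) of a mail-gateway check that flags Word attachments carrying a VBA project and notes whether the subject matches the reported campaign lines. The function names, the heuristic for legacy .doc files and the sample message are assumptions constructed for this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines the article reports for this campaign (lower-cased).
CAMPAIGN_SUBJECTS = {"any openings?", "internship", "job posting", "my resume"}
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy binary .doc container
VBA_NAME = "VBA".encode("utf-16-le")  # storage name of a macro project

def suspicious_word_file(data: bytes) -> bool:
    """Heuristic (assumption): True if the file appears to carry a VBA project."""
    if data.startswith(OLE_MAGIC):
        # Directory entry names are UTF-16LE; may over-match, which fails closed.
        return VBA_NAME in data
    if data.startswith(b"PK"):  # OOXML (.docx/.docm) is a zip archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return True  # malformed archive: hold it rather than deliver it
    return False

def triage(raw: bytes) -> dict:
    """Verdict for one raw message; quarantine on any macro-bearing attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    flagged = [
        part.get_filename() or "<unnamed>"
        for part in msg.iter_attachments()
        if suspicious_word_file(part.get_payload(decode=True) or b"")
    ]
    return {"subject_match": subject in CAMPAIGN_SUBJECTS,
            "macro_attachments": flagged, "quarantine": bool(flagged)}

def build_sample(subject: str, with_macro: bool) -> bytes:
    """Constructed test message; the 'macro' part is placeholder bytes, not VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Please see my resume.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="resume.docm")
    return msg.as_bytes()
```

The verdict quarantines on the macro alone and reports the subject match separately, since the bundle is not limited to POS targets and subject lines are easy to change.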

In its 2015 threat report, security vendor Websense noted that macro viruses are on the rise. It identified over three million macro-embedded email attachments in just the last 30 days of 2014.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
