
A number of retailers have point of sale (POS) machines that staff can also use for Internet access. The advantage is that floor workers can look up inventory and pricing of their company’s products on its Web site, helping customers find things fast.

The disadvantage is that it creates another way for attackers to elbow their way into the POS system and steal credit/debit card information, including through spam. That appears to be the rationale behind an attack discovered last week by security vendor FireEye — a POS exploit hidden in a Microsoft Word document purporting to be a resume.

The malware, dubbed NitlovePOS, appears aimed at sales staff — and possibly managers — who use POS terminals for cruising the ’net. Email messages with subject lines such as “Any openings?”, “Internship”, “Job Posting” and “My Resume” include a Word document with a malicious macro. To trick the recipient into enabling the macro, the document claims to be a “protected document.”

The macro instructs the host computer to download a malware bundle that includes the NitlovePOS payload, which scrapes track one and track two payment card data from memory and sends it over SSL to a web server in St. Petersburg, Russia. The malware ensures that it will run after every reboot by adding itself to the Run registry key.

It’s important to note that the malware bundle the Word macro downloads contains more than one exploit, so the campaign isn’t necessarily targeted at POS machines alone. That means any employer has to be careful handling unsolicited resumes on any PC.

Because of NitlovePOS, staff have to be continually reminded that a POS machine should only be used for corporate purposes.

CSOs have to ensure their organization has email attachment filtering capabilities that are up to date.

In its 2015 threat report, security vendor Websense noted that macro viruses are on the rise. It identified over three million macro-embedded email attachments in just the last 30 days of 2014.
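The attachment filtering the article calls for comes down to one question per inbound file: does it carry a macro, regardless of what its extension claims? The following is an added illustration, not code from FireEye, Websense or the article, of that check for modern Word files. It inspects the OOXML zip container for a VBA project part, flags legacy binary OLE documents by their magic bytes for deeper inspection, and ignores the file extension entirely. The sample attachments are constructed in memory here (their names mirror the campaign’s subject lines; the contents are not real NitlovePOS samples), and the quarantine/hold/deliver decisions are assumed policy, not anything the page prescribes.

```python
import io
import zipfile

# Signature of the legacy binary Office container (.doc/.xls/.ppt as OLE compound files).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Zip entry names (lower-cased) that hold a VBA project inside OOXML documents.
MACRO_PARTS = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")


def build_ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML (zip) Word document in memory; optionally embed a VBA part.

    Constructed test data only: the 'vbaProject.bin' content is a dummy blob, not real VBA.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x01\x02 dummy vba project")
    return buf.getvalue()


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-ole' or 'unknown' for an attachment's raw bytes.

    The file name is deliberately not consulted: a macro-enabled OOXML file renamed to
    .doc still contains the VBA part, and that is what we look for.
    """
    if data.startswith(OLE_MAGIC):
        # Binary .doc: macros live in an OLE 'Macros' storage; inspecting it needs an OLE
        # parser (e.g. the olefile library), so we only report the container type here.
        return "legacy-ole"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "unknown"
        return "macro" if any(n in MACRO_PARTS for n in names) else "clean"
    return "unknown"


def filter_attachments(attachments):
    """Map each (filename, bytes) to an (action, verdict) pair.

    Assumed policy for this example: quarantine anything with a VBA project, hold legacy
    OLE files for inspection, deliver everything else.
    """
    actions = {"macro": "quarantine", "legacy-ole": "hold", "clean": "deliver", "unknown": "deliver"}
    decisions = {}
    for filename, data in attachments:
        verdict = classify_attachment(data)
        decisions[filename] = (actions[verdict], verdict)
    return decisions


# Constructed sample inbox: the names echo the campaign's subject lines, the contents are synthetic.
SAMPLES = [
    ("my_resume.doc", build_ooxml(with_macro=True)),   # OOXML with a VBA part, misleading extension
    ("internship.docx", build_ooxml(with_macro=False)),
    ("job_posting.doc", OLE_MAGIC + b"\x00" * 64),      # legacy binary container stub
]

if __name__ == "__main__":
    for name, (action, verdict) in filter_attachments(SAMPLES).items():
        print(f"{name:18} {verdict:11} -> {action}")
```

The decision is made on content, not extension, which is the point a filter must get right: renaming a macro-enabled document does not remove the VBA part. Legacy binary documents are reported rather than judged because the zip heuristic does not apply to them; in production that branch would hand the file to an OLE-aware scanner.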