14 DAY TRIAL // In a recent report, Los Angeles-based security firm IntelCrawler has revealed that cloud-POS software is vulnerable to attacks that would allow malicious actors access to customer personal identification information.
Cloud-POS software allows retail companies to synchronize POS (point-of-sale) information with a remote server. This allows merchants round the clock web-based access to the data from any device that has a web browser installed.
Apart from being cost-efficient, the advantages of a cloud-based POS system consist in instant centralization of data along with the possibility to create data and have it synchronized across all POS devices in the network.
According to IntelCrawler, a compromised cloud-based POS service permits modifications regarding gift card information. This can be anything from creating new gift cards to altering discount vouchers.
Furthermore, once they gain access to the system, cybercriminals can penetrate employee management sub-systems, which can easily lead to internal fraud.
Named POSCLOUD.Backdoor/Agent, the malicious software is equipped with spyware capabilities, which allow the criminals to steal customer information. Even if it cannot be used by them directly, there is an underground digital market for such details.
The report notes that “the extracted PII is then sold to underground identity thieves and also used for cyber espionage against large number of customers from different countries.”
POSCLOUD.Backdoor/Agent has the capability to download and unpack different modules from the command and control server in order to expand its functionality. Features identified by the security company include interception of forms and credentials “and to detect if the compromised PC has network connection with specific cloud-based POS providers.”
Additionally, the bad actors are able to collect information even if the data is encrypted, thanks to keylogging functionality. In order to do so, the operator has to be working with the software.
In a comment for SC Magazine, CEO of IntelCrawler, Andrew Komarov, says that the malware was identified after a pretty big botnet takedown and he believes it to have been developed in private circles specifically for targeting cloud-based environments in order to collect customer data, credit card information included.
There is no solid information about the identity of the group behind POSCLOUD.Backdoor/Agent, but the company speculates that they are based within the limits of the European Union.
IntelCrawler’s Cyber Threat Intelligence Team has notified the parties they identified as compromised, which consist in retailers and small businesses, and contacted global law enforcement organization, providing them a list with the infected IP addresses.