A new malware botnet is using thousands of compromised computers to launch attacks on point-of-sale systems with the intent to steal card data, says a warning from security company FireEye.

The emergence of this brute force malware technique confirms that such attacks against small merchants in the U.S. will intensify, security experts say.

The BrutPOS botnet scans specific Internet protocol address ranges for remote desktop protocol servers that have weak or default passwords, FireEye says in a blog.

After discovering the botnet and its control servers, FireEye found that the criminals behind the malware had managed to access 60 point-of-sale systems during a two-week period through weak user names such as "administrator" and passwords as simple as "pos" or "password1."

Milpitas, Calif.-based FireEye calls these types of standard attacks against weak passwords for remote administration "a significant threat."

While breaches of retailers' systems garner much attention in the payments industry and the public eye, not enough attention goes to the fact that a third of those breaches occur because the business keeps using a weak default password in the remote administration software that vendors typically install, FireEye says.

"The criminals want to know what ports to look at to determine which ones are transferring payments data," says Al Pascual, senior analyst for Javelin Strategy & Research. "But what they want to get are machines that allow some kind of remote access."

Once they have entered computers with remote access, they use the brute force malware to attack commonly used login credentials, Pascual says.

"It basically automates the whole process and it doesn't take any effort on the part of the criminal because it's a set-it and forget-it system," he adds.
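The pattern described above, many failed remote desktop logons from one source followed by a success, is what a defender can look for in authentication logs. The following detector is an added example, not code from FireEye or from the article; the log format, host name, timestamps and IP addresses are constructed for illustration (documentation address ranges), and the threshold and window are assumptions a deployment would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines from a hypothetical RDP gateway (not real data).
# One source fails five times and then succeeds with "administrator"; another
# fails once and then succeeds; a third simply logs in during business hours.
SAMPLE_LOG = """\
2014-07-01T02:00:01 rdp-gw logon=FAILURE src=198.51.100.7 user=administrator
2014-07-01T02:00:03 rdp-gw logon=FAILURE src=198.51.100.7 user=administrator
2014-07-01T02:00:05 rdp-gw logon=FAILURE src=198.51.100.7 user=administrator
2014-07-01T02:00:07 rdp-gw logon=FAILURE src=198.51.100.7 user=administrator
2014-07-01T02:00:09 rdp-gw logon=FAILURE src=198.51.100.7 user=administrator
2014-07-01T02:00:11 rdp-gw logon=SUCCESS src=198.51.100.7 user=administrator
2014-07-01T02:30:00 rdp-gw logon=FAILURE src=203.0.113.44 user=pos
2014-07-01T02:30:00 rdp-gw logon=SUCCESS src=203.0.113.44 user=pos
2014-07-01T09:15:00 rdp-gw logon=SUCCESS src=192.0.2.10 user=clerk
"""

# Assumed line layout: "<iso timestamp> <host> logon=<RESULT> src=<ip> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ logon=(?P<result>SUCCESS|FAILURE) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse(log_text):
    """Turn raw log text into (timestamp, source_ip, user, succeeded) tuples.
    Malformed lines are skipped so one bad record cannot stop the detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(
            (datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"] == "SUCCESS")
        )
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window detector.

    Emits ("brute_force", src) the first time a source accumulates `threshold`
    failures inside `window`, and ("success_after_failures", src, user) when a
    successful logon later arrives from a source that was already flagged. The
    second alert is the one worth paging on: it is the point at which a guessed
    default credential has actually opened a session.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = set()
    # Stable sort by time keeps file order for records sharing a timestamp.
    for ts, src, user, ok in sorted(events, key=lambda e: e[0]):
        q = recent_failures[src]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if not ok:
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src))
        elif src in flagged:
            alerts.append(("success_after_failures", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(parse(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this raises two alerts for 198.51.100.7 and none for the other sources: the single failure from 203.0.113.44 stays under the threshold, which is the trade-off between catching slow, low-volume guessing and drowning the on-call in typo alerts. Raising the threshold to six silences the sample entirely, so the window and threshold should be set from a baseline of the site's normal failed-logon rate.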

These types of botnets aren't likely to result in a major breach such as Target's 2013 holiday season incident, but they do give criminals access to "the low-hanging fruit" of the millions of small business point-of-sale systems in the country, Pascual says.

Past research has shown that even before the Target incident, criminals were picking up their attacks on smaller merchants, says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.

"Now, in the wake of Target, that almost hurts your [security] cause with the small merchants because it kind of reinforces some of their belief that it is a problem for larger retailers," Conroy says.

BrutPOS may not be any more frightening than other botnets trying to infiltrate computers, but it's another tool for criminals and illustrates how effective they are at developing and sharing new malware strains, Conroy says.

Both Conroy and Pascual say the Verizon 2014 PCI Compliance Report shows merchants are making progress, but have a long way to go to resolve some basic security issues.

Verizon says only 11.1% of the hundreds of companies it assessed worldwide met all of the PCI requirements in 2013, but that represents an increase of 3.6% over 2012. The number of companies compliant with at least 80% of the PCI controls increased to 82% in 2013, a significant jump from just 32% in 2012.

However, only 51% of companies met all of the demands of the PCI requirement not allowing use of a vendor's default password or security parameters. Verizon's investigations revealed that only 38.8% of organizations suffering breaches between 2011 and 2013 were following the no-default-password requirement.

The push to EMV chip-based smart cards in the U.S. over the next few years will provide opportunities for acquirers to educate small merchants about security weaknesses, but they should all operate under a basic premise, Conroy says.

"Merchants of all sizes just need to assume they will be breached and approach their security with that assumption," she adds. "A breach can put a small merchant out of business."
