Hotel Front Desk Systems Targeted with Malware
Recent reports highlight the growing specialization of malware. Rather than taking a shotgun approach, malware authors are targeting specific environments for the greatest impact. Trusteer, a browser security vendor, found an advertisement on a black market forum for custom malware designed to infect hotel front desk computers and steal customer credit card data.
Hello all, I’m offering Hotel RATs. In other words: A virtual skimmer.
The benefit of a Hotel RAT (Remote Access Trojan) connection is an infected front desk computer on which the hotel has its software that reads the number on the cc and spits out the information on the screen, and it's keyloggable if you keylog every stroke.
I'm offering this method for $280, with guaranteed US/Canada/UK connections and a method for obtaining them on your own, from showing you how to set up your RAT (which includes a free crypt, fully undetectable to all antiviruses) to selling you the tutorial on how to social engineer/manipulate the front desk manager on the phone via VoIP.
I can prove my legitimacy and the accuracy of this method. PM me if you are interested.
My view:
Much has been made of the author's claim to bypass all anti-virus products, as if this were a new and alarming chapter in the ongoing cyberwar. In truth, bypassing AV is neither new nor particularly difficult; PSC regularly bypasses all modern AV engines in the course of our penetration tests. Anti-virus and malware detection should be considered only one layer of a multi-layered approach to system hardening and protection.
Ideally, Point of Sale (POS) systems should be dedicated machines with no additional functionality. Reducing the attack surface is critical: adding web browsing, email, and other software only increases the number of attack vectors and the risk to customer data. If the systems must serve multiple purposes, consider the following controls to limit your exposure:
Application Whitelisting, such as with Bit9's Parity (http://www.bit9.com/products/index.php), limits what software can execute on the POS systems. It is particularly relevant to this attack, which depends on talking a front desk employee into running the RAT: an executable that is not on the approved list will not run, however persuasive the caller is.
If web browsing is critical, Browser Sandboxing/Virtualization from vendors such as Invincea (http://www.invincea.com/the-comprehensive-solution/) or Trusteer (http://www.trusteer.com/product/trusteer-rapport) can keep malware launched through the browser from reaching the operating system.
Finally, Full Disk Encryption is necessary to prevent a local user from booting the machine from other media and disabling the other controls offline. McAfee Endpoint Encryption (http://www.mcafee.com/us/products/data-protection/endpoint-encryption.aspx) for the enterprise or TrueCrypt system encryption (http://www.truecrypt.org/docs/?s=system-encryption) for smaller environments are possible solutions.
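None of the preventive controls above will reveal a keylogger that has already slipped past them, so the multi-layered approach should also include detection that does not depend on recognizing the malware: the data this RAT is after has a recognizable shape. The Python script below is added here as an illustration and is not part of the original post or of any vendor product. It scans constructed keylogger-style capture lines (the log format and window titles are assumptions; the card numbers are the standard Visa and Mastercard test PANs) for Luhn-valid 13 to 19 digit card numbers and reports each hit with the number masked to the first six and last four digits, which is the most that PCI DSS allows to be displayed. The same check can be run over outbound traffic or files on a POS host, and the masking rule is the one the front desk software itself should apply before putting a card number on the screen.

```python
import re

# Constructed sample of what a keylogger on a front-desk machine might record
# (hypothetical lines, not a real capture). The log layout and window titles
# are assumptions; the card numbers are the public Visa/Mastercard test PANs.
SAMPLE_KEYLOG = """\
[09:12:03] WINDOW="Front Desk - Check In" KEYS="Smith, John<TAB>2 nights<ENTER>"
[09:12:41] WINDOW="Front Desk - Payment" KEYS="4111111111111111<TAB>1226<TAB>123<ENTER>"
[09:13:10] WINDOW="Front Desk - Payment" KEYS="4111 1111 1111 1112<ENTER>"
[09:14:55] WINDOW="Outlook" KEYS="Ref 1234567890123 confirmed<ENTER>"
[09:15:20] WINDOW="Front Desk - Payment" KEYS="5500 0000 0000 0004<TAB>0127<ENTER>"
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# part of a longer digit run (the lookarounds reject runs that are too long).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PANs (separators stripped) in the order found."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS display mask)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_keylog(text: str) -> list[dict]:
    """One finding per log line that carries a valid PAN, with the PAN masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        pans = find_pans(line)
        if pans:
            window = re.search(r'WINDOW="([^"]*)"', line)
            findings.append({
                "line": lineno,
                "window": window.group(1) if window else "",
                "pans": [mask_pan(p) for p in pans],
            })
    return findings


if __name__ == "__main__":
    for f in scan_keylog(SAMPLE_KEYLOG):
        print(f"line {f['line']}: {f['window']!r} -> {', '.join(f['pans'])}")
```

The Luhn check is what keeps this useful in practice: in the sample, the 13-digit reference number and the mistyped card number are rejected while the two genuine test PANs are reported, so the scan is not simply an alert on every long run of digits. A hit in a window that is not the payment screen, or in data leaving the host, is the signal worth investigating.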
The final, and perhaps most critical, security control is user education. The malware author makes a point of selling a social engineering tutorial because without it his software is useless: the RAT only reaches the front desk computer if someone there can be talked into running it. Malware takes advantage of a user's inattention and lack of training. Train your end users to be suspicious, and to verify the identity of whoever is sending them emails, files, or instructions over the phone before acting on them.