Operators of the Backoff POS malware are reported to have upped their game over the past year, breaking into the IP-based surveillance cameras of potential targets to judge whether the register behind a given infected machine was worth a second look.
They did this to weed out the honeypots from the jackpots: by watching through the security cameras they could check that the point-of-sale system they had compromised really sat in a working store, rather than in a decoy set up by investigators to track their movements and collect data on their operation.
According to a report from RSA's threat research team, the groups used the surveillance networks to look in on the stores they were targeting and confirm that each business was actually worth the effort in the long run.
They would spend hours poring over live and recorded footage, manually counting the cash that changed hands in a given 24-hour period, and keeping detailed logs of which employees and managers operated the register at what times of day.
“Almost every business or store has security camera surveillance since many business owners/managers wish to monitor their business and their workers, and of course, they want to be able to do so remotely.
Evidently, and certainly not accidentally, a fairly large number of the infected IP addresses had cam surveillance services exposed. Our assumption is that the fraudsters figured out that the combination of RDP service and cam surveillance service both exposed to the internet was a fairly logical indication of a possible business, and therefore a proper target.”
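The heuristic RSA describes, an internet-exposed RDP service alongside an exposed camera or DVR interface, can be turned around and used as a self-audit. The following is an added example, not code from the RSA report or the original article: it reads port-scan results for your own address space and lists the hosts an attacker using that heuristic would single out. The scan records are constructed for illustration, the one-JSON-object-per-open-port format, the camera port list and the banner strings are assumptions, and the banner matching is a heuristic rather than proof of what is listening.

```python
"""Self-audit for the RDP-plus-camera targeting heuristic.

Added example, not code from the RSA report or the original article. The scan
records below are constructed; in practice they would come from an external
scan of your own address space (masscan or nmap output converted to one JSON
object per open port, an assumed format).
"""
import json
import re

RDP_PORTS = {3389}
# Ports rarely used by anything but camera/DVR services (assumption); port 80
# is deliberately excluded, so on 80 only a banner match counts.
CAMERA_ONLY_PORTS = {554, 8000, 37777}
# Product strings seen in camera/DVR banners (assumption, not exhaustive).
CAMERA_BANNER_RE = re.compile(r"hikvision|dahua|\bdvr\b|\bnvr\b|ipcam|rtsp", re.I)

# Constructed scan output: one record per open port, masscan-like shape.
SCAN_RECORDS = """
{"ip": "203.0.113.10", "port": 3389, "banner": "Microsoft Terminal Services"}
{"ip": "203.0.113.10", "port": 8000, "banner": "Hikvision-Webs"}
{"ip": "203.0.113.11", "port": 3389, "banner": "Microsoft Terminal Services"}
{"ip": "203.0.113.11", "port": 443, "banner": "nginx"}
{"ip": "203.0.113.12", "port": 554, "banner": "RTSP/1.0 Dahua"}
{"ip": "203.0.113.13", "port": 3389, "banner": ""}
{"ip": "203.0.113.13", "port": 80, "banner": "DVR WebServer"}
{"ip": "203.0.113.14", "port": 80, "banner": "Apache/2.4"}
"""


def parse_records(text):
    """Group open-port records by host: ip -> list of (port, banner)."""
    hosts = {}
    for line in text.strip().splitlines():
        rec = json.loads(line)
        hosts.setdefault(rec["ip"], []).append((int(rec["port"]), rec.get("banner", "")))
    return hosts


def looks_like_camera(port, banner):
    """Heuristic: a known camera/DVR product string in the banner, or a port
    that is rarely used by anything but cameras and DVRs."""
    return bool(CAMERA_BANNER_RE.search(banner)) or port in CAMERA_ONLY_PORTS


def flag_targets(hosts):
    """Return the sorted list of hosts exposing both RDP and a camera-like
    service: the hosts the RSA-described heuristic would pick out, so they
    are the ones to remediate first."""
    flagged = []
    for ip, services in hosts.items():
        has_rdp = any(port in RDP_PORTS for port, _ in services)
        has_cam = any(looks_like_camera(port, banner) for port, banner in services)
        if has_rdp and has_cam:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip in flag_targets(parse_records(SCAN_RECORDS)):
        print(f"{ip}: RDP and camera interface both internet-exposed; "
              "move both behind a VPN or allow-list and enable lockout")
```

On the constructed input only 203.0.113.10 and 203.0.113.13 are flagged: the host with RDP and a plain nginx on 443 is not, and the camera-only host is not, which mirrors the combination RSA says the fraudsters were looking for. Hosts with only one of the two services still deserve attention; the point of the ranking is where to start.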
Realistically, the move makes sense. As more criminal groups find themselves pursued by researchers such as RSA's and try to stay a step ahead of the authorities, they have to be more selective, favouring smaller businesses that may either not realize they have been hacked or not have the resources to file a report after the money is already gone.
The Target and Home Depot breaches of the past year have focused a great deal of attention and resources from the whitehat community on rooting out POS malware. While such operations are still plentiful and still provide a steady income to the rings behind them, those operators have had to be more careful than ever to keep their networks running on the best targets for as long as possible before getting caught.
According to the US-CERT alert that started the investigation, the attackers got into the surveillance camera networks by the same rudimentary route used against the POS systems: brute-forcing weak credentials on remote desktop (RDP) services left exposed to the internet, a problem as old as remote login itself.
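Credential brute-forcing against RDP leaves an unmistakable trace in the Windows Security log: a burst of failed logons (event 4625) from one source address, often trying a different username each time, sometimes followed by a success (event 4624) from the same address. The following detection logic is an added example, not code from the US-CERT alert or the original article. The log lines are constructed, and their flattened format (timestamp, event ID, target user, source IP, logon type) is an assumption; logon type 10 is RemoteInteractive, i.e. an RDP session.

```python
"""Sliding-window detection of RDP credential brute-forcing.

Added example, not code from the US-CERT alert or the original article. The
events below are constructed, and the one-line-per-event format is assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window for counting failures
THRESHOLD = 5                   # failures per source IP that trigger an alert
RDP_LOGON_TYPE = 10             # RemoteInteractive

# Constructed sample: a password-guessing burst from one address, then a
# success from the same address, followed by a normal user's single typo.
SAMPLE_EVENTS = """
2014-09-01T02:00:01 4625 administrator 198.51.100.7 10
2014-09-01T02:00:03 4625 admin 198.51.100.7 10
2014-09-01T02:00:05 4625 pos 198.51.100.7 10
2014-09-01T02:00:08 4625 manager 198.51.100.7 10
2014-09-01T02:00:11 4625 cashier 198.51.100.7 10
2014-09-01T02:00:14 4625 backoffice 198.51.100.7 10
2014-09-01T02:00:20 4624 backoffice 198.51.100.7 10
2014-09-01T09:15:00 4625 jsmith 192.168.1.50 10
2014-09-01T09:15:30 4624 jsmith 192.168.1.50 10
"""


def parse_events(text):
    """Parse the assumed line format into (time, event_id, user, ip, logon_type)."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, ip, ltype = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), user, ip, int(ltype)))
    return events


def detect_rdp_bruteforce(events):
    """Return {ip: {"failures": n, "users": [...], "success_after": user|None}}
    for every source IP with THRESHOLD or more RDP logon failures inside a
    WINDOW-long sliding window. A 4624 from a flagged IP while failures are
    still inside the window is recorded as a probable compromise."""
    recent = defaultdict(deque)   # ip -> deque of (time, user) failures in window
    alerts = {}
    for ts, eid, user, ip, ltype in sorted(events):
        if ltype != RDP_LOGON_TYPE:
            continue
        q = recent[ip]
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        if eid == 4625:
            q.append((ts, user))
            if len(q) >= THRESHOLD:
                alerts[ip] = {
                    "failures": len(q),
                    "users": sorted({u for _, u in q}),
                    "success_after": alerts.get(ip, {}).get("success_after"),
                }
        elif eid == 4624 and ip in alerts and q:
            alerts[ip]["success_after"] = user
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        verdict = "PROBABLE COMPROMISE" if info["success_after"] else "brute force"
        print(f"{ip}: {verdict}, {info['failures']} failures, users {info['users']}")
```

On the constructed sample only 198.51.100.7 is flagged, with six failures across six usernames and a success as "backoffice" inside the same window; the single typo from 192.168.1.50 never reaches the threshold. Two caveats for real logs: when Network Level Authentication is enabled, failed RDP attempts are commonly recorded with logon type 3 rather than 10, so the type filter needs widening, and a spray across many low-rate source addresses will slip under a per-IP threshold, which is why keeping RDP off the internet matters more than any detection rule.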
While the threat is very real, the means to prevent it are well known but rarely applied: keep RDP and camera management interfaces off the public internet (behind a VPN or a firewall allow-list), use strong, unique credentials with account lockout, and watch for repeated failed logons. Until that basic hygiene becomes the norm among small businesses, attackers will keep using these openings on their quest to pull profits from every POS machine they can reach.