ScanPOS
Threat Scorecard
Threat Level: 100 % (High)
Infected Computers: 54
First Seen: November 17, 2016
Last Seen: August 1, 2021
OS(es) Affected: Windows
As the biggest shopping season of 2016 approaches (Black Friday and the weeks leading up to Christmas), PC security analysts have observed the appearance of a new POS (Point of Sale) threat that has been dubbed ScanPOS. ScanPOS has been associated with the Kronos banking Trojan. It seems that these campaigns appear every year right around the same time. Kronos is being distributed using spam email campaigns and compromised email attachments. Through these email campaigns, ScanPOS is being delivered as a secondary payload during the attack.
How the ScanPOS may be Distributed to Carry out Its Attack
The email campaigns being used to distribute ScanPOS were first observed on November 10 and November 14 of 2016, with tens of thousands of corrupted email messages targeting different economic sectors. These email campaigns had effects around the world but were mostly targeted at computer users in Canada, the United States and the United Kingdom. The emails contain either a corrupted email attachment or an embedded link that supposedly leads to a Microsoft website but is used to deliver threats to the victim's computer. The corrupted files associated with this attack abuse the macro functionality on the targeted computers to install Kronos, which in turn may result in the installation of ScanPOS and other payloads on the victim's computer. Apart from ScanPOS, PC security analysts also observed a variant of the ZeuS banking Trojan being delivered to the victims' computers by some variants in a similar attack.
The ScanPOS can Cause a Great Deal of Damage
ScanPOS is capable of collecting credit card numbers and sending them to its Command and Control server using HTTP. ScanPOS searches the memory of the processes running on the infected computer for credit card numbers. ScanPOS has a single Command and Control server that is hard coded into the threat, meaning that updating security software to include a blacklist of ScanPOS's domain can help stop these attacks. Malware analysts have analyzed the information that ScanPOS relays to its Command and Control server: it includes the collected credit card number, the process from whose memory it was taken and the user name. Preceding the ScanPOS attacks, malware analysts observed similar activity in association with email spam campaigns used to deliver threats, which were being used to disseminate ZeuS Trojan variants. PC security analysts suspect that these are all the work of a single threat actor attempting to take advantage of the increase in retail activity in the weeks leading up to Christmas.
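The two network-side checks this paragraph points to, as an added defender-side example that is not EnigmaSoft's code and not taken from ScanPOS: flag outbound HTTP to a blocklisted domain, and flag Luhn-valid card numbers leaving in cleartext HTTP. The page does not give the real Command and Control domain, so the domain, the proxy record layout and the request field names below are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Placeholder entry: the page does not name the real C2 domain.
BLOCKED_DOMAINS = {"scanpos-c2.placeholder.example"}

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return masked card-number candidates in text that pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

def triage(record):
    """Return the reasons an outbound HTTP record should be escalated."""
    reasons = []
    url = urlsplit(record["url"])
    host = (url.hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS):
        reasons.append("blocked-domain")
    if url.scheme == "http" and find_pans(record["url"] + " " + record["body"]):
        reasons.append("pan-in-cleartext-http")
    return reasons

# Constructed proxy records; 4111111111111111 is a public test number.
# Field names (d, p, u) are invented here, not ScanPOS's actual format.
SAMPLE = [
    {"src": "pos-07", "url": "http://scanpos-c2.placeholder.example/gate",
     "body": "d=4111111111111111&p=pos.exe&u=clerk"},
    {"src": "pos-07", "url": "http://updates.vendor.example/check",
     "body": "build=1234567890123456"},
    {"src": "pos-02", "url": "http://stats.other.example/in",
     "body": "v=4111 1111 1111 1111"},
]

def run():
    return [(r["src"], triage(r)) for r in SAMPLE]
```

The third record shows why the content check matters alongside the blocklist: a card number leaving for a domain that is not yet listed is still flagged.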
Protecting Computer Users and Companies from the ScanPOS Campaigns
ScanPOS and its associated threat campaign tend to target service and hospitality providers in countries where the Christmas holidays are observed. Apart from retail, the hotel and travel industries should also be on the lookout for infections with ScanPOS and banking Trojans. These threats tend to exploit seasonal changes. PC security analysts recommend that companies increase the vigilance of their POS services to ensure that their computers have not been compromised with threats like ScanPOS. Computer users should also take steps to safeguard their information and take all appropriate precautions when browsing the Web, using online banking or shopping online.
To protect yourself from banking Trojans or attacks like ScanPOS, it is essential to use a reliable security program that is regularly and fully updated. It is also important to take appropriate precautions when browsing the Web. Since ScanPOS is being delivered in spam email campaigns (as are most threats), computer users must learn to recognize spam emails and corrupted attachments.