ScanPOS

By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 54
First Seen: November 17, 2016
Last Seen: August 1, 2021
OS(es) Affected: Windows

As the biggest shopping season of 2016 approaches (Black Friday and the weeks leading up to Christmas), PC security analysts have observed a new POS (Point of Sale) threat, which has been dubbed ScanPOS. ScanPOS is associated with the Kronos banking Trojan: Kronos is distributed through spam email campaigns carrying malicious attachments, and ScanPOS is delivered as a secondary payload once Kronos is running on the victim's computer. Similar campaigns seem to appear every year at around the same time.

How ScanPOS may be Distributed to Carry out Its Attack

The email campaigns used to distribute ScanPOS were first observed on November 10 and November 14 of 2016, with tens of thousands of malicious email messages targeting different economic sectors. These campaigns had effects around the world but were mostly aimed at computer users in Canada, the United States and the United Kingdom. The emails contain either a malicious attachment or an embedded link that supposedly leads to a Microsoft website but is actually used to deliver threats to the victim's computer. The malicious documents abuse Office macros to install Kronos, which in turn may install ScanPOS and other payloads on the victim's computer. Apart from ScanPOS, PC security analysts also observed some variants of the same campaign delivering a variant of the ZeuS banking Trojan to victims' computers.

ScanPOS can Cause a Great Deal of Damage

ScanPOS collects payment card numbers and sends them to its Command and Control server over HTTP. It obtains the numbers by scraping the memory of the processes running on the infected computer, which is where a POS application holds card data in the clear between the card reader and the payment processor. ScanPOS has a single Command and Control server hard-coded into the threat, so blocking that domain (at the DNS resolver, proxy or firewall, or through an updated blocklist in security software) cuts off exfiltration; it does not, however, remove ScanPOS or Kronos from the infected machine. Malware analysts have examined the information ScanPOS relays to its Command and Control server: it includes the collected card number, the name of the process from whose memory it was taken, and the user name. Preceding the ScanPOS attacks, malware analysts observed similar email spam campaigns being used to disseminate ZeuS Trojan variants. PC security analysts suspect that these are all the work of a single threat actor attempting to take advantage of the increase in retail activity in the weeks leading up to Christmas.
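The core of a POS memory scraper like the one described above is a search of process memory for magnetic-stripe track data followed by a Luhn check to discard digit runs that merely look like a card number. The script below is an added illustration of that technique, written for this page; it is not ScanPOS code and is not based on the sample. The "memory snapshots" are constructed byte strings standing in for the memory of two processes, so it runs offline; a defender's hunting script that reads real process memory would use exactly the same pattern-plus-Luhn logic to confirm whether card data is resident in a POS process, and it masks the PAN in its output because a report should never carry the full number.

```python
"""Illustrative POS memory scan: find ISO 7813 track data and validate it with Luhn.

Added example for this page, not ScanPOS code. SAMPLE_SNAPSHOTS is constructed
test data standing in for the memory of two running processes.
"""
import re
from typing import Dict, List

# Track 1 (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb'%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})\d*\??')
# Track 2 (ISO 7813): ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb';?(\d{13,19})=(\d{2})(\d{2})\d{3}\d*\??')


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; filters digit runs that only resemble a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first six) and last four; never report a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(process: str, memory: bytes) -> List[dict]:
    """Scan one process's memory image for Track 1 / Track 2 data."""
    hits = []
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(memory):
            pan = m.group(1).decode("ascii")
            # Track 1 has a cardholder-name group before the expiry; Track 2 does not.
            yy, mm = (m.group(3), m.group(4)) if track == "track1" else (m.group(2), m.group(3))
            hits.append({
                "process": process,
                "track": track,
                "pan": mask_pan(pan),
                "expiry": f"{mm.decode()}/{yy.decode()}",
                "luhn_ok": luhn_valid(pan),
                "offset": m.start(),
            })
    return hits


def scan_processes(snapshots: Dict[str, bytes]) -> List[dict]:
    """Run the scan over every (process name -> memory bytes) pair."""
    findings = []
    for name, mem in snapshots.items():
        findings.extend(find_track_data(name, mem))
    return findings


# Constructed sample memory: a POS process holding two real-looking track
# records plus one that fails Luhn, and an unrelated process with noise.
SAMPLE_SNAPSHOTS: Dict[str, bytes] = {
    "pos.exe": (
        b"\x00\x00txn=0421 ;4111111111111111=25121011234567890?\x00"
        b"%B5555555555554444^DOE/JANE^2607101000000?\x00"
        b"log ;4111111111111112=2512101000000?\x00"   # last digit wrong: fails Luhn
    ),
    "explorer.exe": b"MZ\x90\x00 session=1700000000 no card data here\x00",
}


if __name__ == "__main__":
    for hit in scan_processes(SAMPLE_SNAPSHOTS):
        flag = "VALID  " if hit["luhn_ok"] else "invalid"
        print(f"{flag} {hit['process']:12} {hit['track']} {hit['pan']} "
              f"exp {hit['expiry']} @0x{hit['offset']:x}")
```

Two practical notes: the Luhn filter is what keeps the scan from flagging every 16-digit timestamp or order number, and the scraper's only real difference from a defender's hunt script is where the output goes, which is why the page's advice to block the hard-coded Command and Control domain matters as much as detecting the process scan itself.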

Protecting Computer Users and Companies from the ScanPOS Campaigns

ScanPOS and its associated threat campaign tend to target service and hospitality providers in countries where the Christmas holidays are observed. Apart from retail, the hotel and travel industries also should be on the lookout for infections with ScanPOS and banking Trojans, since these threats exploit the seasonal rise in card transactions. PC security analysts recommend that companies monitor their POS systems more closely to ensure that those computers have not been compromised by threats like ScanPOS. Computer users also should take steps to safeguard their information when shopping online and take all appropriate precautions when browsing the Web, using online banking or shopping online.

To protect yourself from banking Trojans or attacks like ScanPOS, it is essential to use a reliable security program that is kept fully updated. It is also important to take appropriate precautions when browsing the Web. Since ScanPOS is delivered through spam email campaigns (as are most threats), computer users must learn to recognize spam emails and malicious attachments, and in particular should not enable macros in documents that arrive by email.
