We all know that after a brilliant exclusive and brief honeymoon period, most products and technologies very quickly filter down to us the masses in some commoditised, consumerised format, are subject to subsequent cloning, copying and mass production, then die a death eclipsed by the newest greatest thing.
This is true of Formula-1 technology that finds it into your rental car which decides to turn the engine off when you are in a busy foreign city, on the wrong side of the road, lost with three kids in the back. It is true of drugs to keep you up and keep you ‘up’. It is true of TV screen technology which has to be shipped in a post-tech curved format to make it more interesting than the previous flat screen format to encourage initial ‘I’ve got a new OLED screen’ buying.
Unfortunately it is also true of the malware that infects Point Of Sale (POS) equipment.
We have reported on the Target infiltration which reaped the credit card details of millions and millions of consumers and has resulted in C level decimation. We have faithfully reported the Sony breaches, the eBay thing. All of these were a small number of huge targets, the cream of the cream.
Well bad news, it looks like the bad guys are focussing on the small time consumer by crafting malware to infect small businesses and grocery stores like the one you buy your chewy sweets etc. from and use your credit card when you don’t have enough folding. Intercrawler, a bunch of good guys looking at cyber threat intelligence has reported that cybercriminals are targeting smaller outlets with an integration of malware including POS infection and key logging on an increasingly broad scale. Their report is here: http://intelcrawler.com/news-18.
Intercrawler has identified a large botnet of infected POS machines with the mysterious name of Nemanja which Intercrawler say looks like bad guys from Serbia. At the time the report was written nearly 1500 machines were infected a number that is bound to be on the rise. These machines are world wide including the UK. The lag of small businesses to implement patching will exacerbate this issue significantly.
There is no reason to believe that regulatory controls (like, err PCI) will make a difference to this in the short term, and while the powers that be try to work out what to do and how to do it we are worried enough to urge you to use cash for these small purchases and look at your statements.
ITC will be discussing this issue with our 2-sec PCI associates around what is being done in the consumer space to combat this threat but in the mean time, please be careful.
If you would like to discuss this or any other information security or networking issue with one of our enthusiastic and knowledgable staff, please contact us on: 020 7517 3900 or email [email protected]