Our intelligence center researchers recently uncovered a fraud “package” being sold in underground forums that uses a remote-access Trojan to steal credit card information from a hotel point-of-sale (PoS) application. This scheme, which is focused on the hospitality industry, illustrates how criminals are planting malware on enterprise machines to collect financial information instead of targeting end users’ devices.

In this particular scenario, a remote-access Trojan program is used to infect hotel front desk computers. The malware is able to steal credit card and other customer information by capturing screenshots from the PoS application. According to the seller, the Trojan is guaranteed to be undetectable by antivirus programs.

This fraud package is being offered for $280 and includes instructions on how to set up the Trojan. The sellers even offer advice on how to use telephone social engineering techniques via voice-over-IP (VoIP) software to trick front desk managers into installing the Trojan.

To prove the effectiveness of the fraud package, the seller uses a screenshot (above) taken by the remote-access Trojan from the PoS system at one of the world’s largest hotel chains. The screenshot shows the PoS application populated with customer information gathered at check-in.

As we have mentioned in recent posts, criminals are increasingly expanding the focus of their attacks from online banking targets to enterprises. One of the reasons for this shift is that enterprise devices can yield high-value digital assets when compromised.

2014 Ponemon Study: The Economic Impact of Advanced Persistent Threats (APTs)

more from Malware

Raspberry Robin and Dridex: Two Birds of a Feather

IBM Security Managed Detection and Response (MDR) observations coupled with IBM Security X-Force malware research sheds additional light on the mysterious objectives of the operators behind the Raspberry Robin worm. Based on a comparative analysis between a downloaded Raspberry Robin DLL and a Dridex malware loader, the results show that they are similar in structure and functionality. Thus, IBM Security…

From Ramnit To Bumblebee (via NeverQuest): Similarities and Code Overlap Shed Light On Relationships Between Malware Developers

A comparative analysis performed by IBM Security X-Force uncovered evidence that suggests Bumblebee malware, which first appeared in the wild last year, was likely developed directly from source code associated with the Ramnit banking trojan. This newly discovered connection is particularly interesting as campaign activity has so far linked Bumblebee to affiliates of the threat group ITG23 (aka the Trickbot/Conti…