Malware disguised as LogMeIn DNS traffic targets point-of-sale systems
A new strain of point-of-sale (PoS) malware is disguising itself as a LogMeIn service pack to hide the theft of customer data.
On Thursday, Forcepoint researchers Robert Neumann and Luke Somerville said in a blog post that a new malware family, dubbed UDPoS, attempts to disguise itself as legitimate services to avoid detection while transferring stolen data.
A sample of the malware recently uncovered by the cybersecurity firm masquerades as a LogMeIn function. LogMeIn is a legitimate remote access system used to manage PCs and other systems remotely.
This fake 'service pack' generated "notable amounts of 'unusual' DNS requests," according to the team, and on further investigation the fake LogMeIn component turned out to be PoS malware that uses DNS queries to carry the stolen data out of the network.
Forcepoint emphasizes that the LogMeIn theme is simply camouflage for the malware's activities. The findings were disclosed to the remote-access software firm, and no evidence has been found that any LogMeIn product or service was abused.
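The "unusual DNS requests" that gave the sample away are exactly the kind of signal a defender can hunt for in resolver logs. The Python script below is an added example, not code from Forcepoint or from the report, and it does not use any indicator from the UDPoS research: it runs a few common DNS-tunnelling heuristics (query volume per client and zone, share of distinct subdomain labels, label length, and character entropy of the leftmost label) over a constructed log. The hostnames (note the reserved `.invalid` TLD), client addresses and thresholds are placeholders chosen for illustration.

```python
import math
from collections import defaultdict

# Constructed DNS resolver log (not real traffic), one query per line:
# "<timestamp> <client_ip> <qname> <qtype>".
# 10.1.5.20 is ordinary browsing, 10.1.5.22 repeatedly resolves one long but
# static CDN name, and 10.1.5.21 sends hex-encoded chunks in ever-changing
# subdomain labels to a zone it controls. All names are placeholders.
SAMPLE_LOG = """\
2018-02-08T10:00:01 10.1.5.20 www.example.com A
2018-02-08T10:00:02 10.1.5.20 mail.example.com A
2018-02-08T10:00:02 10.1.5.20 www.example.com AAAA
2018-02-08T10:00:05 10.1.5.22 static-content-server-01.cdn.example.net A
2018-02-08T10:00:06 10.1.5.22 static-content-server-01.cdn.example.net A
2018-02-08T10:00:07 10.1.5.22 static-content-server-01.cdn.example.net A
2018-02-08T10:00:08 10.1.5.22 static-content-server-01.cdn.example.net A
2018-02-08T10:00:09 10.1.5.22 static-content-server-01.cdn.example.net A
2018-02-08T10:00:10 10.1.5.22 static-content-server-01.cdn.example.net A
2018-02-08T10:00:10 10.1.5.21 0123456789abcdef0123456789abcdef.lmi-updater.invalid TXT
2018-02-08T10:00:11 10.1.5.21 fedcba9876543210fedcba9876543210.lmi-updater.invalid TXT
2018-02-08T10:00:12 10.1.5.21 02468ace13579bdf02468ace13579bdf.lmi-updater.invalid TXT
2018-02-08T10:00:13 10.1.5.21 13579bdf02468ace13579bdf02468ace.lmi-updater.invalid TXT
2018-02-08T10:00:14 10.1.5.21 0f1e2d3c4b5a69780f1e2d3c4b5a6978.lmi-updater.invalid TXT
2018-02-08T10:00:15 10.1.5.21 8796a5b4c3d2e1f08796a5b4c3d2e1f0.lmi-updater.invalid TXT
"""

# Illustrative thresholds; tune against a baseline of your own resolver logs.
FLAG_MIN_QUERIES = 5          # enough queries to one zone to matter
FLAG_MIN_DISTINCT_RATIO = 0.8 # exfil needs a new label per chunk; caches would hide repeats
FLAG_MIN_PREFIX_LEN = 16      # long leftmost labels carry payload
FLAG_MIN_ENTROPY = 3.0        # bits/char; encoded data is close to uniform


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the four-column log format above into (ts, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash on them
        ts, client, qname, qtype = parts
        records.append((ts, client, qname.rstrip(".").lower(), qtype.upper()))
    return records


def split_qname(qname):
    """Return (leftmost label, zone). The zone is approximated as the last two
    labels; a real deployment would use the public suffix list instead."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return labels[0], ".".join(labels[-2:])


def summarize(records):
    """Aggregate per (client, zone): query count, distinct-label ratio,
    mean leftmost-label length and mean label entropy."""
    groups = defaultdict(list)
    for _, client, qname, _ in records:
        prefix, zone = split_qname(qname)
        groups[(client, zone)].append(prefix)
    summaries = {}
    for key, prefixes in groups.items():
        n = len(prefixes)
        summaries[key] = {
            "queries": n,
            "distinct_ratio": len(set(prefixes)) / n,
            "mean_prefix_len": sum(len(p) for p in prefixes) / n,
            "mean_entropy": sum(shannon_entropy(p) for p in prefixes) / n,
        }
    return summaries


def flag_suspicious(summaries):
    """Return sorted (client, zone) pairs that trip every heuristic at once."""
    flagged = []
    for (client, zone), s in summaries.items():
        if (s["queries"] >= FLAG_MIN_QUERIES
                and s["distinct_ratio"] >= FLAG_MIN_DISTINCT_RATIO
                and s["mean_prefix_len"] >= FLAG_MIN_PREFIX_LEN
                and s["mean_entropy"] >= FLAG_MIN_ENTROPY):
            flagged.append((client, zone))
    return sorted(flagged)


def analyse(text):
    return flag_suspicious(summarize(parse_log(text)))


if __name__ == "__main__":
    for client, zone in analyse(SAMPLE_LOG):
        print(f"possible DNS exfiltration: {client} -> *.{zone}")
```

Requiring all four conditions together is what keeps the long but unchanging CDN name on 10.1.5.22 out of the alert: its label is long, but every query repeats it, so the distinct-label ratio stays low. In production you would also look at query type (TXT and NULL records carry more data back to the client than A records), at the share of NXDOMAIN answers, and at whether the zone's authoritative server is one a PoS terminal has any business talking to.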
PoS malware lurks in systems where payment card information is processed and potentially stored, such as in shops and restaurants. Once a point-of-sale system is infected, malware such as Dexter or BlackPOS scrapes the card data encoded on the magnetic stripe from the terminal's memory before sending it to its operator through a command and control (C&C) server.
This information can then be used to clone cards, drain bank accounts, and potentially to commit identity theft.
In 2013, US retailer Target was the victim of PoS malware; the payment card data of roughly 40 million customers was stolen, and the personal information of up to 70 million more was exposed.