
Malware Mayhem

Our top privacy and security VPN, ExpressVPN, is always on the lookout for dangers we may face on the Internet. Recently, they reported on two malware threats that attack privacy and security. The first is a case of spy malware being deliberately loaded onto a hard drive by law enforcement. The second is a nasty variety of point-of-sale (POS) malware that is infecting cash registers across the United States.

Law Enforcement Planting Spy Malware

Three police officers approached a North Little Rock, Arkansas, attorney regarding a case of abuse by their superior officers. Attorney Matthew Campbell of Pinnacle Law Firm took the case and began corresponding with an attorney for the law enforcement agency. In early April, he received a FedEx package from this attorney containing a hard drive. The drive was supposed to contain information about the lawsuit, but it turned out to be a case of plus and minus.

On the plus side, Campbell got four extra files that he was not counting on. But extras are not always good, as he soon learned. It is a good thing that he had a hunch and followed it: he handed the hard drive to a security expert before connecting it to his computer. He was suspicious of the information sharing procedure, and information security manager Geoff Mueller proved that Campbell had every right to be. Mueller uncovered three different Trojans on the hard drive. The first, present on the drive twice, was a backdoor Trojan called Win32:Cycbot-NF, meant to give remote access to Campbell’s computer. The second was Win32:Zbot-AVH[Trj], which also creates a backdoor and steals passwords. The third was NSIS:Downloader-CC[Trj], a downloader that installs additional malware on demand. The law enforcement agency that tried to infect Campbell’s system with these Trojans, the Fort Smith police force, meant serious business.

Campbell filed an affidavit on behalf of his clients, the three police officers, claiming that the malware did not end up on the hard drive by accident. The investigation performed after the malware was discovered showed that the Fort Smith office uses an antivirus system that would have detected the Trojans. Furthermore, the malware sat in the sub-folder where the case information was saved rather than in the root directory, which shows that the files were added to the drive after the information meant for Campbell was copied onto it, not present beforehand.
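The check Campbell's security expert performed, triaging a received drive for executable payloads and recording where on the drive they sit, is something any recipient of unsolicited media can script. The following is an added example, not code from the original post or from the investigation; it uses the PE header magic "MZ" and an assumed NSIS header marker, hashes every hit, and builds its own constructed sample drive so it runs offline. Nothing on the drive is executed, only read as bytes.

```python
import hashlib
import os
import tempfile

# Markers used to spot executable payloads. "MZ" is the PE header magic;
# "NullsoftInst" is the header marker of NSIS-built installers (assumed here).
PE_MAGIC = b"MZ"
NSIS_MARKER = b"NullsoftInst"


def classify(data):
    """Return 'nsis', 'pe' or None for a file's raw bytes (no execution)."""
    if NSIS_MARKER in data:
        return "nsis"
    if data.startswith(PE_MAGIC):
        return "pe"
    return None


def triage_drive(root):
    """Walk a read-only copy of the received drive and list every executable
    payload with its hash and whether it sits below the root directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            kind = classify(data)
            if kind is None:
                continue
            rel = os.path.relpath(full, root)
            findings.append({"path": rel, "kind": kind, "in_subfolder": os.sep in rel,
                             "sha256": hashlib.sha256(data).hexdigest()})
    return sorted(findings, key=lambda f: f["path"])


def make_sample_drive():
    """Constructed sample: one case document plus two fake executables planted
    in the same sub-folder, mirroring the layout described in the article."""
    root = tempfile.mkdtemp()
    case = os.path.join(root, "case_files")
    os.makedirs(case)
    with open(os.path.join(case, "complaint.txt"), "w") as fh:
        fh.write("constructed placeholder for the case documents\n")
    with open(os.path.join(case, "update.exe"), "wb") as fh:
        fh.write(PE_MAGIC + b"\x00" * 32)                # fake PE stub, not runnable
    with open(os.path.join(case, "setup.exe"), "wb") as fh:
        fh.write(PE_MAGIC + b"\x00" * 16 + NSIS_MARKER)  # fake NSIS-style installer
    return root
```

Run `triage_drive(make_sample_drive())` to see both planted files reported with `in_subfolder` set, the detail the affidavit relied on; point it at a mounted image of real media to triage it the same way.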

What would have happened if Campbell had not been cautious about computer security? He would have been infected by insidious Trojans, breaking the bonds of attorney-client privilege. This would have severely damaged his case and his clients’ rightful claim to justice. His reputation would also have been on the line, despite the fact that he was deceived by a fellow attorney, and one working for a law enforcement agency no less. It would have been devastating, and this clear example of how far and how low some are willing to go to protect their own interests should teach us all a valuable lesson about security. We cannot leave the fate of our sensitive information up to chance, especially when we are responsible for other people’s prospects. That information can lead to very rough consequences for everyone involved.

On the minus side, Campbell was given incomplete documentation on the case. The investigation into the intentionally infected hard drive led to the further discovery that some very important files were missing. Again, this was found to be intentional: the emails had existed, but were deleted before the drive was mailed out. Campbell told the court that more than a few incriminating emails had been excluded from the collection of information crucial to the lawsuit. By law, this information is supposed to be released to the prosecuting attorney. This is clearly an example of deliberate deception aimed at destroying the prosecution’s case, but Campbell was smart enough to put security first. Now the defending law enforcement agency faces additional felony charges.

Punkey POS Malware

A new type of insidious malware called Punkey has been attacking POS terminals in retail stores in the United States. It was exposed by Trustwave, a computer security company, under a US Secret Service initiative. Trustwave has already detected a bundle of payment card information stolen from over 75 cash registers, which they pinpointed by IP address as being infected with the POS malware. They are just getting started, though, and Punkey could very well turn out to have punked a lot more people.

Trustwave was also able to get into the attackers’ command and control servers to learn about Punkey. The malware targets Windows POS systems and hides inside the explorer.exe process, where it remains dormant until the attackers are ready to use it to scrape the cash registers’ memory for payment card information. Punkey also drops a keylogger, DLLx64.dll, which captures the credentials that the infected registers use for other systems on the network and so gives the attackers access to those systems too.

Punkey exhibits some of the same characteristics as the previously discovered POS malware NewPosThings. But it has some improvements, such as three distinct versions, which suggest it has either been used by more than one cybercriminal group or has been modified to carry out specific attacks, and that in turn makes the variants more difficult to stop. It also allows attackers to install other malware that grants access to higher-level functions, which is uncommon for POS malware.

Punkey could have been easily prevented, however, by the usual means: better network and remote access security, beginning with strong passwords. Most retailers really don’t act like they care about the security of their customers’ data, and this should serve as another warning of how important it is to take responsibility for our own security. These stores are not going to help us when we get robbed. They got paid for the purchase, and they couldn’t care less if your card got hacked. The best they would do is tell you to use cash next time, because they are not responsible for card data stolen through an unfortunate error. Trustwave is more concerned, and has provided retailers with a decryption tool that shows them whether Punkey is running on their systems. The infected stores then of course have to do something about it, an effort that is not to be taken for granted. Chain stores like Target, which have far more resources, ignored the threat until it had caused more than a few headaches for customers and the company.

Filed in: News


© Best UK VPN Blog that keeps you updated. All rights reserved.