BriansClub & PoS Malware Attacks: How Threat Intelligence Solutions Help Prevent Payment Card Theft

By Threat Intelligence Platform (TIP)
Threat Intelligence Platform (TIP)

BriansClub[.]at, an underground website that peddles stolen payment card data, was reportedly hacked. Here's what we know of the breach based on an initial report:

The most common method by which PoS malware infects hosts is through insider threats and phishing. A knowledgeable employee may install the malware on card-reading machines or retrieve higher-ups' access credentials by guessing username-and-password combinations.

Meanwhile, targeted attacks may employ the use of social engineering tactics to trick email recipients into downloading the PoS malware onto their computers. So say you (or someone you work with) receive an email with a suspicious attachment and you want to assess the sender's integrity. Let us show how you could go about it.

Our Investigative Tools: Threat Intelligence Platform and Others

A primary example of a PoS malware is NitlovePOS, which has been distributed via spoofed Yahoo! Mail accounts. Messages associated with this malware dupe users into opening a Microsoft Word attachment that downloads NitlovePOS onto devices.

Knowing that, it may be best for users to check if any of the email addresses attempting to interact with any of their employees is valid. They can use an email verification API for that.

Reminding users not to open documents attached to emails sent by unknown senders is also critical as the simple act of opening a malicious document can drop NitlovePOS on their computers. Outright blocking of attachments with macros can also be enforced throughout the network.

Looking at publicly available reports can also help establishments beef up their cybersecurity posture. Take a look at a sample step-by-step account of how we carried out a risk assessment given that we do not have information on the email addresses used in the attack:

  1. We learned from a report that the malware had three command-and-control (C&C;) servers —,, and From Virus Total, we found from a third party that all three seem to resolve to the same IP address — We ran a Threat Intelligence Platform (TIP) query on it and found that it was owned by G-Core Labs S.A.
  2. We ran a reverse WHOIS search on the organization and found 14 domains whose records contained it.
  3. Although the TIP checks on each of these domains did not reveal ties to malware, some of them had minor warnings such as open ports and missing SSL certificates. Exposed ports can be easily exploited by cyber attackers. It is also interesting to note that a lot of the domains seem to be related to a massive multiplayer online (MMO) game called "World of Tanks." Players should be wary as well, especially if they are using computers connected to the same network as PoS devices or systems.

The quick exercise above shows how crucial it is to uncover if the domains that are trying to interact with your network are secure or not. While not all investigations would instantly reveal ties to malicious activity, it doesn't hurt to exercise due diligence.

To further bolster security, companies must ensure that the customer data they keep is encrypted according to industry standards. Retail operations and banks should also enforce stricter access controls and code-signing certificates before processing card transactions. Lastly, IT teams should deploy patches to vulnerable PoS systems regularly to prevent exploitation.

* * *

Cyberthreats can come from all fronts. Often, parties who fall victim to attacks failed to secure their data operations despite having ample resources to do so. Still, the best way to avoid the repercussions of compromised card data is to prevent them in the first place. Security solutions such as Threat Intelligence Platform (TIP) and other domain research and monitoring tools empower organizations to stay ahead of cyber risks before these become a huge problem.

Related topics: Cyberattack, Cybercrime, Cybersecurity, Malware