Four face prison for massive credit card fraud

Three of the defendants are currently under arrest, while one remains at large. According to the announcement, they are charged with having “conspired to remotely hack into more than 200 US-based merchants’ point-of-sale (POS) or ‘checkout’ computer systems in order to steal customers’ credit, debit and gift card numbers and associated data (collectively referred to as credit card data).”

It was an effective conspiracy, apparently compromising the credit card details of more than 80,000 customers and leading to millions of dollars of unauthorized purchases.

Although not confirmed, the Romanians could have used the Morto worm exploiting the Remote Desktop Protocol (RDP). F-Secure’s Mikko Hypponen warned about this back in August (Windows Remote Desktop Worm "Morto" Spreading).

“Computers infected with the worm scan the local area network for any other computer that is using RDP and can therefore be controlled remotely,” explains Andrew Mason, the founder of vulnerability scanning firm RandomStorm. “Once a server is detected, the worm automatically tries common and default passwords to gain administrator access to the server.”

Mason believes that this should be a wake-up call to all retail organizations. “This should encourage all POS server administrators to change passwords and make their systems more secure by adding lock out policies that will block the administrator after three failed password attempts.”

He stresses that organizations should never reuse default or commonly used passwords on servers and remote access applications. “We see this as a massive issue on the vulnerability scans that we carry out for merchants. We enumerate weak passwords that are then reused for domain access logins or enterprise application access, enabling access to confidential information. We have used this method time and time again to demonstrate security vulnerabilities to our clients,” warns Mason.
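The lockout advice above, as an added example that is not from the article or from RandomStorm: it replays constructed logon records under a three-failure lockout and reports which attempts the policy would have refused and which account and source pairs deserve an alert. The record layout, the addresses and the 30-minute window and lockout duration are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): time, Windows event ID, account, source.
# Event 4625 is a failed logon, 4624 a successful one.
SAMPLE = """\
2011-08-28T02:00:01 4625 administrator 10.0.0.57
2011-08-28T02:00:02 4625 administrator 10.0.0.57
2011-08-28T02:00:03 4625 administrator 10.0.0.57
2011-08-28T02:00:04 4625 administrator 10.0.0.57
2011-08-28T02:00:05 4625 administrator 10.0.0.57
2011-08-28T02:00:06 4624 administrator 10.0.0.57
2011-08-28T08:59:40 4625 jsmith 10.0.0.12
2011-08-28T09:00:05 4624 jsmith 10.0.0.12
"""

THRESHOLD = 3                     # failed attempts before lockout, as in the advice above
WINDOW = timedelta(minutes=30)    # assumed period over which failures are counted
LOCKOUT = timedelta(minutes=30)   # assumed lockout duration

def parse(text):
    """Yield (time, event_id, account, source) from the assumed record layout."""
    for line in text.splitlines():
        ts, event_id, account, source = line.split()
        yield datetime.fromisoformat(ts), int(event_id), account.lower(), source

def replay(text, threshold=THRESHOLD):
    """Replay logon events under a lockout policy.

    Returns (blocked, alerts): the logons the policy would have refused,
    and the (account, source) pairs involved in a lockout.
    """
    failures = defaultdict(list)  # account -> times of recent failed logons
    locked_until = {}             # account -> time the lockout expires
    blocked, alerts = [], set()
    for ts, event_id, account, source in parse(text):
        if account in locked_until and ts < locked_until[account]:
            blocked.append((ts, event_id, account, source))
            alerts.add((account, source))
        elif event_id == 4624:
            failures[account].clear()          # a good logon resets the counter
        elif event_id == 4625:
            recent = [t for t in failures[account] if ts - t <= WINDOW] + [ts]
            failures[account] = recent
            if len(recent) >= threshold:       # threshold reached: lock the account
                locked_until[account] = ts + LOCKOUT
                alerts.add((account, source))
                failures[account].clear()
    return blocked, alerts
```

In the constructed data the sixth attempt is a correct guess; with the three-failure threshold it falls inside the lockout and is refused, while the single mistyped password from `jsmith` never triggers anything.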
