Behind Point of Sale (PoS) attacks

In this previous article we showed how cybercriminals were trying to infect PoS devices with Dexter malware through pcAnywhere service, port 5631.

Now, what we want is to analyze the geolocation of more than a million IPs affected by this attack that appear in the following picture.

If we focus on USA, we can see with greater detail the affected zones that include California, New York, Massachusetts and Toronto (Canada).

In Europe the most affected countries are France, Switzerland, UK, Belgium and Croatia. In this map we can also observe that Kuwait has been targeted too.

Finally, if we take a deeper look into Asia we will see that the main targets were Shanghai, Hong Kong, Beijing, Tokyo and the country of Malaysia.


Attacks to Point of Sale devices have become very common and widely extended worldwide. As you may notice from the above pictures, most of the targeted victims are cities and states with big malls, hotels, restaurants and gas stations. This makes sense since they are more suitable for this kind of malware which has as a main goal to steal the tracks – information of the magnetic stripe – of the credit cards.

This post wants to show how easy it is to infect a lot of different victims from different countries using just a single computer.

In this case the infection does not come from a typical malware infection (email, drive-by-download, USB,…) but it is due to a misconfiguration of a security service, pcAnywhere in this case.

Xavier Galian.

Ecrime analyst at Blueliv

Dark Commerce

Exploring the cybercrime industry and its business models: part 1

Read free report
Demo Free Trial MSSP