Carders operating the BackOff point of sales malware are hacking IP cameras to make sure their targets are worth attacking, says researcher Rotem Kerner says.
The research plugs a "critical" gap in a July disclosure by the US CERT, which warned the popular carder malware was being flung at businesses using remote desktop protocols.
Criminals are hacking poorly-protected security cameras to validate the identity of victim businesses, Kerner and contributors Lior Ben Porat, Uri Fleyder and Elic Marcus wrote in the RSA report.
The researchers reckon that "... in order to validate whether a targeted IP actually belongs to a business and not just an RDP service opened on a personal computer, the fraudsters had to devise a technique to validate their target before they took aggressive action."
"This technique should also be designed to allow them to operate on a large scale.
"Our assumption is that the fraudsters figured out that the combination of RDP service and cam surveillance service both exposed to the internet provides a fairly logical indication of a possible business, and therefore a proper target."
The carders used a combination of brute force login attacks against remote desktop protocols, and password guessing and vulnerability exploitation of routers and camera surveillance control panels, the team said.
Attackers appeared to be located in India according to analysis of requests made to command and control servers which revealed a web browser clock set to GMT+0530, and a new unpacked BackOff malware sample confirmed to have been developed in the country. ®