Data collected from these servers suggests that the botnet is made up of 5,622 compromised computers from 119 countries. The researchers identified 60 RDP-enabled systems -- most likely POS terminals -- that have been compromised, 51 of which are based in the U.S.
"The most common username was 'administrator' (36) and the most common passwords were 'pos' (12) and 'Password1' (12)," the FireEye researchers said.
According to IntelCrawler's data, other remote access passwords frequently used on the compromised systems were aloha12345, micros, pos12345, posadmin and javapos.
"While there is insufficient information to determine attribution, there is some information which indicates that the attackers are in Eastern Europe, probably Russia or Ukraine," the FireEye researchers said.
In recent years, POS systems have become a significant target for cybercriminals. Security firm Trustwave recently reported that over a third of the data breaches the company investigated last year involved intrusions into POS terminals. Weak passwords, especially those for VPNs (virtual private networks), SSH (Secure Shell) and remote desktop connections, remained a leading cause of breaches, the company said.
Brute-forced remote access connections and stolen credentials were the primary vectors for POS intrusions in 2013, Verizon said in its own data breach investigations report in April.