PoSeidon malware targets retailers and swipes customer credit card data
Mon 23 Mar 2015
Researchers at Cisco’s Talos Security Intelligence & Research Group have discovered a new sophisticated breed of Point-of-Sale (POS) malware dubbed ‘PoSeidon’.
The malware was designed to incorporate the capabilities of other infamous malware such as the Zeus banking Trojan and BlackPOS, which were deployed in the cyberattacks on US retail giants Target and Home Depot.
The PoSeidon malware works by scraping the memory of Point-of-Sale terminals to search for card number sequences from card issuers such as Visa, MasterCard, AMEX and Discover. It then uses the Luhn algorithm to check that the credit and debit card numbers are valid.
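The issuer-prefix match followed by a Luhn check described above is also how defenders locate card numbers that have ended up in cleartext in logs or files. The sketch below is an added example, not code from Cisco's report or from the malware; the function names and the simplified prefix ranges are assumptions, and the sample lines are constructed from public test card numbers.

```python
import re

# Simplified issuer prefixes and lengths (assumption: common ranges only).
ISSUERS = {
    "Visa": re.compile(r"4\d{15}"),
    "MasterCard": re.compile(r"5[1-5]\d{14}"),
    "AMEX": re.compile(r"3[47]\d{13}"),
    "Discover": re.compile(r"(?:6011|65\d{2})\d{12}"),
}
# 15-16 digits, optionally split by single spaces or dashes, not inside a longer run.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){14,15}(?!\d)")

def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def issuer_of(digits):
    """Return the issuer name whose prefix/length pattern fits, else None."""
    return next((n for n, p in ISSUERS.items() if p.fullmatch(digits)), None)

def find_exposed_pans(lines):
    """Return (line_no, issuer, masked_pan) for each cleartext card number found."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            issuer = issuer_of(digits)
            if issuer and luhn_valid(digits):
                # Report only first six and last four digits, never the full number.
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                findings.append((line_no, issuer, masked))
    return findings

# Constructed log lines using public test card numbers, not real data.
SAMPLE_LOG = [
    "10:01:02 txn=1001 pan=4111111111111111 amt=12.50",     # Visa test number
    "10:01:09 txn=1002 pan=4111111111111112 amt=3.00",      # fails Luhn
    "10:02:11 txn=1003 track=3782-822463-10005 status=ok",  # AMEX, dashed
    "10:03:00 order_id=1234567890123456 shipped",           # no issuer prefix
    "10:04:27 txn=1004 pan=6011 1111 1111 1117 declined",   # Discover, spaced
]

if __name__ == "__main__":
    for finding in find_exposed_pans(SAMPLE_LOG):
        print(finding)
```

The Luhn step is what keeps order IDs and other long digit runs out of the findings; a hit in a log or file share means card data is being stored unmasked and needs remediation.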
According to the researchers, these credit card details are then placed across Russian (.ru) domains for harvesting and resale in underground black markets. A number of these domains have been listed as:
Cisco explained the following in a blog post on Friday: “PoSeidon is another in the growing number of malware targeting POS systems that demonstrate the sophisticated techniques and approaches of malware authors […] Attackers will continue to target POS systems and employ various obfuscation techniques in an attempt to avoid detection. As long as POS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families.”
PoSeidon uses a Loader binary that maintains persistence on the targeted terminals and can therefore survive reboots and user logouts. A FindStr binary is then downloaded, which installs the Keylogger component to scan the POS machine’s memory for credit card data.
The researchers warn that network administrators must stay alert and adhere to industry best practice to avoid putting themselves at risk from POS malware attacks.
“Given the dynamic threat landscape, we advocate [a] threat-centric and operationalised approach that implements protections across the extended network – and across the full attack continuum – before, during, and after an attack,” the researchers concluded.