Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
thnSwati KhandelwalTHN:92AB21C1A155175A42E8CA6990167657
HistoryMar 22, 2015 - 9:25 p.m.

New "PoSeidon" Point of Sale Malware Spotted in the Wild

2015-03-2221:25:00
Swati Khandelwal
thehackernews.com
12
JSON

PoSeidon-point-of-sale-malware

A new and terribly awful breed of**_ Point-of-Sale (POS) malware _**has been spotted in the wild by the security researchers at Cisco’s Talos Security Intelligence & Research Group that the team says is more sophisticated and nasty than previously seen Point of Sale malware.

The Point-of-Sale malware, dubbed “PoSeidon”, is designed in a way that it has the capabilities of both the infamous**Zeus banking TrojanandBlackPOS malware** which robbed Millions from US giant retailers, Target in 2013 and Home Depot in 2014.

PoSeidon malware scrapes memory from Point of Sale terminals to search for card number sequences of principal card issuers like Visa, MasterCard, AMEX and Discover, and goes on using the**Luhn algorithm **to verify that credit or debit card numbers are valid.

The malware then siphon the captured credit card data off to **_Russian (.ru) domains _**for harvesting and likely resale, the researchers say.

> _“PoSeidon is another in the growing number of malware targeting POS systems that demonstrate the sophisticated techniques and approaches of malware authors,” _researchers of Cisco’s Security Solutions team wrote in a blog post.
“Attackers will continue to target POS systems and employ various obfuscation techniques in an attempt to avoid detection. As long as POS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families.”

The components of PoSeidon are illustrated in the diagram above.

Poseidon Point of Sale malware comprises of a Loader binary that maintains persistence on the target machine in an attempt to survive reboots and user logouts. The Loader then receives other components from the command and control servers.

A subsequently downloaded binary FindStrinstalls a Keyloggercomponent which scans the memory of the PoS device for credit card number sequences.

The identified numbers are verified using the Luhn algorithm and then encrypted and sent to one of the given exfiltration servers, majority of which belongs to Russian domains:

In past few years, a number of Point of Sale malware has been spotted in the United States, collecting users’ credit card magnetic stripe data, and selling them in underground black markets.

Network administrators should remain vigilant and must adhere to industry best practices so that they can protect themselves against advancing Point of Sale malware threats, the researchers say.

JSON