Cisco Discovers “PoSeidon” POS Malware
Researchers at Cisco’s Talos Security Intelligence and Research Group have discovered a dangerous new form of point-of-sale (POS) malware dubbed “PoSeidon”. The malware builds upon previous trojans like ZeuS and BlackPOS, which affected retail stores like Target and Home Depot. Many credit card terminals run legacy versions of Windows, which leaves them vulnerable to all sorts of malware, and with new threats like PoSeidon, even newer terminals are at risk.
PoSeidon – A Nightmare for Both Customers and Merchants
PoSeidon is an alarmingly sophisticated piece of software that relies on outdated and insecure technologies like credit card magnetic stripes. Information stored on a magnetic stripe can easily be encoded onto a new magnetic stripe on a fake credit card. Underground stolen credit card markets thrive in the U.S. due to America’s reliance on magnetic stripe cards. Chip-based “EMV” cards are much harder to clone and are common in many countries outside North America.
The PoSeidon malware starts by injecting a “Loader” that maintains persistence on the POS terminal, so PoSeidon survives even if the terminal is rebooted. Next, the malware contacts an external server to download a keylogger called “FindStr”. FindStr scrapes the terminal’s memory for digit sequences that could be credit card numbers, then applies the Luhn algorithm to decide whether each sequence is, in fact, credit card data. Anything that fails the check is filtered out before the data is sent to external servers of Russian origin. From that point, the stolen credit card data is likely sold in various black markets.
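The Luhn check the article mentions is a plain mod-10 checksum, and it is the same filter that data-loss-prevention scanners and PCI log reviews use to flag card numbers in outbound traffic or log files. The following is an added example written for this page; it is not Cisco’s code and not anything from PoSeidon. The sample text, the regular expression and the function names are constructed for illustration, and the card-like values in it are the publicly documented test numbers (they pass Luhn but are not real accounts). It shows why the checksum is useful as a filter: a ten-digit phone number and a sixteen-digit sequential ID are rejected, while the three test numbers are kept and can then be masked before a log is stored or shipped.

```python
import re

# Constructed sample: a chunk of text the way a log-review or DLP script
# might see it. The three card-like values are standard test numbers
# (Luhn-valid, not real accounts); the other numbers are not card data.
SAMPLE_TEXT = (
    "order=12345 pan=4111111111111111 exp=1226 "
    "phone=5551234567 track=5500000000000004 "
    "id=1234567890123456 ref=378282246310005"
)

# Digit runs of card-number length (13-19 digits) not embedded in a longer run.
CANDIDATE_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 when the doubled value has two digits.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_candidate_pans(text: str) -> list[str]:
    """Return the digit runs that have card-number length AND pass Luhn."""
    return [m.group(0) for m in CANDIDATE_RE.finditer(text)
            if luhn_valid(m.group(0))]


def mask_pans(text: str) -> str:
    """Replace every Luhn-valid candidate with a masked form keeping the last four digits."""
    def _repl(m: re.Match) -> str:
        s = m.group(0)
        return "*" * (len(s) - 4) + s[-4:] if luhn_valid(s) else s
    return CANDIDATE_RE.sub(_repl, text)


if __name__ == "__main__":
    print("candidates:", find_candidate_pans(SAMPLE_TEXT))
    print("masked:    ", mask_pans(SAMPLE_TEXT))
```

Luhn is only a checksum, so a scanner built this way will still flag some order or transaction IDs that happen to satisfy it; that is why DLP tooling usually combines the check with issuer prefix ranges and context, and why masking rather than deleting matches keeps a reviewable trail.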
“PoSeidon is another in the growing number of Point-of-Sale malware targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors,” says Cisco. The company encourages network administrators to consider best security practices to prevent large-scale infections due to malware like PoSeidon.
“As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families.”