Sophisticated new breed of Point-of-Sale malware discovered

PoSeidon is the Greek god of the sea, but it’s now also the name of a dangerous Point-of-Sale (PoS) malware. This troubling threat is armed with the tools of the famous Zeus banking Trojan and the BlackPOS malware, which wreaked havoc a few years ago when they were used to rob millions of dollars from large firms and retailers in the US, including Home Depot. This fresh variant, discovered by researchers on Cisco’s security team, is reportedly more sophisticated than previously detected PoS malware.

Elusive malware steals customers’ credit card info, and more

When a consumer pays a retailer with a credit or debit card, a PoS system reads the information stored on the magnetic stripe on the back of the card. PoSeidon seeks to extract that card data: it searches the computer’s memory for credit/debit card number sequences and matches them against the known formats of Visa, Mastercard, AMEX and Discover. It then uses the Luhn algorithm to check whether a captured sequence is a valid card number. How PoSeidon works is illustrated in this diagram.
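The same two checks the paragraph describes, format matching and the Luhn checksum, are exactly what a defender’s data-loss-prevention scan uses to tell a real card number from a random run of digits in a log or memory dump. The following is an added example written for this page, not code from Cisco or from the malware; the issuer prefix and length rules are the commonly published ones but deliberately simplified, and the log lines are constructed, using the well-known issuer test numbers rather than real cards.

```python
import re

def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit;
    # a doubled digit above 9 has 9 subtracted (equivalent to summing its digits).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def issuer(digits):
    """Classify a digit string by issuer prefix and length (simplified rules, an assumption)."""
    n = len(digits)
    two, three, four = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "Mastercard"
    if n == 15 and two in (34, 37):
        return "AMEX"
    if n == 16 and (four == 6011 or two == 65 or 644 <= three <= 649):
        return "Discover"
    return None

# 13 to 19 digits, optionally separated by spaces or dashes, not adjacent to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

def mask(digits):
    """Keep only the last four digits so alerts never carry a full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_card_numbers(text):
    """Return (issuer, masked PAN) for every Luhn-valid, issuer-matching sequence in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            brand = issuer(digits)
            if brand:
                hits.append((brand, mask(digits)))
    return hits

# Constructed sample log; the card numbers are public issuer test numbers, not real cards.
SAMPLE_LOG = """\
2015-03-24 10:01:05 POS01 sale txn=8812 pan=4111111111111111 amount=42.10
2015-03-24 10:01:09 POS01 debug buffer 5555 5555 5555 4444 exp=0917
2015-03-24 10:02:11 POS02 sale txn=8813 pan=378282246310005 amount=12.00
2015-03-24 10:02:40 POS02 sale txn=8814 pan=6011111111111117 amount=7.50
2015-03-24 10:03:00 POS02 info session id 1234567890123456 (not a card)
2015-03-24 10:03:30 POS02 sale txn=8815 pan=4111111111111112 amount=9.99
"""

if __name__ == "__main__":
    for brand, masked in find_card_numbers(SAMPLE_LOG):
        print(f"{brand:<11} {masked}")
```

The two sequences on the last two sample lines fail the Luhn check and are dropped, which is the point of the checksum: it cuts false positives from session ids, timestamps and other long digit runs, and the same test lets a defender find card data sitting in plaintext where it should not be.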

The program mainly consists of two parts: a loader and a keylogger. The loader begins the infection process by connecting to a remote server and downloading the keylogger. Once active, the keylogger scans the memory of the infected machine for possible credit card numbers. If a match is found, the data is retrieved from memory and sent back to a remote server, from which the criminals collect the stolen card numbers. The keylogger’s capability, however, is not limited to grabbing this specific information. It could easily sniff almost anything in memory, including passwords, login data and bank account details.

The domains to which PoSeidon transmits the stolen data include:

• quartlet.com
• horticartf.com
• kilaxuntf.ru
• dreplicag.ru
• fimzusoln.ru
• wetguqan.ru
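Because the loader and keylogger both call home, the exfiltration domains listed above are the most direct detection hook a defender has: a query for any of them in DNS logs is worth an alert. Below is an added example for this page, not Cisco’s or any vendor’s tooling, that scans DNS log lines for those domains. The log line format and the client addresses are constructed; matching is case-insensitive, tolerates a trailing dot, and covers subdomains of each indicator without being fooled by a longer name that merely ends in the same letters.

```python
# Domains the write-up names as PoSeidon exfiltration endpoints.
POSEIDON_DOMAINS = {
    "quartlet.com", "horticartf.com", "kilaxuntf.ru",
    "dreplicag.ru", "fimzusoln.ru", "wetguqan.ru",
}

def normalize(name):
    """Lower-case and strip the trailing dot resolvers often log."""
    return name.lower().rstrip(".")

def is_indicator(qname, indicators=POSEIDON_DOMAINS):
    """True if qname is an indicator domain or a subdomain of one."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in indicators)

def parse_dns_line(line):
    """Parse the constructed format '<timestamp> <client_ip> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return {"ts": parts[0], "client": parts[1], "qname": parts[2], "qtype": parts[3]}

def scan_dns_log(lines, indicators=POSEIDON_DOMAINS):
    """Return (client_ip, normalized qname) for every query that hits an indicator."""
    alerts = []
    for line in lines:
        rec = parse_dns_line(line)
        if rec and is_indicator(rec["qname"], indicators):
            alerts.append((rec["client"], normalize(rec["qname"])))
    return alerts

# Constructed sample resolver log; addresses and timestamps are made up.
SAMPLE_DNS = [
    "2015-03-24T10:05:01Z 10.0.4.21 www.example.com A",
    "2015-03-24T10:05:03Z 10.0.4.21 kilaxuntf.ru. A",
    "2015-03-24T10:05:03Z 10.0.4.22 api.wetguqan.ru A",
    "2015-03-24T10:05:09Z 10.0.4.23 notquartlet.com A",
    "2015-03-24T10:05:10Z 10.0.4.21 DREPLICAG.RU A",
]

if __name__ == "__main__":
    for client, qname in scan_dns_log(SAMPLE_DNS):
        print(f"ALERT {client} queried {qname}")
```

The `notquartlet.com` line is there to show why the suffix test is anchored on a leading dot: a plain `endswith("quartlet.com")` would flag it, and that kind of false positive is what gets indicator alerts tuned out. Client 10.0.4.21 appears twice, which in practice is the host to pull for the “WinHost” service and the memory-scraping component described later in the article.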

PoSeidon can self-update and is hard to remove

As with most other forms of malware, PoSeidon is designed not to leave a system easily. The loader creates a service called “WinHost” to avoid easy termination, and the service stays alive even after the user has logged off, making it a persistent and pervasive threat.

According to the researchers at Cisco:

“PoSeidon was professionally written to be quick and evasive with new capabilities not seen in other PoS malware, PoSeidon can communicate directly with C&C servers, self-update to execute new code and has self-protection mechanisms guarding against reverse engineering.”

Point-of-Sale malware attacks have been increasing in frequency and volume ever since 2013. Stealing credit card information turns out to be highly rewarding for cyber criminals: not only can they use the cards to make purchases with the victim’s money, but the card numbers can also be sold on the black market for quick and easy money, which allows the malware writers to remain anonymous.

Cisco encourages retailers to consider security best practices, starting with a threat-centric approach, to protect their customers’ data.

Have a nice (malware-free) day!