Members of Cisco’s Talos Security Intelligence & Research Group recently uncovered new malware, nicknamed PoSeidon, which specifically targets point-of-sale (PoS) systems.
“Incidents involving PoS malware have been on the rise, affecting many large organizations as well as small mom-and-pop establishments and garnering a lot of media attention,” the researchers noted in a report.
Infection by the PoSeidon malware starts with a loader binary, which contacts a command and control server to download another binary that installs a keylogger and scans the PoS device’s memory. Is searches for number sequences that match credit card data, such as 16-digit numbers beginning with 6, 5, or 4 (Discover, Visa and MasterCard), or 15-digit numbers beginning with 3 (American Express).
“The Keylogger component was potentially used to steal passwords and could have been the initial infection vector,” the researchers noted.
The stolen data is then uploaded to an exfiltration server — most of the command and control servers and exfiltration servers, according to the researchers, use .ru domains.
In a comment, researcher JJ Cummings noted that the Talos team had seen the PoSeidon malware establish persistence on both Windows XP and Window 7 systems.
“PoSeidon is another in the growing number of point-of-sale malware targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors,” the researchers stated.
“As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families,” they added. “Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats.”
Researcher Craig Williams told SC Magazine that PoSeidon is particularly notable because it’s self-updateable. “It has interesting evasions by using the combination of XOR, Base64, etc., and it has direct communication with the exfiltration servers, as opposed to common PoS malware, which logs and stores for future exfiltration from another system,” he said.
Caspida CEO and co-founder Muddu Sudhakar told eSecurity Planet by email that cybercriminals will inevitably continue to target PoS systems and leverage increasingly sophisticated obfuscation techniques in order to maintain access. “Enterprises must stop granting unfettered access to employees and third parties that are allowing cybercriminals to take advantage by installing malware like PoSeidon,” he said.
“Organizations need to be more proactive and take preventative measures by looking at threats based on behavior and strengthen its encryption,” Sudhakar added. “Cybercriminals are oftentimes taking advantage of enterprises that have not rolled out basic security hygiene and security best practices that have been discussed since the Target breach was first reported in December 2013.”
A recent eSecurity Planet article examined the challenges inherent in ensuring point-of-sale security, and offered advice on securing PoS systems from attack.