Security researchers at Cisco’s Talos Security & Intelligence Group have recently discovered a new breed of malware that targets Point-of-Sale (PoS) terminals. The malware, dubbed “PoSeidon”, has been designed in such a way that it has the capabilities of the infamous Zeus banking Trojan and the BlackPOS malware.
It works by scraping memory from infected PoS terminals, scanning the RAM for card number sequences of principal card issuers. It then uses the Luhn algorithm to verify that the credit or debit card numbers are valid, uploading them to one of several command-and-control servers along with other captured data.
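As an added illustration (not code from the Talos write-up or from the malware), the following Python triage scanner shows the filter described above from the responder's side: it walks a captured log or dump extract, keeps only digit runs that match the principal issuers' prefix and length rules, and confirms each with the Luhn check, so that a responder can tell genuine card-number exposure from timestamps and other digit noise. The sample buffer, the issuer table and all function names are constructed for this example.

```python
import re

# Constructed sample of the kind of text a responder might see in a dump or log:
# two genuine test PANs, one run that fails Luhn, one Luhn-valid run with no issuer.
SAMPLE_BUFFER = (
    b"POS.EXE tx=20250301T1203 pan=4111111111111111=2512101 ok\n"
    b"trace id 1234567890123 acct 378282246310005 retry 4111111111111112\n"
    b"pad 0000000000000000 end\n"
)

# Prefix/length rules for the principal card brands (constructed table).
ISSUERS = [
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?(?:\d{3})?$")),
    ("Mastercard", re.compile(r"^(?:5[1-5]\d{2}|222[1-9]|22[3-9]\d|2[3-6]\d{2}|27[01]\d|2720)\d{12}$")),
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("Discover", re.compile(r"^6(?:011|5\d{2})\d{12}$")),
]

# A candidate is a run of 13 to 19 digits not adjacent to any other digit.
CANDIDATE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10: double every second digit from the right (minus 9 if > 9), sum, check % 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def issuer_of(digits: str):
    for name, pattern in ISSUERS:
        if pattern.match(digits):
            return name
    return None

def mask(pan: str) -> str:
    """PCI-style truncation for reports: keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(buffer: bytes):
    """Return (issuer, masked PAN) for every issuer-matching, Luhn-valid digit run."""
    hits = []
    for m in CANDIDATE.finditer(buffer):
        digits = m.group(0).decode("ascii")
        issuer = issuer_of(digits)
        if issuer and luhn_valid(digits):
            hits.append((issuer, mask(digits)))
    return hits
```

Running `find_pans(SAMPLE_BUFFER)` reports only the two genuine test numbers, masked; the run that fails Luhn and the Luhn-valid run of zeros with no issuer prefix are both dropped.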
According to the CSS researchers, three malware components are likely associated with PoSeidon: a keylogger, a loader and a memory scraper that also has keylogging functionality.
The keylogger is used to steal all credentials for the LogMeIn remote access application. It deletes the encrypted LogMeIn passwords and profiles stored in the system registry, forcing users to type them in again so they can be captured. This severely compromises PoS systems and allows the installation of PoSeidon.
Upon installation, it can then use a Loader binary that allows the malware to survive a possible system reboot.
Unlike other PoS memory scrapers that store captured payment card data locally until attackers log in to download it, PoSeidon communicates directly with external servers and can update itself automatically.
The best thing network administrators can do is to remain vigilant and adhere to industry best practices. Wall-to-wall encryption is ideal but not available to many servers. If you would like advice, get in contact: 020 7517 3900 or email [email protected]