Dubbed PoSeidon, the malware is designed to scrape PoS devices’ memory for credit card information and exfiltrate that data to servers.
According to researchers, most of the exfiltration and command and control (C&C) servers linked to the PoS malware have Russian domain names
The researchers found malware starts with a loader binary which, when executed, will first try to maintain persistence on the target machine to survive a possible system reboot.
The loader then contacts a C&C to retrieve a URL which contains another binary to download and execute.
The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers.
The keylogger component can be used to steal passwords and could also be responsible for spreading infections, the researchers said.
Once the data is verified using the Luhn algorithm, keystrokes and credit card numbers are encoded and sent to an exfiltration server.
Read more about PoS malware
- Cyber criminals will ramp up attacks on point of sale (POS) systems, according to the 2015 cyber trends and threat analysis by Verisign.
- The compromise of point-of-sale (POS) system supplier Nextep highlights the need to update legacy systems.
- The theft of credit card data from the Mandarin Oriental hotel group highlights the security risk of legacy point of sale (POS) systems.
Demand for point of sale system data
The data can be used to create cloned credit cards, and is typically sold on criminal markets. The demand for such data has driven the growth in the number of data breaches involving PoS malware.
These data breaches affect large organisations such as US retailer Target as well as small, family-run retail businesses.
The presence of large amounts of financial and personal information means these businesses and their retail PoS systems are attractive targets for cyber criminals.
“PoSeidon is another in the growing number of point-of-sale malware targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors,” said the researchers.
“Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection,” they said in a blog post.
Magnetic stripe vulnerability
The researchers warn that, as long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and the development of new malware families.
“Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats,” they said.
In October 2014, US president Barack Obama issued an executive order aimed at accelerating the adoption of cards that reach the EMV standard.
While EMV is not hack-proof, it provides more security than the magnetic stripe-based system, with a unique identifier for each transaction and user verification through a PIN code.
Although widely adopted in Europe, where it has been credited with significantly reducing card-present fraud, EMV adoption in the US has been relatively slow.
In an effort to speed up adoption of the EMV standard, Obama’s executive order directs the federal government to lead by example in securing transactions and sensitive data.
The White House said the new BuySecure initiative will provide consumers with more tools to secure their financial future by assisting victims of identity theft and improving the government’s payment security.
This is in addition to accelerating the transition to stronger security technologies and the development of next-generation payment security tools.