A family of improved malware is targeting retailers’ point of sale (PoS) systems, taking up where Zeus and BlackPoS left off, say Cisco researchers.

Dubbed PoSeidon, the malware is designed to scrape PoS devices’ memory for credit card information and exfiltrate that data to servers.

According to researchers, most of the exfiltration and command and control (C&C) servers linked to the PoS malware have Russian domain names

The researchers found malware starts with a loader binary which, when executed, will first try to maintain persistence on the target machine to survive a possible system reboot.

The loader then contacts a C&C to retrieve a URL which contains another binary to download and execute.

The downloaded binary, FindStr, installs a keylogger and scans the memory of the PoS device for number sequences that could be credit card numbers.

The keylogger component can be used to steal passwords and could also be responsible for spreading infections, the researchers said.

Once the data is verified using the Luhn algorithm, keystrokes and credit card numbers are encoded and sent to an exfiltration server.

Demand for point of sale system data

The data can be used to create cloned credit cards, and is typically sold on criminal markets. The demand for such data has driven the growth in the number of data breaches involving PoS malware.

These data breaches affect large organisations such as US retailer Target as well as small, family-run retail businesses.

The presence of large amounts of financial and personal information means these businesses and their retail PoS systems are attractive targets for cyber criminals.

“PoSeidon is another in the growing number of point-of-sale malware targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors,” said the researchers.

“Attackers will continue to target PoS systems and employ various obfuscation techniques in an attempt to avoid detection,” they said in a blog post.

Magnetic stripe vulnerability

The researchers warn that, as long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and the development of new malware families.

“Network administrators will need to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats,” they said.

Card cloning is particularly rife in countries such as the US that have not yet implementedchip and pin technology in line with the Europay, MasterCard and Visa (EMV) standard.

In October 2014, US president Barack Obama issued an executive order aimed at accelerating the adoption of cards that reach the EMV standard.

While EMV is not hack-proof, it provides more security than the magnetic stripe-based system, with a unique identifier for each transaction and user verification through a PIN code.

Although widely adopted in Europe, where it has been credited with significantly reducing card-present fraud, EMV adoption in the US has been relatively slow.

In an effort to speed up adoption of the EMV standard, Obama’s executive order directs the federal government to lead by example in securing transactions and sensitive data.

The White House said the new BuySecure initiative will provide consumers with more tools to secure their financial future by assisting victims of identity theft and improving the government’s payment security.

This is in addition to accelerating the transition to stronger security technologies and the development of next-generation payment security tools.

Via: computerweekly