Beware all you retailers, a new Trojan program dubbed as PoSeidon targets point-of-sale or PoS terminals and can potentially steal payment card data for abusing it later.
According to Cisco Security Solutions research team, this new malware can perform memory scraping, which means it can scan RAM of all the compromised terminals to locate encrypted strings and matches credit card info with it.
In the memory of every PoS system this confidential information is stored in plain text format when specialized merchant software is busy processing it on the terminal.
Security experts have been insisting on extending the use of end-to-end encryption mechanism for protecting payment card information from the card reader to the payment service provider but not many have paid attention to their advices as of now.
According to CSS researchers, three malware components have been identified by them. These are most likely connected with PoSeidon, which serves as a memory scraper and a keylogger at the same time.
Keylogger is equipped with the capability of stealing credentials by deleting encrypted LogMeIn passwords and profiles that usually are stored in the computer system’s registry. This forces users to type the information again and when they do that, it captures the data instantaneously.
Researchers at CSS believe that the potential use of keyloggers is for stealing remote access credentials that hackers need for infecting and compromising PoS systems and installing PoSeidon.
Precious studies showed that point-of-sale terminals can easily be exploited via brute-forced remote access credentials since a majority of these terminals are configured for supporting remote technology.
When PoSeidon provides attackers access to any PoS terminal, they install a loader, which is a component that create the necessary registry keys for maintaining the infection’s perseverance on all system reboots and it downloads a new file called FindStr. This file is downloaded from a hard-coded command-and-control list.
Evidently, the purpose of FindStr s to locate strings that match the available payment card credentials in the running processes memory.
According to CSS team of researchers:
“The malware only looks for number sequences that start with: 6, 5, 4 with a length of 16 digits (Discover, Visa, Mastercard) and 3 with a length of 15 digits (AMEX).”
The captured strings are then verified by the Trojan. These Strings actually are the credit card numbers that are located via an algorithm called the Luhn formula. It uploads them one any of the command-and-control servers as well as other captured data captured via its key logging attribute.
Unlike other PoS memory scrapers that store captured payment card data locally until attackers log in to download it, PoSeidon communicates directly with external servers and can update itself automatically. It also has defenses against reverse engineering.
“PoSeidon is another in the growing number of Point-of-Sale malware targeting PoS systems that demonstrate the sophisticated techniques and approaches of malware authors,” the CSS researchers said. “As long as PoS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families.”