Will POSeidon Preempt BlackPOS?

Cybercriminals vying for the juicy details contained within global retail point-of-sale (POS) systems are upping their game with a new POS malware family that researchers say is more sophisticated than Black POS and is hoping to evade detection by making itself look very similar to Zeus malware.

Dubbed PoSeidon by the researchers at Cisco who have been tracking it, the new malware is similar to other highly successful POS malware families in that it focuses on infecting POS machines to scrape memory for credit card information and exfiltrate it to malicious servers. But it has improved on previous iterations.

"PoSeidon is interesting because it is self-updateable," says Craig Williams, Security Outreach Manager at Cisco Talos. "It has interesting evasions by using the combination of XOR, Base64, etc., and it has direct communication with the exfiltration servers, as opposed to common PoS malware, which logs and stores for future exfiltration from another system."

PoSeidon also differentiates itself in that it masks itself as Zeus malware to fly under security researchers' radars, Williams says, though Cisco isn't sharing technical details on how it is doing that while its researchers track PoSeidon's progress. According to BLANK, PoSeidon has advanced beyond the popular Black POS malware family in its methods of finding card data on POS systems and networks.

"PoSeidon looks for card data by looking for processes with a security token not associated with the 'NT AUTHORITY' domain name. It iterates through all read/write pages within those processes for credit card info," Williams says, explaining that it only looks for number sequences that start with 6,5 or 4 and of a length of 16 numbers to match Discover, Visa or Mastercard numbers, or sequences of a length of 15 digits that start with a 3 to seek American Express numbers.  It then uses the Luhn algorithm to verify that the numbers are actually credit or debit card numbers."

[Everything you need to know about today’s IT security challenges – but were afraid to ask. Register with Discount Code DRBLOG to save $100 for this special one-day event, Dark Reading's Cyber Security Crash Course at Interop on Wednesday, April 29.]

Even with relatively low levels of sophistication, POS malware like BlackPOS has helped cybercriminals clean up through breaches against big retailers like Target and Home Depot. It was estimated that from mid-2013 to mid-2014, Russian hackers made $2.5 billion through POS and ATM attacks. As the types of POS malware increase in sophistication, retailers should be on alert, says Andrew Avanessian, executive vice president of consultancy and technology services at security firm Avecto.

"Particularly as the frequency and relative ease with which POS system breaches are occurring is forcing them to take a closer look at their IT infrastructure and reassess how secure it actually is," he continues, explaining that the 'antiquated' nature of POS systems lend themselves to being vulnerable to these types of attacks. "One possibility may lie with the POS systems which, in some organizations, are relatively antiquated. These tend to be legacy systems run on Windows XP for example which don't get patched regularly. In many cases they are not connected to a domain under stringent controls and therefore they are relatively easy to penetrate."

As Avanessian explains, the gradual roll-out of chip-and-pin technology will help ameliorate the risk of POS attacks, but it is still incumbent upon retailers to get better at the blocking-and-tackling of the security staples: patching, privilege management and application control for POS systems and the network system they're connected to.