
3/23/2015
Will POSeidon Preempt BlackPOS?

Research from Cisco Talos uncovers newly evolved POS malware with more sophistication than BlackPOS and similarities to Zeus for camouflage.

Cybercriminals vying for the juicy details contained within global retail point-of-sale (POS) systems are upping their game with a new POS malware family that researchers say is more sophisticated than BlackPOS and that tries to evade detection by making itself look very similar to Zeus malware.

Dubbed PoSeidon by the researchers at Cisco who have been tracking it, the new malware is similar to other highly successful POS malware families in that it focuses on infecting POS machines to scrape memory for credit card information and exfiltrate it to malicious servers. But it has improved on previous iterations.

"PoSeidon is interesting because it is self-updateable," says Craig Williams, Security Outreach Manager at Cisco Talos. "It has interesting evasions by using the combination of XOR, Base64, etc., and it has direct communication with the exfiltration servers, as opposed to common PoS malware, which logs and stores for future exfiltration from another system."

PoSeidon also differentiates itself in that it masks itself as Zeus malware to fly under security researchers' radars, Williams says, though Cisco isn't sharing technical details on how it does that while its researchers track PoSeidon's progress. According to BLANK, PoSeidon has advanced beyond the popular BlackPOS malware family in its methods of finding card data on POS systems and networks.

"PoSeidon looks for card data by looking for processes with a security token not associated with the 'NT AUTHORITY' domain name. It iterates through all read/write pages within those processes for credit card info," Williams says, explaining that it only looks for number sequences that start with 6, 5 or 4 and are 16 digits long, to match Discover, Visa or Mastercard numbers, or 15-digit sequences that start with a 3, to match American Express numbers. It then uses the Luhn algorithm to verify that the numbers are actually credit or debit card numbers.
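As an added illustration (not Cisco's code or anything from the malware itself), here is the candidate-and-Luhn filter the article describes, written in Python the way a defender would use it to check that a DLP rule or a POS memory-protection test harness catches the same sequences. The digit-boundary handling and the sample buffer are assumptions; the article does not say how PoSeidon delimits digit runs.

```python
import re

# Candidate pattern described in the article: 16 digits starting with 6, 5 or 4
# (Discover / Mastercard / Visa) or 15 digits starting with 3 (American Express).
# The digit-boundary lookarounds are an assumption: a longer digit run is not
# split into candidates here.
PAN_CANDIDATE = re.compile(rb"(?<![0-9])(?:[456][0-9]{15}|3[0-9]{14})(?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(buf: bytes) -> list:
    """Return (offset, pan) for every candidate in buf that also passes Luhn."""
    hits = []
    for m in PAN_CANDIDATE.finditer(buf):
        pan = m.group().decode("ascii")
        if luhn_valid(pan):
            hits.append((m.start(), pan))
    return hits


# Constructed sample buffer standing in for a scanned read/write page: public
# industry test card numbers, one Luhn-failing lookalike, and a mismatched prefix.
SAMPLE = (
    b"order=8812 pan=4111111111111111 exp=0419\x00"
    b"track2=378282246310005=2001\x00"
    b"bad=4111111111111112\x00"      # wrong check digit, Luhn rejects it
    b"id=3000000000000000\x00"       # 16 digits starting with 3: not a candidate
)

if __name__ == "__main__":
    for off, pan in find_card_numbers(SAMPLE):
        print(f"offset {off:4d}: {pan[:6]}{'*' * (len(pan) - 10)}{pan[-4:]}")
```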


Even with relatively low levels of sophistication, POS malware like BlackPOS has helped cybercriminals clean up through breaches against big retailers like Target and Home Depot. It was estimated that from mid-2013 to mid-2014, Russian hackers made $2.5 billion through POS and ATM attacks. As the types of POS malware increase in sophistication, retailers should be on alert, says Andrew Avanessian, executive vice president of consultancy and technology services at security firm Avecto.

"Particularly as the frequency and relative ease with which POS system breaches are occurring is forcing them to take a closer look at their IT infrastructure and reassess how secure it actually is," he continues, explaining that the 'antiquated' nature of POS systems lends itself to these types of attacks. "One possibility may lie with the POS systems which, in some organizations, are relatively antiquated. These tend to be legacy systems run on Windows XP for example which don't get patched regularly. In many cases they are not connected to a domain under stringent controls and therefore they are relatively easy to penetrate."

As Avanessian explains, the gradual roll-out of chip-and-PIN technology will help ameliorate the risk of POS attacks, but it is still incumbent upon retailers to get better at the blocking-and-tackling of the security staples: patching, privilege management and application control for POS systems and the network they're connected to.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments

jlindema, 3/24/2015 | 5:00:32 PM
It will be nice when...
the information scraped from the POS terminals is either no longer valid, and/or can only be used by the first merchant to 'claim' the card number (and not be used over and over again).  Tokenization is the key.

Final -a startup located in Mtn. View, CA is working on this.  Check out: getfinal (dot) com.