Dark Reading is part of the Informa Tech Division of Informa PLC

Will POSeidon Preempt BlackPOS?

Research from Cisco Talos uncovers newly evolved POS malware with more sophistication than BlackPOS and similarities to Zeus for camouflage.

Cybercriminals vying for the juicy details contained within global retail point-of-sale (POS) systems are upping their game with a new POS malware family that researchers say is more sophisticated than BlackPOS and that hopes to evade detection by making itself look very similar to Zeus malware.

Dubbed PoSeidon by the researchers at Cisco who have been tracking it, the new malware is similar to other highly successful POS malware families in that it focuses on infecting POS machines to scrape memory for credit card information and exfiltrate it to malicious servers. But it has improved on previous iterations.

"PoSeidon is interesting because it is self-updateable," says Craig Williams, Security Outreach Manager at Cisco Talos. "It has interesting evasions by using the combination of XOR, Base64, etc., and it has direct communication with the exfiltration servers, as opposed to common PoS malware, which logs and stores for future exfiltration from another system."

PoSeidon also differentiates itself in that it masks itself as Zeus malware to fly under security researchers' radars, Williams says, though Cisco isn't sharing technical details on how it does that while its researchers track PoSeidon's progress. According to BLANK, PoSeidon has advanced beyond the popular BlackPOS malware family in its methods of finding card data on POS systems and networks.

"PoSeidon looks for card data by looking for processes with a security token not associated with the 'NT AUTHORITY' domain name. It iterates through all read/write pages within those processes for credit card info," Williams says, explaining that it only looks for number sequences that start with 6, 5 or 4 and are 16 digits long, to match Discover, Visa or Mastercard numbers, or sequences of 15 digits that start with a 3, to match American Express numbers. It then uses the Luhn algorithm to verify that the numbers are actually credit or debit card numbers.
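The prefix, length and Luhn filter Williams describes is the same test a DLP scanner applies when checking whether a log, crash dump or test dataset contains PAN-like data. The following Python is an added example, not code from Cisco Talos or from the malware; the sample buffer and the test card numbers in it are constructed (they are the industry's published test PANs, not real cards).

```python
import re

# Rule the article attributes to PoSeidon: 16 digits starting with 6, 5 or 4
# (Discover, Mastercard, Visa) or 15 digits starting with 3 (American Express).
CARD_RULES = {16: "654", 15: "3"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, fold >9 to a single digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(digits: str) -> bool:
    """Cheap prefix/length filter first, Luhn only on what survives it."""
    prefixes = CARD_RULES.get(len(digits))
    return prefixes is not None and digits[0] in prefixes and luhn_ok(digits)


def find_pan_candidates(buf: bytes) -> list:
    """Return stand-alone 15/16-digit runs in buf that pass looks_like_pan.

    The look-around anchors reject runs embedded in longer digit strings
    (order ids, timestamps), which plain \\d{15,16} would otherwise chop up.
    """
    text = buf.decode("latin-1")  # byte-for-byte, never raises on binary data
    pattern = re.compile(r"(?<!\d)\d{15,16}(?!\d)")
    return [m.group() for m in pattern.finditer(text) if looks_like_pan(m.group())]


# Constructed sample of what a scraped buffer or a careless log line might hold.
SAMPLE_BUFFER = (
    b"order=12345 pan=4111111111111111 amex=378282246310005 "
    b"id=41111111111111112345 typo=4111111111111112 disc=6011111111111117\x00"
)

if __name__ == "__main__":
    for pan in find_pan_candidates(SAMPLE_BUFFER):
        print("PAN-like value found:", pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
```

Run against a memory dump or log archive, a non-empty result is the signal that cardholder data is present where it should never be stored in the clear.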

Even with relatively low levels of sophistication, POS malware like BlackPOS has helped cybercriminals clean up through breaches against big retailers like Target and Home Depot. It was estimated that from mid-2013 to mid-2014, Russian hackers made $2.5 billion through POS and ATM attacks. As the types of POS malware increase in sophistication, retailers should be on alert, says Andrew Avanessian, executive vice president of consultancy and technology services at security firm Avecto.

"Particularly as the frequency and relative ease with which POS system breaches are occurring is forcing them to take a closer look at their IT infrastructure and reassess how secure it actually is," he continues, explaining that the 'antiquated' nature of POS systems lends itself to these types of attacks. "One possibility may lie with the POS systems which, in some organizations, are relatively antiquated. These tend to be legacy systems run on Windows XP for example which don't get patched regularly. In many cases they are not connected to a domain under stringent controls and therefore they are relatively easy to penetrate."

As Avanessian explains, the gradual roll-out of chip-and-PIN technology will help ameliorate the risk of POS attacks, but it is still incumbent upon retailers to get better at the blocking-and-tackling of the security staples: patching, privilege management and application control for POS systems and the networks they're connected to.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

3/24/2015 | 5:00:32 PM
It will be nice when...
the information scraped from the POS terminals is either no longer valid, and/or can only be used by the first merchant to 'claim' the card number (and not be used over and over again).  Tokenization is the key.

Final -a startup located in Mtn. View, CA is working on this.  Check out: getfinal (dot) com.