PoSeidon, brother of Zeus, forks up point of sale terminals
When malware trident strikes, credit card companies shake
Cisco has found a new and stupendously badass breed of point of sale (POS) malware it says is meaner than the code that tore through Target.
The "PoSeidon" malware is built on the shoulders of infamous Zeus money sucking exploit kit and sports improvements to BlackPOS which plundered millions from Target payment terminals in 2013.
It scrapes memory from POS terminals, siphoning the captured card data off to Russian domains for likely resale, Cisco says.
"PoSeidon is another in the growing number of malware targeting POS systems that demonstrate the sophisticated techniques and approaches of malware authors," researchers say.
"Attackers will continue to target POS systems and employ various obfuscation techniques in an attempt to avoid detection.
"As long as POS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families."
Cisco says network administrators must adhere to industry best practices if they hope to present a challenge to POS malware.
PoSeidon contains a loader that maintains persistence on infected boxes to survive reboots and user log-outs. A subsequently downloaded binary
FindStr implants a keylogger which scans memory in pursuit of credit card number sequences.
Identified numbers are verified using the Lund algorithm and encrypted and shipped off to one of a dozen hardcoded command and control servers.
POS malware is effective in the United States in part because of the use of credit card magnetic stripes which could be captured and cloned in what underground fraud markets call dumps.
Credit card protection known as EMV that makes cloning cards much harder has been deployed in Australia since April 2013 and will apply to ATMs by year's end.