Cisco has discovered a new malware threat against Point-of-Sale (PoS) terminals that has the potential to pilfer credit card details. The threat appears to be a lot more damaging than the malware that infected Target.
The new malware family, which Cisco's Security Solutions team has nicknamed PoSeidon, scrapes the memory on PoS systems to try and grab credit card data that it then sends to its servers (primarily using Russian .ru domains) before they are harvested and eventually sold on.
PoSeidon starts off its work using a loader binary that, once executed, attempts to maintain a persistence on the target machine to survive any reboots. The loader then contacts a command and control server, thus retrieving a URL that contains another binary to be executed, called FindStr. This installs a keylogger, scans the memory of the PoS for number sequences that might be credit card numbers and sends them back to an exfiltration server.
Adhere to best practices
US retailer Target was subjected to a huge data breach in December 2013, resulting in approximately 40 million credit and debit card accounts compromised. Additionally, personal data such as names, addresses, and emails were stolen from a further 70 million.
That was also carried out using malware program that had its origins in Russia known as BlackPOS. In the face of the PoSeidon malware, Cisco is advising system administrators to adhere to industry best practices to stand up against this new PoS malware.