PoSeidon malware dives deep into POS, Cisco warns

Cisco Systems is warning of a new malware family, nicknamed PoSeidon, that targets point-of-sale (POS) systems.

This is bad news for retailers that are still reeling from the many data breaches of recent history, such as those that hit Target, Home Depot, Staples and Supervalu. Target is still attempting to settle a class action suit from its 2013 breach, which affected as many as 110 million customers, for $10 million.

PoSeidon infects POS machines, scrapes their memory for payment card data, and exfiltrates that data to servers, many hosted on Russian domains, where it can be harvested and likely resold, according to a post on Cisco Systems' blog. Exfiltration, sometimes called data extrusion, is the unauthorized transfer of data out of a system.

Once a system is infected, PoSeidon establishes "persistence" so that it survives a reboot and stays resident on the machine. It then contacts a command-and-control (C2) server, which directs the installation of a "keylogger."

"The keylogger is installed to pull credit card data," Craig Williams, senior technical leader for Cisco's Talos Security Intelligence and Research Group, told SCMagazine.com. "It is not uncommon for more sophisticated and current POS malware samples."

The malware then scans the infected POS device's memory for sequences of digits that could be payment card numbers, according to the blog, and sends any it finds to the exfiltration server. The post describes the threat in considerably more technical detail.
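To make the scraping step concrete, here is an added example (not code from the article, from Cisco, or from the malware itself) of how a memory scraper picks card numbers out of a process image: it looks for 13-to-19-digit runs and for Track 2-style records, and keeps only candidates that pass the Luhn checksum. The sample buffer, the Luhn filter and the Track 2 pattern are assumptions for illustration; the article says only that PoSeidon looks for digit sequences. The same logic, run by a defender over a memory dump of a POS process, shows whether cleartext card data is sitting where a scraper could find it.

```python
import re

# Constructed sample of bytes a POS process might hold in memory: one Track 2-style
# record (;PAN=YYMM service-code ... ?), a bare PAN, and digit runs that are not cards.
# All numbers here are test values, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TERMINAL-07\x00"
    b";4539578763621486=25121010000000000000?\x00"
    b"order_id=1234567890123\x00"
    b"phone=15555551212\x00"
    b"\xff\xfe4111111111111111\x00"
)


# Assumption: the scraper uses the Luhn check to drop digit runs that cannot be card numbers.
def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:  # double every second digit from the right, fold 10..18 back to a digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# A PAN is 13 to 19 digits; the lookarounds stop us from slicing a longer digit run.
PAN_RUN = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")
# Track 2 layout: start sentinel ';', PAN, '=', expiry YYMM, service code, discretionary data, '?'
TRACK2 = re.compile(rb";([0-9]{13,19})=([0-9]{4})([0-9]{3})[0-9]*\?")


def mask(pan: str) -> str:
    """Keep the first six and last four digits so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrape(buf: bytes) -> list[dict]:
    """Return card-like findings in buf, Track 2 records first, each Luhn-validated."""
    hits: list[dict] = []
    seen: set[str] = set()
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan) and pan not in seen:
            seen.add(pan)
            hits.append({"kind": "track2", "pan": pan,
                         "expiry": m.group(2).decode("ascii"), "offset": m.start()})
    for m in PAN_RUN.finditer(buf):
        pan = m.group().decode("ascii")
        if luhn_ok(pan) and pan not in seen:
            seen.add(pan)
            hits.append({"kind": "pan", "pan": pan, "offset": m.start()})
    return hits


if __name__ == "__main__":
    for h in scrape(SAMPLE_MEMORY):
        print(f"{h['kind']:6} offset={h['offset']:4} pan={mask(h['pan'])}")
```

Run against the constructed buffer, the scanner reports the Track 2 record and the bare test PAN and ignores the order number, which has the right length but fails Luhn. A real scraper walks every readable region of the target process the same way; the defensive takeaway is that anything a scraper can regex out of memory should not be there in cleartext in the first place (point-to-point encryption at the reader) and that masked findings from a dump make a useful exposure check after an incident.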

"PoSeidon is interesting because it is self-updateable," Williams said. "It has interesting evasions by using the combination of XOR, Base64, etc., and it has direct communication with the exfiltration servers, as opposed to common POS malware, which logs and stores for future exfiltration from another system."
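As an added illustration of the XOR-plus-Base64 layering Williams mentions (example code written for this page, not PoSeidon's own routine), the following encodes a constructed configuration string with a repeating XOR key and then Base64, and shows how an analyst strips the layer from a blob pulled out of a sample when the key is a single byte: decode the Base64, try all 256 keys, and keep the ones that yield printable text containing an expected marker. The order of the layers, the single-byte key, the key value and the sample string are all assumptions.

```python
import base64
import string


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (a one-byte key is the common case in cheap obfuscation)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plaintext: bytes, key: bytes) -> str:
    """Attacker side as assumed here: XOR first, then Base64 so the result is plain ASCII."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def deobfuscate(blob: str, key: bytes) -> bytes:
    """Analyst side with a known key: undo the Base64, then undo the XOR."""
    return xor_bytes(base64.b64decode(blob), key)


# Bytes we accept as "looks like text" when guessing a key; vertical tab and form feed excluded.
PRINTABLE = set(string.printable.encode("ascii")) - {0x0B, 0x0C}


def recover_single_byte_key(blob: str, must_contain: bytes = b"") -> list[tuple[int, bytes]]:
    """Try all 256 one-byte keys against a Base64 blob; keep keys whose output is printable
    and contains an expected marker (for example b'Host:' for a C2 request template)."""
    raw = base64.b64decode(blob)
    found = []
    for k in range(256):
        pt = xor_bytes(raw, bytes([k]))
        if all(b in PRINTABLE for b in pt) and must_contain in pt:
            found.append((k, pt))
    return found


# Constructed sample configuration string; the host uses a reserved TLD, not a real C2.
CONFIG = b"POST /upload.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
KEY = bytes([0x2A])  # assumed key value for the demonstration


if __name__ == "__main__":
    blob = obfuscate(CONFIG, KEY)
    print("as stored in the binary:", blob)
    for k, pt in recover_single_byte_key(blob, must_contain=b"Host:"):
        print(f"key=0x{k:02x} ->", pt.decode("ascii").replace("\r\n", " | "))
```

The point for a practitioner is that this is encoding, not encryption: the key sits in the same binary as the blob, and even without it a single-byte XOR falls to a 256-try loop with a printability filter. It defeats naive string searches and signature matching on the stored configuration, which is all it needs to do for the malware author, and it is also why analysts routinely run exactly this kind of brute force over every Base64-looking string in a POS sample.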

Cybercriminals will continue to target POS systems and use increasingly sophisticated obfuscation techniques to maintain access, Caspida CEO and co-founder Muddu Sudhakar told eSecurity Planet. "Enterprises must stop granting unfettered access to employees and third parties that are allowing cybercriminals to take advantage by installing malware like PoSeidon.

"Organizations need to be more proactive and take preventative measures by looking at threats based on behavior and strengthening their encryption. Cybercriminals are oftentimes taking advantage of enterprises that have not rolled out basic security hygiene and security best practices that have been discussed since the Target breach was first reported in December 2013," he added.

PoSeidon is another in a growing number of POS malware threats demonstrating sophisticated techniques and approaches. According to the Cisco blog, attackers will continue to target POS systems and employ various obfuscation techniques in an attempt to avoid detection, and as long as POS attacks continue to provide returns, attackers will continue to invest in innovation and development of new malware families. Cisco urges network administrators to remain vigilant and adhere to industry best practices to ensure coverage and protection against advancing malware threats.

This story was updated on March 30, 2015 to correct the spelling of Muddu Sudhakar's name.

For more:
-See this Cisco blog post
-See this SCMagazine.com article
-See this eSecurity Planet article
-See this Computer Business Review article
