Security experts at Cisco have spotted in the wild a new Point-of-Sale (PoS) malware dubbed PoSeidon that is more sophisticated than previously detected PoS malware. The experts have discovered many similarities with the popular Zeus Trojan and use sophisticated methods to find card data respect other POS malware like BlackPoS, which was used to steal data from US giant retailers Target and Home Depot. The malware belongs to the scrapers family, malicious code that “scrape” POS memory searching for card numbers of principal card issuers (i.e. Visa, MasterCard, AMEX and Discover). In addition, it is capable of verifying if the numbers are valid by using the Luhn formula (The Luhn algorithm is a simple checksum formula used to validate a variety of identification numbers, such as credit card numbers). Once in execution Poseidon starts with a Loader binary that operates to maintain persistence on the victim’s machine, then it receive other components from the C&C servers. Among the binaries downloaded by the loader there is also a Keylogger component used to steal passwords and could have been the initial infection vector.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street