
PoSeidon: Inside the evolving world of point-of-sale malware

Point-of-sale malware, such as the recent PoSeidon malware, continues to evolve to avoid detection. So what's an enterprise to do? Expert Nick Lewis explains how the malware functions and what organizations can do about it.

Malware targeting point-of-sale terminals has continued to be an area of active development for criminal gangs. These underground groups rely on capturing card data and never seem to be saturated from the glut of compromised credit card numbers. However, as breaches are detected and issues resolved, credit card companies and banks have been quick to distribute new cards to consumers that had their numbers compromised -- a good thing for consumers and a bad thing for attackers.

To keep pace with the replacement of compromised credit cards and stay ahead of enterprise malware defenses, point-of-sale (POS) malware authors need to maintain their malware updates. This includes adopting new strategies for compromising systems while also taking steps to avoid detection.

This game of cat and mouse will inevitably continue until fundamental changes are made to how payments are handled.

In the meantime, let's explore how the recent PoSeidon point-of-sale malware works and what security teams can do about it.

The PoSeidon point-of-sale malware

The PoSeidon malware -- a new family of malware targeting point-of-sale systems -- uses RAM scraping to capture credit card numbers -- just as its Zeus and BlackPoS predecessors did -- but also includes a keylogger for capturing passwords, as well as other advanced functions.

When the multi-stage attack infects a local system, it downloads from a hardcoded command-and-control server the executable used for persistence and then encodes the targeted data -- credit card numbers and passwords -- to send to the exfiltration server. Once the malware executes and sets itself as a service to autostart in order to survive system reboots, it deletes the file to reduce the chances of being identified.

Cisco Talos researchers noted that many of the hardcoded IP addresses and domains used in the attack are Russian. Although the use of Russian domain names, IP addresses registered to Russian ISPs or IP addresses geolocated in Russia does not by itself mean that a Russian, Eastern European or Chinese criminal gang is responsible for the attack, monitoring for those indicators of compromise could help enterprises identify activity to investigate further.

The initial infection vector has yet to be clearly identified, but Talos researchers suggest it could be the keylogger used in the malware. Without knowing how the malware got onto the POS system, it is difficult to identify which security controls failed. No vulnerabilities or exploits have been identified in the malware either, so the infection vector could be as simple -- yet effective -- as a USB drive set to autorun the malware when plugged into the POS terminal.

Enterprise defenses against the PoSeidon malware

Most of the security controls that protect against the PoSeidon malware should already be implemented in POS environments to meet the requirements of the PCI Data Security Standards. For example, the first requirement -- installing and maintaining a firewall configuration to protect cardholder data, specifically requirement 1.1.4 for a firewall at each Internet connection and between any demilitarized zone and the internal network zone -- could have blocked access to unapproved outgoing external connections and blocked the malware from downloading the executable used for persistence. Additionally, PCI DSS requirement 10.6 -- review logs and security events for all system components to identify anomalies or suspicious activity -- could have detected suspicious network connections and initiated an investigation to detect the malware and potentially limit the amount of data compromised.

Additionally, the same security recommendations for mitigating RAM-scraping malware apply: Antimalware software -- particularly one that monitors for access to memory -- could help block malicious access. Meanwhile, whitelisting tools could stop malware from executing on endpoints, and restricting inbound and outbound network access can stop the PoSeidon malware.

Had strict IP network controls been in place at the organizations PoSeidon infected, it could have been much more difficult for malware authors to exfiltrate data, download additional malware components and connect to the command-and-control infrastructure. An attacker would need to identify how to exfiltrate the data on a per-network basis; this would likely result in significantly more errors by the attackers, which could lead to detection. To identify potentially compromised endpoints to further investigate, organizations could also monitor DNS traffic. Talos released several indicators of compromise that could be included in a network or endpoint security tool to detect the malware. Potentially the most important indicator of compromise that would result in few false positives would be detecting an outgoing connection from the POS system to these URLs:

  • wondertechmy[.]com/pes/viewtopic.php
  • wondertechmy[.]ru/pes/viewtopic.php
  • wondwondnew[.]ru/pes/viewtopic.php

Any POS system sending data to one of these URLs must be investigated as an incident.
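The following is an added example, not code from the original article or from Talos, showing how the two detection points above (DNS monitoring and outbound connections to the listed URLs) can be checked against proxy and DNS logs. The three indicators are the ones the article lists, in their defanged form; the log formats (a proxy line of `timestamp src_ip method url` and a DNS query line of `timestamp src_ip qname`) and every log entry below are constructed for the example. An exact host-plus-path match is reported as high confidence, as the article argues, while a bare host match or a DNS lookup of one of the hosts is reported as a weaker, medium-confidence lead.

```python
"""Added example (not part of the original article): scan constructed proxy
and DNS log lines for the PoSeidon indicators the article lists.

Assumed (not from the article): the two log formats below. The three
indicators are the article's; all log entries are constructed sample data."""

from urllib.parse import urlparse

# Indicators from the article, kept defanged with "[.]" so they are not clickable.
POSEIDON_URLS = [
    "wondertechmy[.]com/pes/viewtopic.php",
    "wondertechmy[.]ru/pes/viewtopic.php",
    "wondwondnew[.]ru/pes/viewtopic.php",
]


def refang(indicator):
    """Turn a defanged indicator back into a matchable lowercase host/path string."""
    return indicator.replace("[.]", ".").lower()


# Exact host+path pairs (high confidence) and the bare hosts (for DNS and other paths).
IOC_URLS = {refang(u) for u in POSEIDON_URLS}
IOC_HOSTS = {u.split("/", 1)[0] for u in IOC_URLS}


def normalize_url(url):
    """Reduce a full URL to 'host/path', dropping scheme, port, query and case."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host + parsed.path


def classify_proxy_line(line):
    """Return (severity, src_ip, detail) for one proxy log line, or None.
    Constructed format: '<timestamp> <src_ip> <method> <url>'."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts, src_ip, _method, url = parts[:4]
    host_path = normalize_url(url)
    if host_path in IOC_URLS:
        return ("high", src_ip, f"exact PoSeidon URL {host_path} at {ts}")
    host = host_path.split("/", 1)[0]
    if host in IOC_HOSTS:
        return ("medium", src_ip, f"PoSeidon host {host} on another path at {ts}")
    return None


def classify_dns_line(line):
    """Return (severity, src_ip, detail) for one DNS query log line, or None.
    Constructed format: '<timestamp> <src_ip> <qname>'."""
    parts = line.split()
    if len(parts) < 3:
        return None
    ts, src_ip, qname = parts[:3]
    qname = qname.rstrip(".").lower()
    # Match the indicator host itself or any subdomain beneath it.
    for host in IOC_HOSTS:
        if qname == host or qname.endswith("." + host):
            return ("medium", src_ip, f"DNS lookup of {qname} at {ts}")
    return None


def find_hits(proxy_lines, dns_lines):
    """Run both classifiers and collect every hit as (severity, src_ip, detail)."""
    hits = []
    for line in proxy_lines:
        hit = classify_proxy_line(line)
        if hit:
            hits.append(hit)
    for line in dns_lines:
        hit = classify_dns_line(line)
        if hit:
            hits.append(hit)
    return hits


def hosts_to_investigate(proxy_lines, dns_lines):
    """Source IPs with at least one hit; each is a POS host to treat as an incident."""
    return {src_ip for _sev, src_ip, _detail in find_hits(proxy_lines, dns_lines)}


# Constructed sample logs: one benign vendor update, one exact IoC hit,
# one contact with an IoC host on a different path, and one IoC DNS lookup.
PROXY_LOG = [
    "2015-07-01T10:00:01Z 10.20.5.17 GET http://updates.example-vendor.test/patch.cab",
    "2015-07-01T10:00:07Z 10.20.5.31 POST http://wondertechmy.com/pes/viewtopic.php",
    "2015-07-01T10:00:09Z 10.20.5.31 GET http://wondertechmy.com:8080/other/file.exe?x=1",
]
DNS_LOG = [
    "2015-07-01T09:59:58Z 10.20.5.31 wondwondnew.ru.",
    "2015-07-01T10:00:00Z 10.20.5.17 updates.example-vendor.test.",
]

if __name__ == "__main__":
    for severity, src_ip, detail in find_hits(PROXY_LOG, DNS_LOG):
        print(f"[{severity}] {src_ip}: {detail}")
    print("investigate:", sorted(hosts_to_investigate(PROXY_LOG, DNS_LOG)))
```

Only the high-confidence match corresponds to the article's "few false positives" indicator; the medium-confidence DNS and host-only matches are there because the article also recommends DNS monitoring, and a lookup of one of these hosts from a POS subnet is worth a look even when no HTTP request followed.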

For many enterprises, the proper security controls should already be in place to support PCI compliance. While small and mid-sized organizations may rely on a service provider for their point-of-sale system and think the service provider maintains the POS security, this is just an assumption; SMBs should ensure information about providers' protection responsibilities is formally included in the contract for this service.

The long tail of PCI compliance will likely provide targets for criminals long past the implementation of the EMV standard. Discovery of the PoSeidon malware is another in a long line of malware used in attacks on POS systems. Only when enterprises implement the PCI Data Security Standard controls for the entire system can these types of malware be prevented.

About the author:
Nick Lewis, CISSP, is a program manager for the Trust and Identity in Education and Research initiative at Internet2, and previously was an information security officer at Saint Louis University. Nick received Master of Science degrees in information assurance from Norwich University in 2005 and in telecommunications from Michigan State University in 2002.


This was last published in July 2015