PoSeidon
The strategies and software that cybercriminals use to collect sensitive data from users and businesses are always evolving. However, there are some methods that seem to be timeless – a good example of this is Point-of-Sale (PoS) malware. These threats have been around for over a decade, and despite all the security measures taken to strengthen the security of PoS devices, the cybercriminals continue to target them by using more advanced malware. One of the more popular PoS malware families to be spotted in the wild goes by the name PoSeidon, and it has allowed its operators to collect the credit card details of thousands of customers thanks to attacks against retailers and businesses that do not adhere to the latest security practices.
The infection vector that the attackers use to drop PoSeidon is not known, but researchers suspect that they might be relying on distribution via infected USB sticks, or on exploiting vulnerable remote desktop software and services. Apart from serving as a memory scraper that looks for credit card details, PoSeidon may also operate as a keylogger that appears to pay special attention to the remote desktop program LogMeIn Ignition. Once the malware is initialized, it may access LogMeIn Ignition’s Registry keys and retrieve the user’s email address. After it does this, it deletes the saved profiles, thereby prompting the user to enter their password the next time they start LogMeIn Ignition – this is likely intended to greatly improve the keylogger’s chances of capturing the valuable remote desktop credentials.
However, the primary purpose of the PoSeidon malware is to scan the memory of running processes and exfiltrate credit card information. Its authors have implemented a basic check that is meant to reduce the amount of work the malware needs to carry out. It only looks for the following strings:
- Sixteen digits, starting with either 4, 5 or 6.
- Fifteen digits, starting with 3.
Cards that match these criteria are issued by Discover, Mastercard, Visa or AMEX. Of course, that’s not enough to validate the credit card numbers, which is why PoSeidon also uses the Luhn algorithm to verify that the extracted data is indeed linked to a valid credit or debit card.
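To make the two-stage filter concrete, the following is an added Python example (not PoSeidon code and not from the original article) that applies the length/leading-digit rule described above and then the Luhn check to a constructed text buffer. Defenders can use the same logic to sanity-check that the test data fed to their own PAN-detection or DLP rules would actually survive both stages; the two numbers that pass are the publicly documented Visa and AMEX test card numbers, not real account data.

```python
import re

# Regex mirroring the two string shapes the article says PoSeidon keeps:
# 16 digits starting with 4, 5 or 6, or 15 digits starting with 3.
# The lookarounds stop a match from landing inside a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:[456]\d{15}|3\d{14})(?!\d)")


def is_candidate(digits: str) -> bool:
    """First stage: the cheap length/leading-digit filter."""
    return CANDIDATE_RE.fullmatch(digits) is not None


def luhn_valid(digits: str) -> bool:
    """Second stage: Luhn mod-10 checksum over the digit string."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:      # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9        # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def scan_buffer(buf: str) -> list:
    """Return every candidate found in buf, paired with its Luhn result.

    A scraper following the article's description would keep only the
    True entries; the False entries are what the checksum weeds out.
    """
    return [(m, luhn_valid(m)) for m in CANDIDATE_RE.findall(buf)]


# Constructed sample buffer (assumed data, not captured from any system).
SAMPLE = (
    "POS log 4111111111111111=2512 ok; "
    "amex 378282246310005; "
    "typo 4111111111111112; "
    "15-digit 411111111111111 and 16-digit 3111111111111111 are skipped"
)

if __name__ == "__main__":
    for number, ok in scan_buffer(SAMPLE):
        print(number, "luhn-valid" if ok else "rejected by Luhn")
```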
The exfiltrated keystrokes and credit card details are then transferred to one of the remote servers that the attackers use exclusively for data storage – all domains are hosted on Russian addresses and have a Russian domain registration.
Cybercriminals have proven that they are always ready to take their campaigns and malware to the next level, and the PoSeidon malware is no exception. This threat serves as a good reminder of why businesses worldwide should take their customers’ security seriously and take the required measures to protect their systems.