News Feature | May 1, 2015

PoSeidon Malware Is Targeting POS Systems

Christine Kern

By Christine Kern, contributing writer

PoSeidon Malware Is Targeting POS Systems

Researchers at Cisco’s Talos Security Intelligence and Research Group have identified a new type of malware that targets payment card information on Point of Sale (POS) systems. The new malware, dubbed “PoSeidon,” actively takes steps to maintain persistence and includes the ability to update itself, according to SC Magazine.

Cisco explains that PoSeidon is “infecting machines to scrape memory for credit card information and exfiltrate that data to servers, also primarily .ru TLD, for harvesting and likely resale.” The blog post explains the steps that PoSeidon takes to attack a POS system. The data is exfiltrated to servers, many of which are hosted on Russian domains.

And according to Krebs On Security, PoSeidon “has been implicated in a number of recent breaches involving companies that provide POS services primarily to restaurants, bars, and hotels. The shift by the card thieves away from targeting major retailers like Target and Home Depot to attacking countless, smaller users of POS systems is giving financial institutions a run for their money as they struggle to figure out which merchants are responsible for card fraud.”

Upon infection, PoSeidon takes steps to achieve persistence so that the malware will survive in the event of a system reboot, according to the post, after which the C&C is contacted, and a minimal keylogger is installed.

“The keylogger is installed to pull credit card data,” Craig Williams, senior technical leader for Cisco’s Talos Security Intelligence and Research Group, tells “It is not uncommon for more sophisticated and current POS malware samples.”

The malware then scans the memory of the infected POS device for sequences of digits that could be payment card numbers, searching only for 16-digit sequences that begin with four, five, and six — numbers that represent MasterCard, Visa, and Discover cards — and 15-digit sequences beginning with three that signify American Express cards, according to Cisco. The Luhn algorithm is used to verifythat the numbers are actual payment card numbers.

“PoSeidon is interesting because it is self-updateable,” Williams said. “It has interesting evasions by using the combination of XOR, Base64, etc., and it has direct communication with the exfiltration servers, as opposed to common POS malware, which logs and stores for future exfiltration from another system.”