A new trojan targeting point-of-sale (PoS) terminals has recently been discovered by researchers from Cisco's Security Solutions.
Poseidon consists of three parts: a keylogger, a loader and a memory scraper. The keylogger is designed to steal LogMeIn login credentials. It deletes the encrypted passwords and profiles from the system registry in order to force users to type them in again, where the keylogger captures them. Once the attackers have remote-access credentials for the PoS terminal, they install a loader which persists across reboots and downloads another file from a hard-coded list of servers. This downloaded program, named FindStr, scans the memory of the PoS for strings that look like credit card numbers. According to the researchers, it "only looks for number sequences that start with: 6, 5, 4 with a length of 16 digits (Discover, Visa, Mastercard) and 3 with a length of 15 digits" (American Express). Each candidate string is then verified with a checksum (the Luhn algorithm) to weed out sequences that are not card numbers, and the verified numbers are encrypted and uploaded to external servers.
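The matching and verification step described above, as an added example that is not Poseidon's code and not code from the researchers' report: it applies the prefix and length rule quoted in the text to a raw byte buffer and keeps only the candidates that pass the Luhn checksum. The page says only that candidates are "verified using an algorithm"; the Luhn check used here is the standard card-number checksum and is an assumption. The buffer is constructed for the example and uses the well-known issuer test numbers rather than real card data; a real scraper would read this buffer out of another process's memory, and a defender can run the same logic over a memory dump to confirm whether a terminal holds cleartext card numbers at all.

```python
import re

# Prefix/length rule from the report: 16 digits starting with 6, 5 or 4,
# or 15 digits starting with 3. The lookarounds stop a longer digit run
# (e.g. a 17-digit timestamp) from yielding a bogus 16-digit "card".
CARD_RE = re.compile(rb"(?<![0-9])(?:[456][0-9]{15}|3[0-9]{14})(?![0-9])")

# Leading digit -> scheme, as listed in the report.
BRANDS = {"3": "American Express", "4": "Visa", "5": "Mastercard", "6": "Discover"}


def luhn_ok(number: str) -> bool:
    """Luhn checksum (assumed to be the verification step the report mentions).

    Walking from the rightmost digit, every second digit is doubled and
    digits above 9 have 9 subtracted; a valid number sums to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_candidates(buf: bytes) -> list[str]:
    """Return every digit run in buf that satisfies the prefix/length rule."""
    return [m.decode("ascii") for m in CARD_RE.findall(buf)]


def scrape_card_numbers(buf: bytes) -> list[tuple[str, str]]:
    """Return (number, brand) for each candidate that also passes Luhn."""
    return [(n, BRANDS[n[0]]) for n in find_candidates(buf) if luhn_ok(n)]


# Constructed sample buffer (not real memory): issuer test numbers mixed with
# a Luhn-invalid number, a 17-digit run, and a 16-digit run starting with 3.
SAMPLE_MEMORY = (
    b"\x00\x00B4111111111111111^DOE/JOHN^\x00"      # Visa, valid
    b"junk 4111111111111112 \x00"                  # Visa prefix, fails Luhn
    b"378282246310005\x00"                         # Amex (15 digits), valid
    b"12345678901234567 \x00"                      # 17 digits: no match
    b"3111111111111111 \x00"                       # 16 digits starting with 3: no match
    b"6011111111111117\x00 5555555555554444 2222"  # Discover and Mastercard, valid
)

if __name__ == "__main__":
    for number, brand in scrape_card_numbers(SAMPLE_MEMORY):
        print(f"{brand:16} {number}")
```

Note that the pattern alone is noisy (the Luhn-invalid `4111111111111112` is picked up as a candidate); the checksum is what turns a string search into a reliable card-number scraper, and the same two-stage filter is a cheap way to audit a memory dump for cleartext PANs.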
This attack is possible because the card data is not encrypted end to end. Between the card read and the point where the payment application encrypts the transaction for transmission, the card number sits in the terminal's memory in plain text, and very few deployments encrypt it at the reader so that it never appears in cleartext on the PoS host.
Because the loader fetches FindStr from the attackers' servers rather than carrying it embedded, the attackers can push updated versions of the scraper at will. The program also includes defenses against reverse engineering.