POS Providers Targeted by PoSeidon Malware

Researchers recently discovered a new strain of malware, known as PoSeidon, designed to steal credit and debit card information from compromised POS devices. PoSeidon has already been implicated in numerous breaches at businesses including restaurants, bars, and hotels. Unlike previous POS-targeted attacks, which focused on larger companies like Target and Home Depot, these campaigns concentrate on smaller retailers. Targeting smaller POS users has made it especially difficult for financial institutions to track credit card fraud, and it represents the latest iteration in a constantly evolving cat-and-mouse game between cybercriminals and financial institutions around the world.

Smaller businesses tend to have weaker security than large corporations, but the real reason hackers have started targeting smaller retailers is a tool commonly used by banks known as “common point-of-purchase” (CPP) analysis. When a batch of stolen credit cards goes up for sale on the Dark Web, banks will often purchase a small number of the stolen cards and check whether the victims all shopped at the same retailer during a specific time period. This is how a CPP is established, and the technique has been used to identify some of the largest retail breaches of the last few years.

By targeting large numbers of small retailers, hackers are able to circumvent the CPP tool because it becomes much more difficult – if not impossible – to establish a common merchant that could be the source of the breach.

Cybercriminals have also been relying on another technique in recent months known as “making sausage.” This involves mixing stolen cards from multiple victims into new batches of stolen cards, which further increases the difficulty of finding a CPP and, ultimately, of tracking the origin of the breach (or stopping it from continuing, for that matter). On top of these tracking problems, it becomes even more difficult for banks to identify and stop breaches that target a specific POS vendor, because banks are not directly connected to the POS vendor or to the retailers serviced by the breached POS system.
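To make the CPP idea concrete, here is an added example (not code from the original article, nor from any bank or vendor it mentions) of the analysis in its simplest form: for a sample of cards the bank has confirmed as compromised, rank merchants by the share of those cards that transacted there inside a time window, and call the result a CPP only when a single merchant clearly dominates. The transaction records, card IDs, merchant names and window dates are constructed illustration values; the `min_share` threshold is an assumption chosen for the example. The second batch mixes cards from two invented breaches to show why the "making sausage" technique described above leaves the analyst with no usable CPP.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: transaction histories for cards the bank has
# confirmed as compromised. Each record is (card_id, merchant, date).
# Every value here is invented for illustration.
TRANSACTIONS = [
    ("card01", "Harbor Grill", date(2015, 3, 2)),
    ("card01", "City Pharmacy", date(2015, 3, 5)),
    ("card02", "Harbor Grill", date(2015, 3, 3)),
    ("card02", "Gas & Go", date(2015, 3, 9)),
    ("card03", "Harbor Grill", date(2015, 3, 4)),
    ("card03", "City Pharmacy", date(2015, 3, 6)),
    ("card04", "Harbor Grill", date(2015, 3, 1)),
    ("card05", "Harbor Grill", date(2015, 2, 1)),   # before the window: ignored
    ("card05", "Gas & Go", date(2015, 3, 8)),
    ("card06", "Bay Cafe", date(2015, 3, 3)),
    ("card07", "Bay Cafe", date(2015, 3, 4)),
    ("card07", "Gas & Go", date(2015, 3, 7)),
    ("card08", "Bay Cafe", date(2015, 3, 5)),
]

# The window the analyst suspects the skimming took place in (assumption).
WINDOW_START = date(2015, 3, 1)
WINDOW_END = date(2015, 3, 10)

# Batch 1: cards that all came from one (invented) breached merchant.
SINGLE_BREACH_BATCH = ["card01", "card02", "card03", "card04", "card05"]

# Batch 2: a "sausage" batch mixing cards from two different breaches.
MIXED_BATCH = ["card01", "card02", "card06", "card07"]


def common_point_of_purchase(transactions, compromised_cards,
                             window_start, window_end):
    """Rank merchants by the share of compromised cards seen there in the window.

    Returns a list of (merchant, share) pairs, highest share first; ties are
    broken alphabetically so the output is deterministic.
    """
    compromised = set(compromised_cards)
    cards_per_merchant = defaultdict(set)
    for card, merchant, when in transactions:
        if card in compromised and window_start <= when <= window_end:
            cards_per_merchant[merchant].add(card)
    total = len(compromised)
    return sorted(
        ((merchant, len(cards) / total)
         for merchant, cards in cards_per_merchant.items()),
        key=lambda item: (-item[1], item[0]),
    )


def find_cpp(transactions, compromised_cards, window_start, window_end,
             min_share=0.8):
    """Return the single merchant that covers at least `min_share` of the
    compromised cards, or None when no merchant (or more than one) qualifies.

    `min_share` is an assumed threshold; a real fraud team would tune it
    against the size of the sample they bought and their false-positive budget.
    """
    ranking = common_point_of_purchase(transactions, compromised_cards,
                                       window_start, window_end)
    candidates = [merchant for merchant, share in ranking if share >= min_share]
    return candidates[0] if len(candidates) == 1 else None


if __name__ == "__main__":
    for label, batch in (("single-breach batch", SINGLE_BREACH_BATCH),
                         ("mixed batch", MIXED_BATCH)):
        ranking = common_point_of_purchase(TRANSACTIONS, batch,
                                           WINDOW_START, WINDOW_END)
        print(label, "->", ranking)
        print("  CPP:", find_cpp(TRANSACTIONS, batch, WINDOW_START, WINDOW_END))
```

Run as a script, the single-breach batch points at one merchant with an 80% share, while the mixed batch spreads its cards evenly across several merchants and `find_cpp` returns `None`: exactly the situation the article describes, where the bank sees many victims but no common merchant. Note that the analysis only has the merchant names the card network reports; it has no view of which POS vendor each merchant uses, which is why a vendor-level compromise like the ones discussed below is so hard to attribute from the bank's side.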


Recently, for instance, a POS vendor known as NEXTEP Systems experienced a breach and banks were unable to determine a CPP after investigation because the overwhelming number of merchants affected by the breach were all NEXTEP customers. This makes it nearly impossible to determine the exact location(s) of the breach (i.e. it cannot be tracked down to a specific merchant or retail location). PoSeidon has also affected a Naples, FL-based POS vendor – Bevo POS – and the breach was likely responsible for compromised credit card information in over a dozen restaurants and bars in Florida.

The trend of targeting smaller businesses for the purposes of credit card fraud is further illustrated by the fact that many black market credit card shops, such as Rescator, have moved away from selling cards stolen from major retailers and instead focus on selling batches of cards containing data stolen from these restaurants, bars, and other small retailers.

This makes the source(s) of a breach harder to trace and, consequently, allows the operators behind black market card sites like Rescator to keep selling stolen information without any recourse (legal or otherwise). Protecting yourself from malware like PoSeidon comes down to keeping track of your financial statements and immediately reporting any suspicious charges to your financial institution. Since PoSeidon directly affects the POS systems used by retailers, there is no proactive protection against this threat (at least not from a consumer standpoint).


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience working in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.
