Researchers recently discovered a new strain of malware, known as PoSeidon, designed to steal credit and debit card information from compromised POS devices. PoSeidon has already been implicated in numerous breaches targeting numerous businesses including restaurants, bars, and hotels. Unlike previous POS-targeted attacks that focused on larger companies like Target and Home Depot, cybercriminals have decided to start focusing on smaller retailers. Targeting these smaller POS users has made it especially difficult for financial institutions to track credit card fraud and represents nothing more than the latest iteration in a constantly evolving cat-and-mouse game between cybercriminals and financial institutions around the world.
Smaller institutions tend to have less security than large corporations, but the real reason why hackers have started targeting smaller retailers is because of a tool commonly used by banks known as “common point-of-purchase” (CPP). When a batch of stolen credit cards goes up for sale on the Dark Web, banks will often purchase a small number of the stolen credit cards to determine if the victims all shopped at the same retailer during a specific time period. This is how the CPP is established and it this technique has been used to identify some of the largest retail breaches over the last few years.
By targeting large numbers of small retailers, hackers are able to circumvent the CPP tool because it becomes much more difficult – if not impossible – to establish a common merchant that could be the source of the breach.
Cybercriminals have also been relying on another technique in recent months known as “making sausage.” This technique involves mixing stolen cards from multiple victims into new batches of stolen cards; further increasing the difficulty of finding a CPP and ultimately, tracking the origin of the breach (or stopping it from continuing for that matter). In addition to the aforementioned issues when tracking these breaches, it becomes even more difficult for banks to identify and stop breaches that target a specific POS vendor. This occurs because banks are not directly connected to the POS vendor or the retailers being serviced by the breached POS system.
Recently, for instance, a POS vendor known as NEXTEP Systems experienced a breach and banks were unable to determine a CPP after investigation because the overwhelming number of merchants affected by the breach were all NEXTEP customers. This makes it nearly impossible to determine the exact location(s) of the breach (i.e. it cannot be tracked down to a specific merchant or retail location). PoSeidon has also affected a Naples, FL-based POS vendor – Bevo POS – and the breach was likely responsible for compromised credit card information in over a dozen restaurants and bars in Florida.
The trend of targeting smaller businesses for the purposes of credit card fraud is further exemplified by the fact that many black market credit card shops, such as Rescator, have moved away from selling cards stolen from major retailers; instead focusing on selling batches of cards that contain data stolen from these restaurants, bars, and other small retailers.
This makes the source(s) of the breach harder to trace and subsequently, allows the hackers behind black market card sites like Rescator to continuously sell stolen information without any recourse (legal or otherwise). Protecting yourself from malware like PoSeidon is as simple as keeping track of your financial statements and immediately reporting any suspicious charges to your financial institution. Since PoSeidon directly affects the POS systems used by retailers, there is no proactive protection against this threat (at least not from a consumer standpoint).