Criminals seeking more buyers with all-in-one malware

Security researchers have discovered multipurpose malware capable of stealing payment card numbers from electronic cash registers and data entered in Web forms through a browser.


The authors of the malware, dubbed Soraya, are also working on adding a capability for stealing FTP server credentials. That feature is not yet complete, so researchers at Arbor Networks' Security Engineering and Response Team (ASERT) cannot say how the credentials would be stolen.

"At this point, that feature hasn't been implemented, so we don't know how it will actually work," David Loftus, research analyst for ASERT, said Tuesday.

The versatility of Soraya, which means "rich" in Persian, makes it unique, researchers said. The authors are likely trying to make their software as marketable as possible on the criminal underground.

"It's sort of an all-in-one package for the malware authors," Matthew Bing, another research analyst at ASERT, said.

The piece of Soraya aimed at retailers' electronic cash registers, called point-of-sale (POS) systems, scrapes debit- and credit-card numbers from the memory of the POS process, where the card's track data is briefly held in cleartext after a cardholder swipes at the register and before it is encrypted for transmission to the payment processor.

The technique is similar to the one used in the Target breach that led to the theft of tens of millions of payment card numbers during last year's holiday shopping season. Soraya is not related to the Target malware.

A twist in Soraya's memory scraping is its use of the Luhn algorithm, the mod-10 checksum built into payment card numbers, to discard collected digit strings that cannot be valid card numbers before they are sent out.

"Previously, RAM (random access memory) scrapers had just grabbed any 16-digit long string, but this one, Soraya, is just a little bit more sophisticated," Bing said.
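The filtering step described above, as an added example written for this article (it is not Soraya's code and not ASERT's analysis tooling): a scanner pulls every 13-to-19-digit run out of a memory buffer, then keeps only those that pass the Luhn check. The buffer is constructed here to stand in for a POS process's memory; the card numbers in it are widely circulated test numbers, and the 16-digit "serial" and 14-digit timestamp show the kind of noise an unfiltered 16-digit grab would have swept up.

```python
"""Luhn-filtered PAN scraping over a constructed memory buffer (added example)."""
import re
from typing import List

# Payment card numbers (PANs) are 13 to 19 digits long. On a magnetic stripe the PAN is
# followed by a separator: '^' on track 1, '=' on track 2, so a digit-run regex with
# lookarounds isolates the PAN from the expiry/service-code digits that follow it.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

# Constructed sample of what sits in a POS process's memory; not captured from any system.
SAMPLE_MEMORY = (
    b"POS terminal v2.1 started\x00"
    b";4111111111111111=2512101?\x00"            # track 2 record: PAN = expiry + service code
    b"%B5500000000000004^DOE/JANE^2512101?\x00"  # track 1 style record
    b"serial=1234567890123456\x00"               # 16 digits, but fails Luhn
    b"txn 378282246310005 approved\x00"          # 15-digit (Amex-format) test PAN
    b"ts=20140603123000\x00"                     # 14-digit timestamp, fails Luhn
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit, subtracting 9 if it exceeds 9.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape(buffer: bytes, luhn_filter: bool = True) -> List[str]:
    """Return distinct PAN candidates found in buffer, in order of appearance.

    With luhn_filter=False this behaves like the older scrapers Bing describes, grabbing
    any digit run of card length; with the default it applies Soraya's extra check.
    """
    found: List[str] = []
    for m in PAN_RE.finditer(buffer):
        cand = m.group(1).decode("ascii")
        if luhn_filter and not luhn_valid(cand):
            continue
        if cand not in found:
            found.append(cand)
    return found


if __name__ == "__main__":
    raw = scrape(SAMPLE_MEMORY, luhn_filter=False)
    kept = scrape(SAMPLE_MEMORY)
    print(f"{len(raw)} digit runs of card length, {len(kept)} pass Luhn:")
    for pan in kept:
        print("  ", pan)
```

The same scanner, pointed at outbound traffic or at a memory dump of the POS process, is a cheap detection check for card data leaving a terminal in the clear. Note the caveat: Luhn is a checksum, not proof that a number was ever issued, and roughly one in ten random digit strings of a given length passes it, so the filter reduces noise rather than eliminating it.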

At least a couple of thousand valid debit- and credit-card numbers have been stolen through Soraya and posted for sale on criminal forums, the researchers said. Most of the numbers have been taken from U.S. businesses, with the remainder from companies in Costa Rica and Canada.

POS malware has become popular on online criminal marketplaces since the Target attack, Loftus said.

"Since the Target breach, we've seen an explosion in the different variants of point-of-sale malware," he said.

To reduce the risk of a POS system being compromised, the researchers recommend using it only for transactions, not exposing it to remote access, and replacing default passwords with strong ones.


The side of Soraya that steals data entered into Web forms mimics the form-grabbing capability of the Zeus family of malware, which is popular among criminals for stealing online banking credentials.

Soraya, like other similar malware, sends captured data to a command-and-control server used by the cybercriminals.

Stories by Antone Gonsalves