Criminals seeking more buyers with all-in-one malware

Researchers discover malware built to steal data from Web forms in browsers and payment card numbers from electronic cash registers

Security researchers have discovered multipurpose malware capable of stealing payment card numbers from electronic cash registers and data entered in Web forms through a browser.

[ATM malware, controlled by a text message, starts spewing cash]

The authors of the malware, dubbed Soraya, are also working on adding capabilities for stealing credentials for FTP servers. However, that feature is not fully baked, so researchers at Arbor Networks Security Engineering and Response Team (ASERT) are not sure how the credentials would be stolen.

"At this point, that feature hasn't been implemented, so we don't know how it will actually work," David Loftus, research analyst for ASERT, said Tuesday.

The versatility of Soraya, which means "rich" in Iranian, makes it unique, researchers said. The authors are likely trying to make their software as marketable as possible on the criminal underground.

"It's sort of an all-in-one package for the malware authors," Matthew Bing, another research analyst at ASERT, said.

The piece of Soraya that could be used in attacking retailers' electronic cash registers, called point-of-sale (POS) systems, scrapes debit- and credit-card numbers from memory after cardholders swipe their cards at the register.

The technique is similar to what was used in the Target breach that led to the theft of 10s of millions of payment card numbers during last year's holiday shopping season. Soraya is not related to the Target malware.

A twist in Soraya's memory scraping is its use of the Luhn algorithm, a formula used to determine which numbers collected are valid payment card numbers.

"Previously, RAM (random access memory) scrapers had just grabbed any 16-digit long string, but this one, Soraya, is just a little bit more sophisticated," Bing said.

At least a couple of thousand valid debit- and credit-card numbers have been stolen through Soraya and posted for sale on criminal forums, the researchers said. Most of the numbers have been taken from U.S. businesses, with the remainder from companies in Costa Rica and Canada.

POS malware has become popular on online criminal marketplaces, since the Target attack, Loftus said.

"Since the Target breach, we've seen an explosion in the different variants of point-of-sale malware," he said.

To reduce the risk of having a POS system hacked, the researchers recommend using them only for transactions, do not make them accessible from a remote location and replace default passwords with strong ones.

[Malware infections tripled in late 2013, Microsoft finds]

The side of Soraya that can steal data inputted into Web forms imitates capabilities used by the Zeus family of malware, which is popular among criminals for stealing online banking credentials.

Soraya, like other similar malware, sends captured data to a command-and-control server used by the cybercriminals.

Copyright © 2014 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)