Soraya malware targets payment card data on POS devices and home computers

Share this article:
Study finds payment card info most compromised, breach detection lags
Malware that targets POS devices and home computers has compromised thousands of payment cards.

Home computers and point-of-sale (POS) devices are both being targeted by a recently identified piece of malware that has already compromised thousands of payment cards – the majority of which were issued in the United States.

On May 23, Arbor Networks researchers discovered Soraya, a piece of malware that combines memory scraping techniques found in Dexter, a POS malware, with form grabbing abilities seen in Zeus, a trojan that impacts PCs running Windows.

Using multiple techniques in the same malware is fairly uncommon, Matt Bing and Dave Loftus, a pair of security research analysts with Arbor Networks who wrote about the threat in a Monday post, told SCMagazine.com in a Tuesday correspondence.

“Memory scraping is typically only found in malware directly targeting [POS] systems, and form grabbing is typically [used] to steal data being sent to websites, including payment card information and passwords,” Bing said.

The Soraya malware, which Bing and Loftus said likely dates back to March 2014, has already compromised thousands of payment cards.

The researchers were able to access payment card track data from a command-and-control server – the attacker made it temporarily available from a public location – and determined that more than 65 percent of cards were issued in the United States, notably in Idaho.

More than 21 percent of cards were issued in Costa Rica and more than 11 percent of cards were issued in Canada, according to the post, which adds that nearly 64 percent of compromised cards were debit cards and nearly 35 percent were credit cards.

The author of Soraya remains a mystery and there has been no solid evidence to show how the malware is being distributed, the researchers said, adding that they also have been unable to determine specific businesses or other victims that have been compromised.

Page 1 of 2
Share this article:

Sign up to our newsletters

More in News

New backdoor 'Baccamun' spreads through ActiveX exploit

Symantec researchers revealed that the backdoor is dropped after attackers exploit a Windows ActiveX vulnerability.

Outdated browsers put U.K. users at risk of malware

A blog post on Check and Secure website said 70 percent of U.K. users haven't fully updated their internet browsers

Survey: 53 percent change privileged logins quarterly

A Lieberman Software survey highlights the issue or poor password management, even among security pros.