Soraya malware targets payment card data on POS devices and home computers

Malware that targets POS devices and home computers has compromised thousands of payment cards.

Home computers and point-of-sale (POS) devices are both being targeted by a recently identified piece of malware that has already compromised thousands of payment cards – the majority of which were issued in the United States.

On May 23, Arbor Networks researchers discovered Soraya, a piece of malware that combines memory scraping techniques found in Dexter, a POS malware, with form grabbing abilities seen in Zeus, a trojan that impacts PCs running Windows.

Using multiple techniques in the same malware is fairly uncommon, Matt Bing and Dave Loftus, a pair of security research analysts with Arbor Networks who wrote about the threat in a Monday post, told SCMagazine.com in a Tuesday correspondence.

“Memory scraping is typically only found in malware directly targeting [POS] systems, and form grabbing is typically [used] to steal data being sent to websites, including payment card information and passwords,” Bing said.

The Soraya malware, which Bing and Loftus said likely dates back to March 2014, has already compromised thousands of payment cards.

The researchers were able to access payment card track data from a command-and-control server – the attacker made it temporarily available from a public location – and determined that more than 65 percent of cards were issued in the United States, notably in Idaho.

More than 21 percent of cards were issued in Costa Rica and more than 11 percent of cards were issued in Canada, according to the post, which adds that nearly 64 percent of compromised cards were debit cards and nearly 35 percent were credit cards.

The author of Soraya remains a mystery and there has been no solid evidence to show how the malware is being distributed, the researchers said, adding that they also have been unable to determine specific businesses or other victims that have been compromised.
