
Soraya malware targets payment card data on POS devices and home computers

Home computers and point-of-sale (POS) devices are both being targeted by a recently identified piece of malware that has already compromised thousands of payment cards – the majority of which were issued in the United States.

On May 23, Arbor Networks researchers discovered Soraya, a piece of malware that combines memory scraping techniques found in Dexter, a POS malware, with form grabbing abilities seen in Zeus, a trojan that impacts PCs running Windows.

Using multiple techniques in the same malware is fairly uncommon, according to Matt Bing and Dave Loftus, a pair of security research analysts with Arbor Networks who wrote about the threat in a Monday post and spoke with SCMagazine.com in a Tuesday correspondence.

“Memory scraping is typically only found in malware directly targeting [POS] systems, and form grabbing is typically [used] to steal data being sent to websites, including payment card information and passwords,” Bing said.

The Soraya malware, which Bing and Loftus said likely dates back to March 2014, has already compromised thousands of payment cards.

The researchers were able to access payment card track data from a command-and-control server – the attacker made it temporarily available from a public location – and determined that more than 65 percent of cards were issued in the United States, notably in Idaho.

More than 21 percent of cards were issued in Costa Rica and more than 11 percent of cards were issued in Canada, according to the post, which adds that nearly 64 percent of compromised cards were debit cards and nearly 35 percent were credit cards.

The author of Soraya remains a mystery and there has been no solid evidence to show how the malware is being distributed, the researchers said, adding that they also have been unable to determine specific businesses or other victims that have been compromised.

“We have a general idea where some of the infections exist,” Loftus said. “We have sent the compromised payment card data to the major card providers. They will likely determine the common point of purchases associated with the cards and notify the affected businesses.”

Another nifty feature of Soraya is that it incorporates the Luhn algorithm, a simple checksum that confirms a 16-digit payment card number is well formed rather than a random string of digits, Bing said. He noted that passing the Luhn check does not ensure the number can actually be used for payment.
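As an added example (not code from the article or from Arbor's write-up), here is the Luhn check the article mentions, applied the way a defender would use it: filtering 16-digit candidates found in logs or memory dumps so that only checksum-valid numbers are flagged, then masking them before they are reported. The check itself works for card numbers of any length, not only the 16-digit case described above; the regular expression, the `find_card_numbers` helper and the sample text are constructed assumptions.

```python
import re


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Works for any length (the article describes the 16-digit case).
    A passing checksum only means the number is well formed; it says
    nothing about whether the card exists or can be charged.
    """
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit,
    # subtracting 9 when the doubled value has two digits.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed pattern: 16 digits, optionally separated by a single space
# or hyphen, not embedded inside a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def find_card_numbers(text: str) -> list:
    """Return masked 16-digit candidates from text that pass the Luhn check.

    Candidates failing the checksum (random digit strings, order ids) are
    dropped, which is the same filtering step the article attributes to
    Soraya, here used to cut false positives when scanning for leaked PANs.
    """
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            # Keep only BIN and last four so the report itself is not a leak.
            hits.append(digits[:6] + "*" * 6 + digits[-4:])
    return hits


# Constructed sample: two well-known test PANs that pass Luhn and one
# random-looking 16-digit string that does not.
SAMPLE = "order 4111 1111 1111 1111 ok; ref 1234567890123456; id 5555555555554444"

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE))
```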

“A new feature of Soraya appears to be in development that enables Soraya to steal FTP credentials,” Loftus said. “Once this feature is completed, we believe Soraya will actively be sold to carders in the underground market.”

From a business perspective, protecting against the Soraya threat involves using POS terminals dedicated exclusively for POS transactions, not using default credentials on POS devices, and ensuring that remote access to POS devices is restricted or disabled, according to the researchers.
