Arbor Networks researchers recently discovered a new family of malware, codenamed Soraya, that combines memory scraping techniques found in the POS malware Dexter with form-grabbing abilities witnessed in PC Trojan virus Zeus.
Soraya has already compromised thousands of payment cards, out of which nearly 64% of compromised cards were debit cards and nearly 35% were credit cards.
The majority of these cards were issued in the US, notably Idaho, while more than 21% of cards were issued in Costa Rica and more than 11% of cards in Canada. These have the potential of further infecting home computers and point-of-sale (POS) devices.
Matt Bing and Dave Loftus, security research analysts at Arbor Networks who discovered Soraya, said that it could date back to March 2014 but was identified only in May. They were able to access payment card track data from a command-and-control server as the attacker made it temporarily available from a public location.
In a blog post, they said that use of multiple techniques in the same malware is not common but it is difficult to know how the malware is being distributed, and till now, they are not able to determine which specific businesses were affected.
"We have a general idea where some of the infections exist," Loftus said. "We have sent the compromised payment card data to the major card providers. They will likely determine the common point of purchases associated with the cards and notify the affected businesses."
Up until now, the traditional techniques for stealing data from PoS devices involved physical skimmer devices that captured track information as the card was inserted. But malware like Soraya can live on the PoS terminals themselves, enabling attackers to be less obtrusive with their operations.
Luhn Algorithm embedded in Soraya is another major issue, which has been identified. The algorithm is described as a simple technique which ensures that the 16 digit payment card number being entered is valid and not a random string of digits.
Elaborating on this, Loftus said: "A new feature of Soraya appears to be in development that enables Soraya to steal FTP credentials. Once this feature is completed, we believe Soraya will actively be sold to carders in the underground market."
Memory scraping malware like this was used as part of the Target breach and has been found in other retail attacks, as well.