BreachExchange mailing list archives

Dexter malware infects point-of-sale systems worldwide, researchers say


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Tue, 11 Dec 2012 23:33:51 -0500

http://www.networkworld.com/news/2012/121112-dexter-malware-infects-point-of-sale-systems-264985.html

IDG News Service - Researchers from Israel-based IT security firm
Seculert have uncovered a custom-made piece of malware that infected
hundreds of point-of-sale (PoS) systems from businesses in 40
countries in the past few months and stole the data of tens of
thousands of payment cards.

The malware was dubbed Dexter after a text string found in some of its
components and infected Windows-based PoS systems belonging to
big-name retailers, hotels, restaurants and even private parking
providers, Seculert researchers said Tuesday in a blog post.

The company's researchers found a sample of the Dexter malware while
investigating other threats, Aviv Raff, Seculert's chief technology
officer, said Tuesday. After analyzing it, they were able to gain
access to a command and control (C&C) server hosted in the Republic of
Seychelles, where the malware uploaded the stolen payment card data,
he said.

The Dexter malware sends a list of processes running on infected
systems to the command and control server, Raff said. The attackers
then check whether any of those processes correspond to specific PoS
software and, if they do, instruct the malware to dump those
processes' memory and upload the data back to the server.

The memory dumps are then parsed with an online tool that runs on the
server and can extract payment card "Track 1" and "Track 2" data from
them. This is the information written on the magnetic stripes of
payment cards and can be used to clone them, Raff said.

Since this is an ongoing attack, it's hard to determine exactly how
many PoS systems have been compromised so far, but it's probably
between 200 and 300, Raff said. The total number of compromised
payment cards is equally hard to estimate, but tens of thousands seem
to have been compromised just in the past few weeks, he said.

According to statistics gathered from the C&C server, 30 percent of
the infected PoS systems are located in the U.S., 19 percent in the
U.K. and 9 percent in Canada. However, businesses from the
Netherlands, Spain, South Africa, Italy, France, Russia, Poland,
Brazil, Turkey and other countries have also been affected, painting
the picture of a truly international criminal operation.

The origin of the attackers is unclear, but strings found in the
malware suggest that the developers are fluent English speakers, Raff
said. Malware writers tend to use words in their own language in the
code, especially when they create custom tools like this one, he said.

A little over 50 percent of the infected systems run Windows XP, 17
percent run Windows Home Server, 9 percent run Windows Server 2003 and
7 percent run Windows 7.

The method used to infect these systems has not been determined yet,
but given that many of them run Windows Server and are most likely not
used for Web browsing, Raff believes that the attackers probably
compromised other computers on the same networks first and then
infected the PoS systems.

When Seculert's researchers found the Dexter sample, there were some
antivirus programs that already detected it as malicious, Raff said.
The company has since shared it with other vendors from the security
industry, he said.

There seems to be a growing trend of cybercriminals infecting PoS
systems with malware. Two weeks ago, Romanian authorities arrested 16
suspected members of a cybercrime ring that installed
transaction-data-stealing malware on PoS systems belonging to foreign
companies operating gas stations and grocery stores.

According to the authorities, the stolen data was either sold on
underground websites or was used to create counterfeit payment cards.
It's estimated that the criminal operation resulted in fraudulent
transactions totaling over $25 million being performed with 500,000
payment cards.

It was later revealed that the companies targeted by the Romanian gang
were mainly from Australia, so the gang behind the Dexter malware is
probably a different one. However, Raff agreed that the methods of
operation are very similar.

Raff said that if the targeted companies had encrypted the data
directly on the hardware PoS terminals before sending it out to their
payment processing providers, a method commonly known as end-to-end
encryption, attacks like the ones based on the Dexter malware could
have been prevented.

However, the adoption of end-to-end encryption technology for
card-present transactions is currently low, because it often requires
the replacement of all PoS devices with newer models capable of
encrypting the data.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
