Attacks/Breaches
12/11/2012
04:19 PM

'Dexter' Directly Attacks Point-of-Sale Systems

Attackers employ custom malware rather than physical skimmers to steal payment card information from PoS systems in 40 countries

Point-of-sale (PoS) systems at major retailers, hotel chains, and restaurants worldwide have been hit by new custom malware written specifically to target PoS software.

Researchers at Seculert, who discovered the so-called "Dexter" malware, won't name the companies whose PoS systems account for the 200 to 300 active attacks seen across 40 countries. Remote malware attacks against PoS systems aren't new, but most PoS compromises are physical skimming attacks, where the bad guys rig the devices with sniffers that steal debit- and credit-card information on-site at stores or other payment terminals.

Barnes & Noble was the most recent high-profile retailer to get owned by a PIN-pad scam. Rogue PIN pad devices discovered in September at more than 60 Barnes & Noble stores nationwide appeared to be the handiwork of a well-orchestrated financial fraud scheme that rigged just one device at each store. The compromised devices were found in some stores in California, Connecticut, Florida, New Jersey, New York, Illinois, Massachusetts, Pennsylvania, and Rhode Island.

Barnes & Noble provided few details of the compromise, except that the devices had been tampered with in some way and implanted with "bugs" that allowed the criminals to capture payment card PIN numbers. Security experts speculated that the crime involved physical tampering with the devices. It's unclear whether that attack is at all related to Dexter, however.


"We cannot comment on specific victims of the attack," says Aviv Raff, CTO at Seculert. "I can say that there are different retailers that were part of the victim list. The main idea was to see that there are attacks against such PoS systems that can be easily used to take Track 1 and Track 2 data and use that information to clone credit cards," Raff says.

This approach is actually simpler and less risky than affixing a skimmer to the PIN pad devices, he says. "The problem with a skimmer is you have to go there physically to install it. It's easier to remotely be able to hit such systems and get the same results," Raff says.

Most of the victim businesses are English-speaking, with 42 percent based in North America, and 19 percent in the U.K. The attackers behind this custom-built malware appear to speak fluent English, according to Seculert's Raff, and don't appear to be the typical Eastern European cybercrime gang. "All of the tools" they used are in English, he says.

Dexter works like this: It searches the process list in the operating system for PoS software. "It sends out memory dumps to the command-and-control server, and searches for Track 1 and Track 2 data. These track formats have very unique [markers] so they are easy to find within memory," Raff says. Some 30 percent of the targeted PoS systems were running Windows Server. Because that's not a typical OS for browsing, the initial infections were likely via drive-by Web downloads or other Web-based attacks, Raff notes. The initial infection vector remains unknown, he says.
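The same fixed structure that makes Track 1 and Track 2 data "easy to find within memory" makes it easy for defenders to flag in a memory dump or in a request body leaving a terminal. The scanner below is an added example, not Seculert's code and not anything taken from the malware: it matches the ISO/IEC 7813 Track 1 and Track 2 layouts, drops digit runs that fail the Luhn check (which cuts false positives from counters and timestamps), and reports masked PANs so an alert never re-exposes a card number. The sample buffer is constructed; the card numbers in it are the widely published test PANs, plus one decoy that fails Luhn.

```python
import re

# Track 1 (ISO/IEC 7813, format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{4})(\d{3})[^?]{0,60}\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn (mod-10) check: rejects digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four so the finding is actionable without leaking the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """One finding per track-format match in buf (a memory dump or a captured request body)."""
    text = buf.decode("latin-1")  # 1:1 byte-to-char mapping keeps offsets aligned with the buffer
    findings = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(text):
            pan = m.group(1)
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": m.group(3) if track == 1 else m.group(2),
                "luhn_valid": luhn_ok(pan),
            })
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample: filler bytes around two published test PANs and one decoy that fails Luhn.
SAMPLE_DUMP = (
    b"\x00\x00MSR-READER v2.1\x00\x00"
    b"%B5500000000000004^DOE/JANE^25121011234567890?\x00"
    b"\x90\x90junk;4111111111111111=25121011234567890?\x00"
    b";1234567890123456=2512101999?\x00\xff\xff"
)


def scan_report(buf: bytes = SAMPLE_DUMP) -> dict:
    """Summary in the shape an alerting pipeline would consume."""
    findings = find_track_data(buf)
    return {
        "matches": len(findings),
        "luhn_valid": sum(1 for f in findings if f["luhn_valid"]),
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_DUMP):
        print(finding)
```

Run over a process memory dump or an outbound request body, a Luhn-valid Track 2 hit on a host that has no business holding cleartext track data is a high-confidence signal; the decoy in the sample shows why the Luhn filter matters before anyone pages an on-call engineer.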

Researchers at Trusteer in April spotted a remote access Trojan (RAT) for sale in underground forums for $280 that targets front-desk computers at a global hotel chain. The RAT infects those computers with spyware that lifts customer payment information; it spreads via spear-phishing emails or instant messages, as well as via drive-by downloads.

"As we have mentioned in recent posts, criminals are increasingly expanding the focus of their attacks from online banking targets to enterprises. One of the reasons for this shift is that enterprise devices can yield high value digital assets when compromised," said Amit Klein, Trusteer CTO, in a blog post about the RAT.

But Dexter -- which Seculert named after a string of code found in one of the malware files -- is different from the RAT-for-sale. "It's not being sold in underground forums, and it's custom-made by a specific attacking group," Seculert's Raff says.

Dexter also uses an online tool to parse the payment card information, a stealthier approach. "Usually, malware tries to do that on the device, but that sometimes makes it easier for security solutions to identify it as an attack," he says.

Seculert's full post on Dexter, with screenshots, is here.


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

Comments
PJS880, User Rank: Ninja
12/17/2012 | 8:04:24 PM
re: 'Dexter' Directly Attacks Point-of-Sale Systems

This sounds like one nasty little malware. There is a lot of sensitive data that is kept on POS systems. Companies keep all sorts of customer information in their databases. Take, for example, a car dealership's point of view: it contains license, plate, DMV info, credit info, and purchase history. That just saved an awful lot of time that would have had to be gotten through social engineering and research. 40 countries are feeling the effects; I can't imagine that this will be as much of a threat in the near future.

Paul Sprague, InformationWeek Contributor

Mark Bower, User Rank: Apprentice
12/13/2012 | 12:52:46 AM
re: 'Dexter' Directly Attacks Point-of-Sale Systems
See my other comment and details here:
http://superconductor.voltage....
Mark Bower, User Rank: Apprentice
12/13/2012 | 12:52:18 AM
re: 'Dexter' Directly Attacks Point-of-Sale Systems
There's an easy approach for this that many merchants are already using with great success - details below. In a nutshell, never let the POS see the cardholder data, but do it in such a way that the POS doesn't have to change and can still use the protected data.

http://superconductor.voltage....

Disclaimer: I work for a vendor providing payment transaction security technology to US payment acquirers, processors, gateways and merchants.
EliSowash, User Rank: Apprentice
12/12/2012 | 2:10:05 PM
re: 'Dexter' Directly Attacks Point-of-Sale Systems
Seems to me to be fairly easy to mitigate. Keep the POS terminals off the internet. Run their outbound traffic through a central proxy and 'whitelist' the websites they can access. Close down all the other egress ports. If the malware can't check into the C&C server, this attack is largely unsuccessful. Too bad we don't know the initial infection mechanism yet, although I'll wager it's a phishing email.

Oh yeah, and take another look at PCI Req. 1.3.3.
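The proxy allowlist described in the comment above is only as good as the review of what the terminals actually tried to reach, so here is an added example (not the commenter's code) that reads Squid-style proxy log lines and reports every request from the PoS subnet to a host outside the allowlist, with the bytes sent per unexpected destination. The subnet, the allowed domains and the log lines are all constructed for the example; run it over the access log while the deny rule is still in audit mode, or afterwards to catch requests the policy let through.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed policy: PoS terminals sit in one subnet and may reach only these domains.
POS_SUBNET = ipaddress.ip_network("10.20.5.0/24")
ALLOWED_DOMAINS = ("payments.acquirer.example", "updates.pos-vendor.example")


def host_allowed(host: str) -> bool:
    """Exact match or subdomain of an allowlisted domain; bare IPs never match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def parse_squid_line(line: str):
    """Squid native access.log: ts elapsed client action/code size method url ident hier/from type."""
    parts = line.split()
    if len(parts) < 7:
        return None
    ts, _elapsed, client, action, size, method, url = parts[:7]
    if method == "CONNECT":               # CONNECT lines carry host:port rather than a URL
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return {"ts": float(ts), "client": client, "action": action,
            "size": int(size), "method": method, "host": host}


def egress_violations(lines):
    """Requests from PoS terminals to hosts outside the allowlist, plus bytes per such host."""
    hits, bytes_by_host = [], Counter()
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None:
            continue
        try:
            client = ipaddress.ip_address(rec["client"])
        except ValueError:
            continue                      # not an IP (e.g. a malformed line); skip it
        if client not in POS_SUBNET or host_allowed(rec["host"]):
            continue
        hits.append(rec)
        bytes_by_host[rec["host"]] += rec["size"]
    return hits, bytes_by_host


# Constructed sample lines in Squid native format (TEST-NET addresses, December 2012 timestamps).
SAMPLE_LOG = """\
1355328000.101 120 10.20.5.17 TCP_MISS/200 512 POST http://payments.acquirer.example/auth - HIER_DIRECT/198.51.100.5 text/xml
1355328001.202 95 10.20.5.17 TCP_MISS/200 80 GET http://updates.pos-vendor.example/agent/version - HIER_DIRECT/198.51.100.9 text/plain
1355328002.303 40 10.20.5.23 TCP_MISS/200 3100 POST http://198.51.100.77/gateway/ - HIER_DIRECT/198.51.100.77 application/octet-stream
1355328003.404 60 10.20.5.23 TCP_MISS/200 2800 CONNECT mail.example.net:443 - HIER_DIRECT/198.51.100.90 -
1355328004.505 30 10.20.9.4 TCP_MISS/200 700 GET http://intranet.example/news - HIER_DIRECT/10.0.0.5 text/html
""".splitlines()


def report(lines=SAMPLE_LOG) -> dict:
    """Compact summary: how many off-policy requests, from which terminals, to where."""
    hits, bytes_by_host = egress_violations(lines)
    return {"count": len(hits),
            "clients": sorted({h["client"] for h in hits}),
            "bytes_by_host": dict(bytes_by_host)}


if __name__ == "__main__":
    print(report())
```

A POST to a raw IP with an octet-stream body from a single terminal, as in the third sample line, is exactly the shape of traffic a memory-dump exfiltration would produce, and it is also the one thing a domain allowlist blocks by construction.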
macker490, User Rank: Ninja
12/12/2012 | 1:25:36 PM
re: 'Dexter' Directly Attacks Point-of-Sale Systems
Fixing the Point of Sale Terminal (POST)

The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor, -- with PGP

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI ( Payment Card Industry Card Service Center ) for processing and forward the cipher text to the POST.

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.
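The message flow proposed in the comment above, written out as an added example (it is not the commenter's code and not any real payment scheme) so the property it claims can be checked: the POST builds an invoice, the card returns cipher text the merchant cannot open, the service center validates, revokes or expires the card, and moves the funds, and the merchant's side never handles the account identifier. PGP is replaced by a stand-in encrypt-then-MAC construction under a per-card secret shared with the service center, purely so the block runs with the standard library; the account identifiers, merchant id and amounts are constructed.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date


# Stand-in for the card's PGP envelope: encrypt-then-MAC under a per-card secret shared with the
# service center (constructed for this example so it runs with only the standard library).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class SmartCard:
    """Customer card: holds a key id and a secret; the account number stays with the issuer."""
    def __init__(self, card_id: str, key: bytes):
        self.card_id, self._key = card_id, key

    def authorize(self, invoice: dict, approve: bool = True) -> dict:
        msg = json.dumps({"invoice": invoice, "approved": approve}).encode()
        return {"kid": self.card_id, "blob": seal(self._key, msg).hex()}  # only kid is in the clear


class ServiceCenter:
    """The comment's 'PCI service center': issues cards, keeps keys and accounts, moves funds."""
    def __init__(self):
        self.cards, self.revoked, self.ledger = {}, set(), []   # kid -> (key, account, expiry)

    def issue(self, account: str, expires: date) -> SmartCard:
        kid, key = secrets.token_hex(4), secrets.token_bytes(32)
        self.cards[kid] = (key, account, expires)
        return SmartCard(kid, key)

    def process(self, envelope: dict, merchant_id: str, today: date) -> dict:
        kid = envelope.get("kid")
        if kid in self.revoked or kid not in self.cards:
            return {"status": "REJECTED", "reason": "unknown or revoked card"}
        key, account, expires = self.cards[kid]
        if today > expires:                       # disposable cards: dead once they expire
            return {"status": "REJECTED", "reason": "card expired"}
        try:
            msg = json.loads(unseal(key, bytes.fromhex(envelope["blob"])))
        except ValueError:
            return {"status": "REJECTED", "reason": "message tampered"}
        inv = msg["invoice"]
        if not msg["approved"] or inv["merchant_id"] != merchant_id:
            return {"status": "DECLINED", "reason": "not approved for this merchant"}
        self.ledger.append((account, merchant_id, inv["amount"]))   # the EFT to the merchant
        return {"status": "APPROVED", "invoice_no": inv["invoice_no"],
                "eft_ref": f"EFT-{len(self.ledger):06d}"}


class PointOfSale:
    """The POST: builds the invoice, relays cipher text, prints the receipt; never holds PII."""
    def __init__(self, merchant_id: str, service: ServiceCenter):
        self.merchant_id, self.service, self.seen = merchant_id, service, []

    def checkout(self, card: SmartCard, invoice_no: str, amount: int, today: date) -> dict:
        invoice = {"merchant_id": self.merchant_id, "invoice_no": invoice_no, "amount": amount}
        envelope = card.authorize(invoice)             # invoice to the card, cipher text back
        self.seen.append(json.dumps(envelope))         # everything the merchant ever handles
        result = self.service.process(envelope, self.merchant_id, today)   # forward, get approval
        return {**invoice, **result, "receipt": "PAID" if result["status"] == "APPROVED" else "NOT PAID"}


def merchant_saw(pos: PointOfSale, value: str) -> bool:
    """Did a customer value ever pass through the POST in the clear?"""
    return any(value in s for s in pos.seen)


def demo() -> dict:
    sc, today = ServiceCenter(), date(2012, 12, 12)
    account = "ACCT-0001-CONSTRUCTED"                   # constructed account identifier
    card = sc.issue(account, date(2013, 12, 31))
    pos = PointOfSale("MERCHANT-42", sc)
    paid = pos.checkout(card, "INV-1001", 4999, today)
    sc.revoked.add(card.card_id)                         # card reported lost: revoke its key
    revoked = pos.checkout(card, "INV-1002", 1500, today)
    other = sc.issue("ACCT-0002-CONSTRUCTED", date(2013, 6, 30))
    env = other.authorize({"merchant_id": "MERCHANT-42", "invoice_no": "INV-1003", "amount": 10})
    env["blob"] = env["blob"][:-2] + ("00" if env["blob"][-2:] != "00" else "11")   # corrupt the tag
    return {"paid": paid, "revoked": revoked, "tampered": sc.process(env, "MERCHANT-42", today),
            "merchant_saw_account": merchant_saw(pos, account)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The check worth keeping from this is `merchant_saw`: whatever cipher the real design uses, the test that matters is that nothing the POST logs, stores or forwards contains the customer's account, which is precisely the data Dexter harvests from today's terminals.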
DarkReadingTim, User Rank: Strategist
12/12/2012 | 3:47:58 AM
re: 'Dexter' Directly Attacks Point-of-Sale Systems
There have been numerous attacks on POS systems over the years, and the technology doesn't seem to have become a lot more secure. Any readers out there hear of good solutions for securing POS?
--Tim Wilson, editor, Dark Reading