Attacks/Breaches
12/11/2012
04:19 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Dexter' Directly Attacks Point-of-Sale Systems

Attackers employ custom malware rather than physical skimmers to steal payment card information from PoS systems in 40 countries

Point-of-sale (PoS) systems at major retailers, hotel chains, and restaurants worldwide have been hit by new custom malware that targets the PoS.

Researchers at Seculert, who discovered the so-called "Dexter" malware, won't name names of the companies with the 200 to 300 active attacks against their PoS systems across 40 countries. Remote malware attacks against PoS systems aren't new, but most PoSes fall victim to physical skimming attacks, where the bad guys rig the devices with sniffers that steal debit- and credit-card information on-site at the stores or other payment machines.

Barnes & Noble was the most recent high-profile retailer to get owned by a PIN-pad scam. Rogue PIN pad devices discovered in September at more than 60 Barnes & Noble stores nationwide appeared to be the handiwork of a well-orchestrated financial fraud scheme that rigged just one device at each store. The compromised devices were found in some stores in California, Connecticut, Florida, New Jersey, New York, Illinois, Massachusetts, Pennsylvania, and Rhode Island.

Barnes & Noble provided few details of the compromise, except that the devices had been tampered with in some way and implanted with "bugs" that allowed the criminals to capture payment card PIN numbers. Security experts speculated that the crime involved physical tampering with the devices. It's unclear whether that attack is at all related to Dexter, however.

[Rogue PIN pad devices discovered at more than 60 Barnes & Noble stores nationwide appear to be the handiwork of a well-orchestrated financial fraud scheme that rigged just one device at each store. See Barnes & Noble Stores Targeted In Nationwide Payment Card-Skimming Scam.]

"We cannot comment on specific victims of the attack," says Aviv Raff, CTO at Seculert. "I can say that there are different retailers that were part of the victim list. The main idea was to see that there are attacks against such PoS systems that can be easily used to take Track 1 and Track 2 data and use that information to clone credit cards," Raff says.

This approach is actually simpler and less risky than affixing a skimmer to the PIN pad devices, he says. "The problem with a skimmer is you have to go there physically to install it. It's easier to remotely be able to hit such systems and get the same results," Raff says.

Most of the victim businesses are English-speaking, with 42 percent based in North America, and 19 percent in the U.K. The attackers behind this custom-built malware appear to speak fluent English, according to Seculert's Raff, and don't appear to be the typical Eastern European cybercrime gang. "All of the tools" they used are in English, he says.

Dexter works like this: It searches the process list in the operating system for PoS software. "It sends out memory dumps to the command-and-control server, and searches for Track 1 and Track 2 data. These track formats have very unique [markers] so they are easy to find within memory," Raff says. Some 30 percent of the targeted PoS systems were running Windows Server. Because that's not a typical OS for browsing, the initial infections were likely via drive-by Web downloads or other Web-based attacks, Raff notes. The initial infection vector remains unknown, he says.

Researchers at Trusteer in April spotted a remote access Trojan (RAT) tool for sale for $280 in underground forums that targets hotel computers at a global hotel chain. The RAT infects hotel front-desk computers with spyware that lifts customer payment information: It spreads via spear-phishing emails or instant messages, as well as via drive by downloads.

"As we have mentioned in recent posts, criminals are increasingly expanding the focus of their attacks from online banking targets to enterprises. One of the reasons for this shift is that enterprise devices can yield high value digital assets when compromised," said Amit Klein, Trusteer CTO, in a blog post about the RAT.

But Dexter -- which Seculert named after a string of code found in one of the malware files -- is different than the RAT-for-sale. "It's not being sold in underground forums, and it's custom-made by a specific attacking group," Seculert's Raff says.

Dexter also uses an online tool to parse the payment card information, a stealthier approach. "Usually, malware tries to do that on the device, but that sometimes makes it easier for security solutions to identify it as an attack," he says.

Seculert's full post on Dexter, with screenshots, is here.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
12/17/2012 | 8:04:24 PM
re: 'Dexter' Directly Attacks Point-of-Sale Systems





This
sounds like one nasty little malware. There is a lot of sensitive
data that is kept on POS systems. Companies keep all sorts of
customer information in their databases. Take for example a car
dealerships point of view contains license, plate, dmv info, credit
info., and purchase history. That just saved an awful lot of time
that would have had to been gotten through social engineering and
research. 40 countries are feeling the effects I can't imagine that
this will be as much of a that in the near future.

Paul
Sprague

InformationWeek
Contributor

Mark Bower
50%
50%
Mark Bower,
User Rank: Apprentice
12/13/2012 | 12:52:46 AM
re: 'Dexter' Directly Attacks Point-of-Sale Systems
See my other comment and details here:
http://superconductor.voltage....
Mark Bower
50%
50%
Mark Bower,
User Rank: Apprentice
12/13/2012 | 12:52:18 AM
re: 'Dexter' Directly Attacks Point-of-Sale Systems
There's an easy approach for this that many merchants are already using with great success - details below. In a nutshell, never let the POS see the cardholder data, but do it in such as way that the POS doesn't have to change and can still use the protected data.

http://superconductor.voltage....

Disclaimer: I work for a vendor providing payment transaction security technology to US payment acquirers, processors, gateways and merchants.
EliSowash
50%
50%
EliSowash,
User Rank: Apprentice
12/12/2012 | 2:10:05 PM
re: 'Dexter' Directly Attacks Point-of-Sale Systems
Seems to me to be fairly easy to mitigate. Keep the POS terminals off the internet. Run their outbound-átraffic through a central proxy and 'whitelist' the websites they can access. Close down all the other egress ports. If the malware can't check into the C&C server, this attack is largely unsuccessful. Too bad we don't know the initial infection mechanism yet, although I'll wager it's-áa phishing email.

Oh yeah, and take another look at PCI-áReq. 1.3.3.
macker490
50%
50%
macker490,
User Rank: Ninja
12/12/2012 | 1:25:36 PM
re: 'Dexter' Directly Attacks Point-of-Sale Systems
Fixing the Point of Sale Terminal (POST)

The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor, -- with PGP

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI ( Payment Card Industry Card Service Center ) for processing and forward the cipher text to the POST

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.
DarkReadingTim
50%
50%
DarkReadingTim,
User Rank: Strategist
12/12/2012 | 3:47:58 AM
re: 'Dexter' Directly Attacks Point-of-Sale Systems
There have been numerous attacks on POS systems over the years, and the technology doesn't seem to have become a lot more secure. Any readers out there hear of good solutions for securing POS?
--Tim Wilson, editor, Dark Reading
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4973
Published: 2014-09-23
The ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the Firewall Module Build 1183 (20140214) and earlier in ESET Smart Security and ESET Endpoint Security products 5.0 through 7.0 allows local users to gain privileges via a crafted argument to a 0x830020CC IOCTL call.

CVE-2014-5392
Published: 2014-09-23
XML External Entity (XXE) vulnerability in JobScheduler before 1.6.4246 and 7.x before 1.7.4241 allows remote attackers to cause a denial of service and read arbitrary files or directories via a request containing an XML external entity declaration in conjunction with an entity reference.

CVE-2014-6646
Published: 2014-09-23
The bellyhoodcom (aka com.tapatalk.bellyhoodcom) application 3.4.23 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6647
Published: 2014-09-23
The ElForro.com (aka com.tapatalk.elforrocom) application 2.4.3.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6648
Published: 2014-09-23
The iPhone4.TW (aka com.tapatalk.iPhone4TWforums) application 3.3.20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio