12/11/2012
04:19 PM

'Dexter' Directly Attacks Point-of-Sale Systems

Attackers employ custom malware rather than physical skimmers to steal payment card information from PoS systems in 40 countries

Point-of-sale (PoS) systems at major retailers, hotel chains, and restaurants worldwide have been hit by new custom malware that targets the PoS.

Researchers at Seculert, who discovered the so-called "Dexter" malware, won't name the companies whose PoS systems account for the 200 to 300 active attacks across 40 countries. Remote malware attacks against PoS systems aren't new, but most PoSes fall victim to physical skimming attacks, in which the bad guys rig the devices with sniffers that steal debit- and credit-card information on-site at stores or other payment machines.

Barnes & Noble was the most recent high-profile retailer to get owned by a PIN-pad scam. Rogue PIN pad devices discovered in September at more than 60 Barnes & Noble stores nationwide appeared to be the handiwork of a well-orchestrated financial fraud scheme that rigged just one device at each store. The compromised devices were found in some stores in California, Connecticut, Florida, New Jersey, New York, Illinois, Massachusetts, Pennsylvania, and Rhode Island.

Barnes & Noble provided few details of the compromise, except that the devices had been tampered with in some way and implanted with "bugs" that allowed the criminals to capture payment card PINs. Security experts speculated that the crime involved physical tampering with the devices. It's unclear whether that attack is at all related to Dexter, however.

"We cannot comment on specific victims of the attack," says Aviv Raff, CTO at Seculert. "I can say that there are different retailers that were part of the victim list. The main idea was to see that there are attacks against such PoS systems that can be easily used to take Track 1 and Track 2 data and use that information to clone credit cards," Raff says.

This approach is actually simpler and less risky than affixing a skimmer to the PIN pad devices, he says. "The problem with a skimmer is you have to go there physically to install it. It's easier to remotely be able to hit such systems and get the same results," Raff says.

Most of the victim businesses are English-speaking, with 42 percent based in North America, and 19 percent in the U.K. The attackers behind this custom-built malware appear to speak fluent English, according to Seculert's Raff, and don't appear to be the typical Eastern European cybercrime gang. "All of the tools" they used are in English, he says.

Dexter works like this: It searches the process list in the operating system for PoS software. "It sends out memory dumps to the command-and-control server, and searches for Track 1 and Track 2 data. These track formats have very unique [markers] so they are easy to find within memory," Raff says. Some 30 percent of the targeted PoS systems were running Windows Server. Because that's not a typical OS for browsing, the initial infections were likely via drive-by Web downloads or other Web-based attacks, Raff notes. The initial infection vector remains unknown, he says.
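One defensive check that follows from the memory-scraping behaviour described above, as an added example that is not from the article or from Seculert: scan a byte blob (a PoS process memory dump taken during incident response, or a payload captured at the egress proxy) for Track 1 and Track 2 formatted records, confirm each PAN with the Luhn check to cut false positives, and report masked findings. The sample blob, the process name and the card numbers are constructed (public test numbers, not real accounts).

```python
import re

# Constructed sample of what a defender might see in a PoS process memory dump
# or in an outbound payload. The card numbers are public test numbers.
SAMPLE_BLOB = (
    b"\x00\x00POSAPP.EXE\x00"
    b"%B4111111111111111^DOE/JANE^25121010000000000000?"  # Track 1 record
    b"\x00\x00;5555555555554444=25121010000012345?\x00"   # Track 2 record
    b";1234567890123456=25121010000012345?"               # Track 2 shape, fails Luhn
    b"\x00log: order 4242 complete\x00"
)

# Track 1: %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^\^\?]{2,26})\^(\d{4})[^\?]{0,100}\?")
# Track 2: ;<PAN>=<YYMM><service code + discretionary data>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})\d{0,33}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test: rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits so a finding can be logged without exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> list:
    """Return masked findings, ordered by offset, for every Track 1 / Track 2 record in the blob."""
    findings = []
    for m in TRACK1.finditer(blob):
        pan = m.group(1).decode()
        findings.append({"track": 1, "offset": m.start(), "pan": mask(pan),
                         "name": m.group(2).decode(errors="replace"),
                         "expiry": m.group(3).decode(), "luhn": luhn_ok(pan)})
    for m in TRACK2.finditer(blob):
        pan = m.group(1).decode()
        findings.append({"track": 2, "offset": m.start(), "pan": mask(pan),
                         "expiry": m.group(2).decode(), "luhn": luhn_ok(pan)})
    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_BLOB):
        print(finding)
```

A Luhn-valid hit inside a process that should never hold clear track data, or in traffic leaving the store network, is the signal worth alerting on; the masked PAN lets the alert be logged without itself becoming cardholder data.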

Researchers at Trusteer in April spotted a remote access Trojan (RAT) tool, for sale in underground forums for $280, that targets hotel computers at a global hotel chain. The RAT infects hotel front-desk computers with spyware that lifts customer payment information; it spreads via spear-phishing emails or instant messages, as well as via drive-by downloads.

"As we have mentioned in recent posts, criminals are increasingly expanding the focus of their attacks from online banking targets to enterprises. One of the reasons for this shift is that enterprise devices can yield high value digital assets when compromised," said Amit Klein, Trusteer CTO, in a blog post about the RAT.

But Dexter -- which Seculert named after a string of code found in one of the malware files -- differs from the RAT-for-sale. "It's not being sold in underground forums, and it's custom-made by a specific attacking group," Seculert's Raff says.

Dexter also uses an online tool to parse the payment card information, a stealthier approach. "Usually, malware tries to do that on the device, but that sometimes makes it easier for security solutions to identify it as an attack," he says.

Seculert's full post on Dexter, with screenshots, is here.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
PJS880
User Rank: Ninja
12/17/2012 | 8:04:24 PM
re: 'Dexter' Directly Attacks Point-of-Sale Systems
This sounds like one nasty little malware. There is a lot of sensitive data that is kept on POS systems. Companies keep all sorts of customer information in their databases. Take for example a car dealership's point of view: it contains license, plate, DMV info, credit info, and purchase history. That just saved an awful lot of time that would have had to be gotten through social engineering and research. 40 countries are feeling the effects; I can't imagine that this will be as much of a that in the near future.

Paul Sprague, InformationWeek Contributor

Mark Bower
User Rank: Apprentice
12/13/2012 | 12:52:46 AM
re: 'Dexter' Directly Attacks Point-of-Sale Systems
See my other comment and details here:
http://superconductor.voltage....
Mark Bower
User Rank: Apprentice
12/13/2012 | 12:52:18 AM
re: 'Dexter' Directly Attacks Point-of-Sale Systems
There's an easy approach for this that many merchants are already using with great success - details below. In a nutshell, never let the POS see the cardholder data, but do it in such a way that the POS doesn't have to change and can still use the protected data.

http://superconductor.voltage....

Disclaimer: I work for a vendor providing payment transaction security technology to US payment acquirers, processors, gateways and merchants.
EliSowash
User Rank: Apprentice
12/12/2012 | 2:10:05 PM
re: 'Dexter' Directly Attacks Point-of-Sale Systems
Seems to me to be fairly easy to mitigate. Keep the POS terminals off the internet. Run their outbound traffic through a central proxy and 'whitelist' the websites they can access. Close down all the other egress ports. If the malware can't check into the C&C server, this attack is largely unsuccessful. Too bad we don't know the initial infection mechanism yet, although I'll wager it's a phishing email.

Oh yeah, and take another look at PCI Req. 1.3.3.
macker490
User Rank: Ninja
12/12/2012 | 1:25:36 PM
re: 'Dexter' Directly Attacks Point-of-Sale Systems
Fixing the Point of Sale Terminal (POST)

The POST will need to be re-designed to accept customer "Smart Cards"

The Customer Smart Card will need an on-board processor, -- with PGP

When the customer presents the card it DOES NOT send the customer's card number to the POST. Instead, the POST will submit an INVOICE to the customer's card. On customer approval the customer's card will encrypt the invoice together with authorization for payment to the PCI (Payment Card Industry Card Service Center) for processing and forward the cipher text to the POST.

Neither the POST nor the merchant's computer can read the authorizing message because it is PGP encrypted for the PCI service. Therefore the merchant's POST must forward the authorizing message cipher text to the PCI service center.

On approval the PCI Service Center will return an approval note to the POST and an EFT from the customer's account to the merchant's account.

The POST will then print the PAID invoice. The customer picks up the merchandise and the transaction is complete.

The merchant never knows who the customer was: the merchant never has ANY of the customer's PII data.

Cards are NOT updated. They are DISPOSABLE and are replaced at least once a year -- when the PGP signatures are set to expire. Note that PGP signatures can also be REVOKED if the card is lost.
DarkReadingTim
User Rank: Strategist
12/12/2012 | 3:47:58 AM
re: 'Dexter' Directly Attacks Point-of-Sale Systems
There have been numerous attacks on POS systems over the years, and the technology doesn't seem to have become a lot more secure. Any readers out there hear of good solutions for securing POS?
--Tim Wilson, editor, Dark Reading