'Dexter' Directly Attacks Point-of-Sale Systems

Attackers employ custom malware rather than physical skimmers to steal payment card information from PoS systems in 40 countries
Point-of-sale (PoS) systems at major retailers, hotel chains, and restaurants worldwide have been hit by new custom-built malware written to lift payment card data directly from the PoS software.

Researchers at Seculert, who discovered the so-called "Dexter" malware, won't name the companies behind the 200 to 300 active infections they have observed across 40 countries. Remote malware attacks against PoS systems aren't new, but most PoS compromises are physical skimming attacks, in which the criminals rig the devices with sniffers that capture debit- and credit-card data on-site at the store or other payment terminal.

Barnes & Noble was the most recent high-profile retailer to get owned by a PIN-pad scam. Rogue PIN pad devices discovered in September at more than 60 Barnes & Noble stores nationwide appeared to be the handiwork of a well-orchestrated financial fraud scheme that rigged just one device at each store. The compromised devices were found in some stores in California, Connecticut, Florida, New Jersey, New York, Illinois, Massachusetts, Pennsylvania, and Rhode Island.

Barnes & Noble provided few details of the compromise, except that the devices had been tampered with in some way and implanted with "bugs" that allowed the criminals to capture payment card PINs. Security experts speculated that the crime involved physical tampering with the devices. It's unclear whether that attack is at all related to Dexter, however.


"We cannot comment on specific victims of the attack," says Aviv Raff, CTO at Seculert. "I can say that there are different retailers that were part of the victim list. The main idea was to see that there are attacks against such PoS systems that can be easily used to take Track 1 and Track 2 data and use that information to clone credit cards," Raff says.

This approach is actually simpler and less risky than affixing a skimmer to the PIN pad devices, he says. "The problem with a skimmer is you have to go there physically to install it. It's easier to remotely be able to hit such systems and get the same results," Raff says.

Most of the victim businesses are in English-speaking countries, with 42 percent based in North America and 19 percent in the U.K. The attackers behind this custom-built malware appear to speak fluent English, according to Seculert's Raff, and don't appear to be the typical Eastern European cybercrime gang. "All of the tools" they used are in English, he says.

Dexter works like this: It searches the operating system's process list for PoS software. "It sends out memory dumps to the command-and-control server, and searches for Track 1 and Track 2 data. These track formats have very unique [markers] so they are easy to find within memory," Raff says. Some 30 percent of the targeted PoS systems were running Windows Server. Because that is not an OS typically used for Web browsing, drive-by downloads or other Web-based attacks are an unlikely way for those machines to have been infected, Raff notes. The initial infection vector remains unknown, he says.

Researchers at Trusteer in April spotted a remote access Trojan (RAT) for sale for $280 in underground forums that targets front-desk computers at a global hotel chain. The RAT infects those computers with spyware that lifts customer payment information; it spreads via spear-phishing emails or instant messages, as well as via drive-by downloads.

"As we have mentioned in recent posts, criminals are increasingly expanding the focus of their attacks from online banking targets to enterprises. One of the reasons for this shift is that enterprise devices can yield high value digital assets when compromised," said Amit Klein, Trusteer CTO, in a blog post about the RAT.

But Dexter -- which Seculert named after a string found in one of the malware files -- is different from the RAT-for-sale. "It's not being sold in underground forums, and it's custom-made by a specific attacking group," Seculert's Raff says.

Dexter also parses the captured card data with an online tool on the attackers' side rather than on the infected PoS machine, a stealthier approach. "Usually, malware tries to do that on the device, but that sometimes makes it easier for security solutions to identify it as an attack," he says.

Seculert's full post on Dexter includes screenshots of the malware's command-and-control panel and files.
