Infosec researchers and the fraud threat-detection firm Seculert are reporting that a point-of-sale malware program named Dexter is behind 200 to 300 active infections of merchant systems in 40 countries. Some 42% of the infections are in North America and 19% are in the United Kingdom.
Seculert published a detailed blog entry on its site on Tuesday. The infections occurred over the past two to three months. The fraudsters installed the malware on the systems of “big-name retailers, hotels, restaurants and even private parking providers” running various versions of the Windows operating system, according to the post.
Dexter steals the process list from the infected machine and parses memory dumps of specific POS-related processes, looking for Track 1 / Track 2 magnetic-stripe data that sits in memory in the clear while a transaction is being handled. That data will most likely be used by the criminals to clone the cards that were swiped at the targeted POS system.
How the POS systems are being compromised is not yet known for certain, but by observing Dexter’s administration panel Seculert was able to determine that over 30 percent of the targeted POS systems were running Windows Server. That is an unusually high share for the usual “web-based social engineering” or “drive-by download” infection methods, which depend on someone browsing or opening mail from the machine, something servers are rarely used for.
One astute commenter on the blog post asked:
Are the targeted systems POS devices, or back office servers?
I ask, as when I was performing these types of exams, we found RAM scrapers on the back office server…the actual POS devices themselves didn’t run Windows.
If the POS devices are what’s being compromised, that’s interesting…many smaller organizations may have many POS devices, but only one back office server.
How would you think that the bad guy is gaining access to the POS device?
Dark Reading has quotes from Seculert, additional commentary that discusses Seculert’s findings, and more detail on the Barnes & Noble point-of-sale attack.
Remote malware attacks against PoS systems aren’t new, but most PoSes fall victim to physical skimming attacks, where the bad guys rig the devices with sniffers that steal debit- and credit-card information on-site at the stores or other payment machines. Barnes & Noble was the most recent high-profile retailer to get owned by a PIN-pad scam. Rogue PIN pad devices discovered in September at more than 60 Barnes & Noble stores nationwide appeared to be the handiwork of a well-orchestrated financial fraud scheme that rigged just one device at each store.
Barnes & Noble provided few details of the compromise, except that the devices had been tampered with in some way and implanted with “bugs” that allowed the criminals to capture payment card PIN numbers. Security experts speculated that the crime involved physical tampering with the devices. It’s unclear whether that attack is at all related to Dexter, however.