'Dexter' Malware Caught Swiping Credit Card Numbers From POS Systems

Known as Dexter, the malware has been at the center of attacks on POS devices in more than 40 countries, including the United States.

A new piece of malware is targeting point-of-sale (POS) systems at retailers, hotel chains and other businesses worldwide.

According to Seculert, the malware—known as "Dexter"—has been used in hundreds of attacks during the past two to three months. The malware has hit systems in 40 different countries, with the largest percentage (42 percent) in North America and 19 percent in the United Kingdom.

"Instead of going through the trouble of infecting tens of thousands of consumer PCs or physically installing a skimmer, an attacker can achieve the same results by targeting just a few POS systems with specially crafted malware," blogged Seculert CTO Aviv Raff. "Dexter is one example of such malware."

Retailers and their POS systems are being targeted increasingly by attackers. In October, federal authorities announced they were investigating a massive fraud operation discovered at 63 Barnes & Noble stores across the United States where PIN pad devices were tampered with as part of a scheme to steal debit and credit card information. The investigation was launched after Barnes & Noble revealed that a PIN pad in each of the affected stores had been compromised. In response to the discovery, the chain discontinued use of all PIN pads in its nearly 700 stores nationwide.

It is not clear if the attacks on the Barnes & Noble stores are linked to Dexter, and Seculert did not name any of the businesses affected.

"How POS systems are targeted is yet to be known for sure, but by observing the administration panel of Dexter ... Seculert was able to identify that over 30 percent of the targeted POS systems were using Windows Servers," Raff blogged. "This is an unusual number for regular 'Web-based social engineering' or 'drive-by download' infection methods."

According to Raff, the malware collects the process list from the infected machine and parses memory dumps of specific POS software-related processes in search of Track 1/Track 2 credit card data, i.e., the magnetic-stripe contents held in memory while a transaction is processed. The data will most likely be used by cyber-criminals to clone the credit cards used on the targeted POS system, he said.

"POS systems are often the weak link in the chain and the choice of malware," said Mark Bower, vice president at Voltage Security. "They should be isolated from other networks, but often are connected. And as a checkout is in constant use, they are less frequently patched and updated and thus vulnerable to all manner of malware compromise."

This is why the PCI Council supports point-to-point encryption, he said, adding that for most merchants, the solution for dealing with risks of this kind is to encrypt payment card data before it gets to the POS or checkout. With Format-Preserving Encryption (FPE), mag-stripe data such as credit card numbers are all protected while retaining the track and primary account number structure and format, he said.

"If the POS is breached, the data will be useless to the attacker," he said. "The trick is getting it right so that even though the data is protected and secure, it's still compatible with the payment applications in the merchant's systems and in the POS itself. That's where Format-Preserving Encryption (FPE) comes in—the NIST-recognized FFX mode AES [Advanced Encryption Standard] in particular.

"The good news is that savvy merchants are already tackling this risk and giving the malware nothing to steal through solutions that also have a dramatic cost-reducing benefit to PCI compliance," he added.
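To make concrete what "format-preserving" means in Bower's remarks above, the following is an added example written for this article; it is not Voltage's product code and not the NIST FFX/FF1 algorithm itself. It uses the same shape as FFX (an alternating Feistel network over decimal digits, with the issuer prefix and last four digits kept in the clear and used as a tweak) but substitutes HMAC-SHA256 for the AES-based round function and omits FF1's exact encoding details, so it should be read as an illustration of the construction rather than a drop-in implementation; a production deployment should use a vetted FF1 library. The key, PAN and Track 2 string are constructed demo values.

```python
import hmac
import hashlib
import re

ROUNDS = 10
# Demo-only key; a real deployment derives keys from an HSM or key manager.
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def _prf(key: bytes, tweak: bytes, rnd: int, digits: str, width: int) -> int:
    """Round function: HMAC-SHA256 over (tweak, round number, input digits),
    reduced to a `width`-digit decimal number. (FF1 uses AES-CBC-MAC here.)"""
    mac = hmac.new(key, tweak + bytes([rnd]) + digits.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** width)


def _feistel(digits: str, key: bytes, tweak: bytes, encrypt: bool) -> str:
    """Alternating Feistel network over a decimal string; output has the same
    length and character set as the input, and the same tweak/key inverts it."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need at least two decimal digits")
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    rounds = range(ROUNDS) if encrypt else range(ROUNDS - 1, -1, -1)
    for i in rounds:
        m = u if i % 2 == 0 else v          # width of the half being replaced
        if encrypt:
            c = (int(a) + _prf(key, tweak, i, b, m)) % (10 ** m)
            a, b = b, str(c).zfill(m)
        else:
            c = (int(b) - _prf(key, tweak, i, a, m)) % (10 ** m)
            a, b = str(c).zfill(m), a
    return a + b


def encrypt_pan(pan: str, key: bytes, keep_head: int = 6, keep_tail: int = 4) -> str:
    """Encrypt the middle digits of a PAN, keeping the issuer prefix (BIN) and
    last four digits visible; those cleartext digits also serve as the tweak."""
    if not pan.isdigit():
        raise ValueError("PAN must be decimal digits")
    head, mid, tail = pan[:keep_head], pan[keep_head:len(pan) - keep_tail], pan[len(pan) - keep_tail:]
    return head + _feistel(mid, key, (head + tail).encode(), True) + tail


def decrypt_pan(pan: str, key: bytes, keep_head: int = 6, keep_tail: int = 4) -> str:
    """Inverse of encrypt_pan under the same key."""
    if not pan.isdigit():
        raise ValueError("PAN must be decimal digits")
    head, mid, tail = pan[:keep_head], pan[keep_head:len(pan) - keep_tail], pan[len(pan) - keep_tail:]
    return head + _feistel(mid, key, (head + tail).encode(), False) + tail


def protect_track2(track2: str, key: bytes) -> str:
    """Replace the PAN inside a Track 2 string, leaving the ;=? structure, expiry
    and service code untouched so downstream parsers still accept the record."""
    m = re.fullmatch(r";(\d{13,19})(=\d{4}\d{3}[^?]*\?)", track2)
    if m is None:
        raise ValueError("not a Track 2 record")
    return ";" + encrypt_pan(m.group(1), key) + m.group(2)


if __name__ == "__main__":
    pan = "4111111111111111"                     # constructed test PAN
    ct = encrypt_pan(pan, DEMO_KEY)
    print(pan, "->", ct, "->", decrypt_pan(ct, DEMO_KEY))
    print(protect_track2(";4111111111111111=25121011234567890?", DEMO_KEY))
```

The point the example makes is the one Bower raises: the protected PAN is still sixteen digits with the same BIN and last four, and the protected Track 2 record still parses as Track 2, so a memory scraper sees data that looks valid but is worthless without the key. Two caveats a practitioner should keep in mind: "format" here means length and character set, not the Luhn check digit, which this construction does not preserve (some products recompute it); and the encryption has to happen in the reader or PIN pad before the data reaches POS software, since a scraper that runs in the same process as the decryption key gains nothing from any of this.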