Seculert, an Israeli-based security firm, uncovered powerful new malware that targets POS systems. In a Sept. 11, 2012, blog post, Seculert reported that the so-called Dexter malware has infected hundreds of POS systems in 40 different countries worldwide over the last two to three months. Seculert said 42 percent of the infected POS systems are located in North America, with an additional 19 percent of the systems located in the United Kingdom.
Seculert does not know how Dexter targeted POS systems, but did note that over 30 percent of the targeted POS systems were running on servers that use the Microsoft Corp. operating system. Seculert called that percentage unusually high for "regular 'web-based social engineering' or 'drive-by-download' infection methods." According to the security firm, the goal of Dexter is to "steal the process list from the infected machine, while parsing memory dumps of specific POS software related processes, looking for track 1/track 2 credit card data."
Josh Grunzweig, Researcher, SpiderLabs at security firm Trustwave, believes Dexter is a common example of malware when viewed at a high level. He said, "It only has three purposes in life - to always be running on the victim machine; to find any card, or track, data in any running program on the victim; and to communicate with the attacker that is controlling it." Grunzweig said Trustwave's SpiderLabs encounters this type of malware all the time in its forensic investigations. But what is unique about Dexter is that it communicated with its host using normal communication channels, but encoded those communications with what Grunzweig characterized as a custom technique.
"It would send out a message to the attacker, by default, every 5 minutes," Grunzweig said. "It would also check the victim to see if there was any track data in its running programs every 60 seconds. If the malware found track data, it would send it out with the next message to the attacker. This cycle repeated until the malware was uninstalled. It also had the ability to receive commands by the attacker. The attacker had the ability to change those timers I previously mentioned, could download and install additional malware, or could remove Dexter altogether."
Grunzweig added, "It's still unclear exactly how the malware is getting on the machines it infects, but at its core Dexter is really no different from other malware."
Mark Bower, Vice President Product Management at enterprise data protection provider Voltage Security Inc., said in a blog post that POS systems are often targeted by fraudsters. "POS systems are often the weak link in the chain and the choice of malware," he wrote. "They should be isolated from other networks, but often are connected. And as a checkout is in constant use, they are less frequently patched and updated and thus vulnerable to all manner of malware compromise. They often store cardholder data."
Bower said end-to-end data encryption (E2E) technology minimizes the risk from fraud schemes like Dexter. E2E technology encrypts payment data when a bankcard is swiped through a POS terminal. "If the POS is breached, the data will be useless to the attacker," he wrote. "The trick is getting it right so that even though the data is protected and secure, it's still compatible to the payment applications in the merchants' systems and in the POS itself."
With E2E technology, data is theoretically protected throughout the lifecycle of the transaction. Bower said merchants' security responsibilities from a Payment Card Industry Data Security Standard perspective are significantly reduced by E2E solutions. "When implemented correctly, this can dramatically reduce the cost of PCI compliance and solve huge risk challenges easily," he noted. "No data, no gold to steal."
Grunzweig urges ISOs and retailers to stay vigilant by "keeping systems up-to-date with the latest patches, ensuring that no default credentials are present on the devices, and really just a defense-in-depth approach will go a long way in ensuring that your systems are not compromised with Dexter, or any other malware for that matter."
For additional news stories, please visit www.greensheet.com and click on "Read the Entire Story" in the center column below the latest news story excerpt. This will take you to the full text of that story, followed by all other news stories posted online.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next