Dexter malware infects point-of-sale systems worldwide, researchers say

Dexter malware stole data for tens of thousands of payment cards in recent weeks, Seculert researchers say

Researchers from Israel-based IT security firm Seculert have uncovered a custom-made piece of malware that infected hundreds of point-of-sale (PoS) systems from businesses in 40 countries in the past few months and stole the data of tens of thousands of payment cards.

The malware was dubbed Dexter after a text string found in some of its components and infected Windows-based PoS systems belonging to big-name retailers, hotels, restaurants and even private parking providers, Seculert researchers said Tuesday in a blog post.

The company's researchers found a sample of the Dexter malware while investigating other threats, Aviv Raff, Seculert's chief technology officer, said Tuesday. After analyzing it, they were able to gain access to a command and control (C&C) server hosted in the Republic of Seychelles, where the malware uploaded the stolen payment card data, he said.

The Dexter malware sends a list of processes running on infected systems to the command and control server, Raff said. The attackers then check whether any of those processes correspond to specific PoS software and if they do, they instruct the malware to dump their memory and upload the data back to the server.

The memory dumps are then parsed with an online tool that runs on the server and can extract payment card "Track 1" and "Track 2" data from them. This is the information written on the magnetic stripes of payment cards and can be used to clone them, Raff said.

Since this is an ongoing attack it's hard to determine exactly how many PoS systems have been compromised so far, but it's probably between 200 and 300, Raff said. The total number of compromised payment cards is equally hard to estimate, but tens of thousands seems to have been compromised just in the past few weeks, he said.

According to statistics gathered from the C&C server, 30 percent of the infected PoS systems are located in the U.S., 19 percent in the U.K. and 9 percent in Canada. However, businesses from the Netherlands, Spain, South Africa, Italy, France, Russia, Poland, Brazil, Turkey and other countries have also been affected, painting the picture of a truly international criminal operation.

The origin of the attackers is unclear, but strings found in the malware suggest that the developers are fluent English speakers, Raff said. Malware writers tend to use words in their own language in the code, especially when they create custom tools like this one, he said.

A little over 50 percent of the infected systems run Windows XP, 17 percent run Windows Home Server, 9 percent run Windows Server 2003 and 7 percent run Windows 7.

The method used to infect these systems has not been determined yet, but given that many of them run Windows Server and are most likely not used for Web browsing, Raff believes that the attackers probably compromised other computers on the same networks first and then infected the PoS systems.

When Seculert's researchers found the Dexter sample, there were some antivirus programs that already detected it as malicious, Raff said. The company has since shared it with other vendors from the security industry, he said.

There seems to be a growing trend of cybercriminals infecting PoS systems with malware. Two weeks ago, Romanian authorities arrested 16 suspected members of a cybercrime ring that installed transaction data stealing malware on PoS systems belonging to foreign companies operating gas stations and grocery stores.

According to the authorities, the stolen data was either sold on underground websites or was used to create counterfeit payment cards. It's estimated that the criminal operation resulted in fraudulent transactions totaling over $25 million being performed with 500,000 payment cards.

It was later revealed that the companies targeted by the Romanian gang were mainly from Australia, so the gang behind the Dexter malware is probably a different one. However, Raff agreed that the methods of operation are very similar.

Raff said that if the targeted companies would have encrypted the data directly on the hardware PoS terminals before sending it out to their payment processing providers, a method commonly known as end-to-end encryption, attacks like the ones based on the Dexter malware could have been prevented.

However, the adoption of end-to-end encryption technology for card-present transactions is currently low, because it often requires the replacement of all PoS devices with newer models capable of encrypting the data.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityfraudmalwareSeculert

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?