The holiday season is here, and with it comes a rise in credit card use. Cybercriminals know this and have been infecting consumer PCs with information-stealing trojans for years. Recently, however, Seculert identified a growing trend whereby cybercriminals are targeting Point of Sale (POS) systems. Instead of going through the trouble of infecting tens of thousands of consumer PCs or physically installing a skimmer, an attacker can achieve the same results by targeting just a few POS systems with specially crafted malware. Dexter is one example of such malware.
Dexter is custom-made malware that has been used over the past 2-3 months to infect hundreds of POS systems. Some of the targeted POS systems belong to big-name retailers, hotels, restaurants and even private parking providers. The name Dexter comes from a string found in one of the malware-related files and its Track 1 / Track 2 online parsing tool (See Figure 1).
The POS systems targeted by Dexter are located in 40 different countries worldwide. 42 percent of the POS systems are located in North America, while 19 percent are located in the United Kingdom (See Figure 2).
Dexter steals the process list from the infected machine and parses memory dumps of specific POS-software-related processes, looking for Track 1 / Track 2 credit card data. This data will most likely be used by cybercriminals to clone credit cards that were used in the targeted POS system (see cloning demo video here).
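One way to watch for the behaviour described above, as an added example that is not part of Seculert's analysis: reading another process's memory on Windows requires a handle with the PROCESS_VM_READ right, so ProcessAccess telemetry (assumed here to be Sysmon Event ID 10 records exported as JSON lines) can flag unapproved programs opening POS processes. The POS process names, the allowlist and the sample events are constructed placeholders.

```python
import json

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Hypothetical names: substitute your own POS software and approved tools.
POS_PROCESSES = {"pos_terminal.exe", "paymentsvc.exe"}
ALLOWED_READERS = {r"c:\program files\edr\agent.exe"}

# Constructed Sysmon Event ID 10 (ProcessAccess) records, one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 10, "SourceImage": "C:\\Program Files\\EDR\\agent.exe", "TargetImage": "C:\\POS\\pos_terminal.exe", "GrantedAccess": "0x1410"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\unknown_tool.exe", "TargetImage": "C:\\POS\\pos_terminal.exe", "GrantedAccess": "0x1410"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\unknown_tool.exe", "TargetImage": "C:\\POS\\paymentsvc.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\unknown_tool.exe", "TargetImage": "C:\\Windows\\notepad.exe", "GrantedAccess": "0x1410"}
{"EventID": 1, "Image": "C:\\POS\\pos_terminal.exe"}
{"EventID": 10, "SourceImage": truncated
"""


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_reads(lines):
    """Return (source, target, access) for memory-read handles opened on POS processes."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
            access = int(event.get("GrantedAccess", "0"), 16)
        except (ValueError, TypeError, AttributeError):
            continue  # blank or malformed record: skip it and keep scanning
        if event.get("EventID") != 10 or not access & PROCESS_VM_READ:
            continue  # not a ProcessAccess event, or no memory-read right granted
        source, target = event.get("SourceImage", ""), event.get("TargetImage", "")
        if image_name(target) not in POS_PROCESSES:
            continue  # target is not a watched POS process
        if source.lower() in ALLOWED_READERS or source.lower() == target.lower():
            continue  # approved tool, or the process opening itself
        alerts.append((source, target, hex(access)))
    return alerts


if __name__ == "__main__":
    for source, target, access in suspicious_reads(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {source} opened {target} with access {access}")
```

Matching on the full source path rather than the file name keeps a renamed binary from inheriting an allowlist entry.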
Exactly how POS systems are targeted is not yet known for certain, but by observing the administration panel of Dexter (See Figure 3), Seculert was able to identify that over 30 percent of the targeted POS systems were using Windows Servers (See Figure 4). This is an unusual number for regular “web-based social engineering” or “drive-by download” infection methods.
The following are MD5s of Dexter-related malware samples: