New Dexter Point-of-Sale Malware Campaigns Discovered

Arbor Networks researchers report the discovery of two servers hosting Dexter and Project Hook point of sale malware.

The pesky Dexter point-of-sale malware, discovered more than a year ago, remains active primarily in Russia, the Middle East and Southeast Asia, while its cousin Project Hook is finding similar success in the United States, prompting experts to sound an alarm as holiday commerce ramps up.

Researchers at Arbor Networks last month found two servers hosting the Windows-based malware, heralding newly active campaigns.

Dexter and Project Hook differ from more traditional point-of-sale attacks which rely on skimmers physically installed on endpoints, or phishing emails luring users on Windows machines hosting the PoS software. Instead, the malware is injected into files hosted on Windows servers before scraping credit card numbers as they’re entered via the PoS system.

Arbor Networks senior research analyst Curt Wilson said the two new Dexter servers were found in November; law enforcement as well as the Financial Services Information Sharing and Analysis Center (FS-ISAC) were informed. Wilson said during a two-week period when Arbor researchers were monitoring activity on the servers, they saw 533 infected endpoints call back to the command and control infrastructure.

“The way the attackers had the server set up, we saw credit card data posted to the site,” Wilson said. “The attackers were clearing the log files periodically, so there’s no telling how long these campaigns have been ongoing.”

Arbor identified three versions of Dexter: Stardust, which is likely the original version; Millenium; and Revelation. Revelation is likely the latest version and it is capable of moving stolen data not only over HTTP as previous versions, but also over FTP, a first for POS malware, Wilson said. Wilson added that Arbor researchers have not been able to determine how the initial infections are happening. The two command servers, he said, are no longer online.

Dexter was discovered more than a year ago and reported by researchers at Seculert, who reported at the time that campaigns were claiming victims at big retail operations, hotels and restaurants. At the time there were victims in 40 countries, most of those in the U.S. and the United Kingdom.

“Dexter is stealing the process list from the infected machine, while parsing memory dumps of specific POS software related processes, looking for Track 1 / Track 2 credit card data,” Seculert CTO Aviv Raff wrote in a blogpost last December. “This data will most likely be used by cybercriminals to clone credit cards that were used in the targeted POS system.”

Point-of-sale systems present hackers with a target-rich environment. The systems are often reachable online and are usually guarded with default or weak passwords that are child’s play for a brute force or dictionary attack. The last two Verizon Data Breach Investigations Reports have identified small retailers and hospitality providers as the primary victims in such opportunistic attacks because of limited security resources.

Wilson said some of the victimized machines were not dedicated PoS servers; one in particular was also hosting a physical security management system that ran access control and card reader software.

“The data being exfiltrated that we’ve seen suggests that the compromised machines are doubling up functions and running point of sale on a machine doing something else. PoS machines should be dedicated, locked down and have special policies applied to it,” Wilson said. “That’s a bad practice to pile so much on one system.  An attacker with access to credit card data would also have access to anything else the management system has access too.”

Wilson said that the initial infections could be happening either via phishing emails luring victims to sites hosting Dexter or Project Hook, or the attackers are taking advantage of default credentials to access these systems remotely.

“With the holidays, there’s going to be more PoS activity and a higher volume of transactions. Now would be a good time to fortify security,” Wilson said. “The basics should cover this. There are IDS signatures written for this malware, and there are indicators of compromise floating around; basic antimalware should catch the process-injection techniques used here.”

Meanwhile, Ars Technica reported today the discovery of the first botnet targeting point-of-sale systems. A Los Angeles security company called IntelCrawler found the botnet which had infected close to 150 Subway sandwich shops stealing 146,000 credit card numbers.

Suggested articles