
Dexter malware: Underlining the need for PoS system encryption

A new piece of malware targeting point-of-sale systems and harvesting payment card data would be less successful if more payment data was encrypted in the first place.

Cyber-criminals used a customised piece of malware to infect hundreds of point-of-sale systems from businesses in 40 countries around the world, and stole data from tens of thousands of payment cards, researchers from Israel-based security firm Seculert discovered this week. Dubbed Dexter, it has been found on Windows-based point-of-sale systems at well-known retailers, hotels, restaurants and parking providers.

"PoS systems are often the weak link in the chain and the choice of malware," Mark Bower, vice-president of Voltage Security, told us.

While Seculert did not identify the companies who had been infected, it appears the largest group of victims is in the United States, at about 30 per cent, followed by the UK with 19 per cent. Affected countries include Brazil, France, Italy, the Netherlands, Poland, Russia, South Africa, Spain and Turkey.

"Instead of going through the trouble of infecting tens of thousands of consumer PCs or physically installing a skimmer, an attacker can achieve the same results by targeting just a few PoS systems with specially crafted malware," Seculert wrote.

We don't know how Dexter infects

How the malware infected the systems in the first place remains a mystery. A little over 50 per cent of the infected systems were running Windows XP, but over 30 per cent ran some variation of Windows Server (Windows Home Server, Server 2003, Server R2, Server 2008), Seculert found. The fact that nearly a third of the systems were running server software meant it was unlikely the malware infected the computer because the user was web surfing and accidentally landed on a malicious page.

"This is an unusual number for regular 'web-based social engineering' or 'drive-by download' infection methods," Seculert wrote.

It's very possible the infection entered the network by normal means, infecting an end-user machine through a malicious link in an email or by using web-based methods. Once the end-user machine was compromised, Dexter may have gone through the network looking for PoS systems.

PoS systems should be isolated from other networks, Bower said. This echoes what security experts regularly advise concerning industrial control systems: such specialised systems should run on isolated machines and not be connected to the general corporate network, but in practice they are often connected for ease of maintenance and other reasons.

Dexter dumps PoS software data

In traditional PoS attacks, criminals physically install a modified hardware skimmer in order to intercept credit card numbers and other financial data from payment cards. With Dexter, the criminals can just remotely infect the systems running the PoS software without having to deal with the process of compromising the card reader or getting physical access to the system.

Once on the computer, Dexter transfers all PoS-related data, such as the Track 1/Track 2 data (name, account number, expiration date, etc.) stored on the payment card's magnetic stripe, to a remote command-and-control (C&C) server, where the harvested data is used to create cloned cards.

Encryption as defence

If the data collected by the PoS software had been encrypted, Dexter would not have been able to do anything with the stolen data. Even when encrypted, the data's format and integrity are retained, so the PoS software can still process it without any problems. As far as the attacker is concerned, there's nothing of value to steal.

"Dexter would get nothing but useless encrypted data," Bower wrote on the Voltage Security blog.

If the hardware, such as the card readers, encrypted the data the second the information was collected, then it wouldn't matter if malware tried to dump the data out of the PoS software. However, that is much more expensive and difficult for smaller businesses to implement since it would mean all the existing hardware would need to be updated to newer models capable of encrypting data.
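The point made above, that a record protected this way keeps its layout and passes the PoS software's own validation while leaving a memory-scraping trojan nothing usable, as an added example in Python (not Seculert's or Voltage's code). It assumes a Track 2 layout of the form ;PAN=YYMMSSS...? and uses a simplified HMAC-based Feistel in place of a standardised mode such as NIST FF1; the key and card record are constructed.

```python
# Added example (not Seculert's or Voltage's code): format-preserving protection of a
# Track 2 record. The HMAC Feistel stands in for a standardised FPE mode such as NIST FF1.
import hashlib
import hmac
import re

TRACK2_RE = re.compile(r"^;(\d{13,19})=(\d{4})(\d{3})(\d*)\?$")  # ;PAN=YYMM SSS disc?
ROUNDS = 10

def luhn_check_digit(partial: str) -> str:
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(pan: str) -> bool:
    return pan[-1] == luhn_check_digit(pan[:-1])

def _round_fn(key: bytes, tweak: str, i: int, half: str, m: int) -> int:
    mac = hmac.new(key, f"{tweak}|{i}|{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10 ** m

def fpe_digits(key: bytes, tweak: str, digits: str, decrypt: bool = False) -> str:
    """Feistel network over a digit string: output has the same length and alphabet."""
    u = (len(digits) + 1) // 2
    a, b = digits[:u], digits[u:]
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        m = u if i % 2 == 0 else len(digits) - u  # length of the half being rewritten
        if decrypt:
            a, b = str((int(b) - _round_fn(key, tweak, i, a, m)) % 10 ** m).zfill(m), a
        else:
            a, b = b, str((int(a) + _round_fn(key, tweak, i, b, m)) % 10 ** m).zfill(m)
    return a + b

def _rewrite_pan(key: bytes, track2: str, decrypt: bool) -> str:
    m = TRACK2_RE.match(track2)
    if not m or not luhn_valid(m.group(1)):
        raise ValueError("not a well-formed Track 2 record")
    pan, rest = m.group(1), track2[m.end(1):]
    bin6 = pan[:6]  # BIN stays in clear for routing and doubles as the FPE tweak
    new_pan = bin6 + fpe_digits(key, bin6, pan[6:-1], decrypt)
    return ";" + new_pan + luhn_check_digit(new_pan) + rest  # check digit recomputed

def protect_track2(key: bytes, track2: str) -> str:
    """What the PoS software holds: same layout, still Luhn-valid, account number is ciphertext."""
    return _rewrite_pan(key, track2, decrypt=False)

def unprotect_track2(key: bytes, track2: str) -> str:
    return _rewrite_pan(key, track2, decrypt=True)
```

Only the side holding the key (for example the payment gateway) can call unprotect_track2; a scraper that dumps the protected record from PoS memory gets a Luhn-valid but useless account number.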