Incident Response, Malware, TDR

In new campaign, Dexter point-of-sale malware strikes U.S. and abroad

The point-of-sale (POS) malware, dubbed “Dexter,” which recently impacted banks in South Africa costing businesses millions, is actively being used to steal credit card data in the U.S. and abroad, analysts warn.

In a Tuesday blog post, researchers on Arbor Networks' security engineering and response team (ASERT), revealed that two servers hosting Dexter, and other POS malware, called Project Hook, were discovered early last month.

In a follow up interview that day, Curt Wilson, a senior research analyst at ASERT, told that variants of Dexter and Project Hook had compromised around 500 POS systems worldwide since October.

He added that businesses should be privy to the growing threat of POS malware.

"We've got Dexter, Project Hook, and other malware called VSkimmer; and there are probably others that are out there right now," Wilson said, later adding that threat actors will get a hold of sensitive card data any place they can.

"People that are running point-of-sale systems should take better care of them to keep them from turning into a point of pain," he added.

Of the Dexter and Project Hook infections, Dexter malware appeared to be most active on compromised systems, the ASERT team found. Countries throughout the Eastern Hemisphere (including Africa, where researchers noted a resurgence of the malware in October), appeared to get the brunt of the infections. 

In the blog post, the team posted a map of recent POS infections in the Eastern and Western Hemispheres.

A report (PDF) detailing the campaign, called “Dexter and Project Hook Break the Bank,” also revealed additional findings about the malware.

Of note, there appears to be three variants of Dexter – Stardust, Millenium (spelled as such, after a malware file name), and Revelation.

The “Revelation” iteration of the Windows-based malware has been compromising point-of-sale systems from Oct. 13 through the present, researchers discovered.

According to the report, the Revelation variant uses file transfer protocol (FTP) to steal debit and credit card information from victims.

“The FTP site contents suggests a small number (12-14) of compromised machines dumped data between October 13 and November 11 [and] ongoing…The small number of apparent victim machines suggests that this is a small campaign or is perhaps a test of some sort,” the report said.

Last December, Israel-based advanced threat detection company Seculert discovered Dexter. At that time, researchers shed light on a 2 to 3 month campaign infecting hundreds of POS systems. That campaign was also widespread in its geographical impact, affecting 40 countries, with 35 percent of infections occurring in the U.S.

Seculert noted last year that some of the targeted POS systems included “big-name retailers, hotels, restaurants and even private parking providers.”

In the recent campaign against POS systems, ASERT has not determined what infection vector was used to compromise businesses, but the report said that “POS systems suffer from the same security challenges that any other Windows-based deployment does,” so weak credentials accessible over remote desktop or open wireless networks, were mentioned as possible vulnerable points for businesses.

In addition, social engineering attacks, and physical access (tampering) with POS systems were also named as potential routes.

Wilson warned that small businesses, in particular, are a promising target for attackers spreading the malware.

"A lot of [the victims] look like they are smaller retailers – probably those who don't have the robust security you would like to see in these cases," Wilson said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.