Sunday, January 26, 2014

Malware "Dexter" spreading in Asia - interestingly, in contrast to the cyber malware that hit US retailers such as Target and Neiman Marcus, this "Dexter" virus has apparently also hit online banking!

Is Dexter related to the cyber-malware that has hit US retailers such as Target, Neiman Marcus and Michaels Stores?

New Virus Threatens Banking Systems

Cyber security researchers have detected a virus in online banking transactions, warning customers who swipe debit or credit cards at shopping counters as well as companies who stock them. This is according to TechRadar Pro.
The virus, which is spreading at a “severe” rate according to CERT, has been detected operating in point of sale (PoS) counters at retail terminals in Asia, infecting their connection to online banking sources. Named “Dexter”, it can acquire several aliases when infecting systems.
Malware programs designed for PoS systems are commonly referred to as RAM scrapers, because they search the terminal’s random access memory (RAM) for transaction data and steal it. PoS systems are actually computers with peripherals like card readers and keypads attached to them. Many of these systems run a version of Windows Embedded as the OS as well as special cash register software.
Once the virus breaches the security of the target, it then begins to mine confidential data, including names, account numbers, sort codes and expiration dates. With the information from a card’s magnetic stripe, known as track 1 and track 2 data, cybercriminals can effectively clone the card.
CERT, in an advisory, said that the malware campaigns targeting payment card processing, point-of-sale and check-out systems are on the rise, due to the ease of copying data. Many security firms have stressed in recent months that companies should shore up the security systems of the PoS terminals to avoid any form of compromise.
Last week it was revealed that U.S. retail giant Target had been infected with a PoS virus that had stolen the names and addresses of 70 million customers.

'Dexter' trojan affecting PoS terminals in India, steals card information
Cyber-security sleuths have detected a "black" private information stealing trojan in the Indian online banking transactions space, and have alerted consumers who swipe debit or credit cards at shopping counters to make payments.
The "severely" spreading trojan has been detected conducting its clandestine operations at the Point of Sale (PoS) counters placed at retail terminals after the RBI made it mandatory in December last year for debit card holders to punch in their PIN every time they make a purchase.
The trojan, named "Dexter, black PoS, memory dump and grabber", can acquire seven aliases when infecting a system, and once it is successful in breaching the security protocols of a PoS terminal, it steals confidential data like the cardholder's name, account number, expiration date, CVV code and other discretionary information, which could lead to financially compromising and phishing attacks on the card at a later stage.
"It has been reported that malware campaigns targeting payment card processing, point-of-sale (PoS), check out systems or equipment are on the rise.
"The common infection vectors for PoS system malware include phishing emails or social engineering techniques to deliver the malware, use of default or weak credentials, unauthorised access, open wireless networks along with the methods of installing malware as a part of service," the latest advisory issued to the public by the Computer Emergency Response Team (CERT-India) said.
The CERT-In is the nodal department to protect Indian cyberspace and software base infrastructure against any destructive and hacking activities.
The trojan is so potent and deadly that once it steals the sensitive data it quietly exits the infected machine without leaving much trail of its existence.
"The malware has routines to collect and parse personal sensitive information from the running processes in memory by enumerating the PoS related processes and has procedure to exfiltrate directly without interim storing in the hard disk," the advisory said.
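To make concrete what a RAM scraper is after, here is an added Python example (not code from CERT-In, TechRadar or any of the quoted articles) that parses the track 1 and track 2 layout a card reader hands to the PoS application, validates the PAN with the Luhn check, and shows the truncated form a PoS is allowed to retain after authorisation. The sample swipe is constructed: 4111111111111111 is a well-known test PAN, and the name, expiry, service code and discretionary data are made up.

```python
"""Parse ISO 7813 magnetic-stripe track data and show what a PoS should retain.

Added example (not from the advisory or any of the quoted articles). The card
read below is constructed: 4111111111111111 is a well-known test PAN, and the
name, expiry, service code and discretionary data are made up.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
# Track 2 layout: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)

# Constructed sample swipe, as a PoS card reader would deliver it to the application.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121011234567890?"
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"


@dataclass
class TrackData:
    track: int
    pan: str
    expiry: str          # YYMM exactly as encoded on the stripe
    service_code: str
    discretionary: str
    name: Optional[str] = None   # only track 1 carries the cardholder name


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation (ISO/IEC 7812): tells a real PAN from a run of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track(raw: str) -> Optional[TrackData]:
    """Return the fields of a track 1 or track 2 read, or None if it is not valid track data."""
    m = TRACK1_RE.search(raw)
    if m and luhn_ok(m["pan"]):
        return TrackData(1, m["pan"], m["exp"], m["svc"], m["disc"], m["name"])
    m = TRACK2_RE.search(raw)
    if m and luhn_ok(m["pan"]):
        return TrackData(2, m["pan"], m["exp"], m["svc"], m["disc"])
    return None


def mask_pan(pan: str) -> str:
    """PCI-style truncation: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def chip_present(service_code: str) -> bool:
    """ISO 7813: a first service-code digit of 2 or 6 means the card carries an IC (EMV) chip."""
    return service_code[0] in "26"


def redact_card_read(raw: str) -> Optional[dict]:
    """What a PoS may keep after authorisation: masked PAN and expiry, never the full track."""
    t = parse_track(raw)
    if t is None:
        return None
    return {
        "pan": mask_pan(t.pan),
        "expiry": f"{t.expiry[2:]}/{t.expiry[:2]}",   # MM/YY for display
        "chip_present": chip_present(t.service_code),
    }


if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        print("cleartext as it sits in PoS memory:", parse_track(raw))
        print("what the PoS should retain:       ", redact_card_read(raw))
```

The point for a defender is the gap between the two printed lines: everything needed to encode a cloned stripe is in the cleartext track, so the window during which a PoS process holds it in RAM is exactly what the advisory's memory-parsing routine targets, and the mitigations it lists (segmentation, restricted access, patched terminals) are about keeping an attacker off the machine during that window.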
In order to save debit cards from financial fraud and the loss of the holder's hard-earned money, the RBI had made it mandatory for the customer's PIN, which is nothing but the individual's ATM PIN, to be punched in at the PoS.
A senior official working in the counter-cyber attacks department said that while customers should be vigilant about their debit and credit card activity when swiping at sale counters, PoS terminals should also firm up their defence mechanisms so that their systems are not compromised.
The agency has suggested some counter-measures against these malware attacks.
"Keep all PoS computers thoroughly updated including PoS application software, restrict access on PoS systems to PoS related activities only, ensure the networks where the PoS systems reside are properly segmented from non-payment network and restrictive policies on usage should be deployed and enforced," the agency recommended.
The agency also pointed out that PoS counters should "maintain good security policy on the PoS computers (including physical access), disable autorun or autoplay, install and scan anti-malware engines and keep them up-to-date and exercise caution while visiting links within emails received from untrusted users or unexpectedly received from trusted users while also enabling firewall at desktop and gateway level."

Dexter is a Killer: Virus Places Point of Sale Systems at Risk

October 23, 2013 | By Kevin Judge
I saw a recent headline “Dexter Strikes South Africa”.
And I thought he was hiding out in Alaska!
I was a big fan of the TV series Dexter, the show about an amiable vigilante serial killer who works for the Miami Metro Police Homicide department. The series end, which was a bit of disappointment, left him hiding out as a lumberjack in Alaska. I’m hoping that Dexter will resurface, perhaps in a movie.
I was not happy, however, to see that Dexter’s computer virus namesake has resurfaced. It was first discovered in 2012 by Israeli computer firm Seculert. Dexter is a notorious cyber fraud malware program that compromises credit card payment systems running on Windows and has led to tens of millions of dollars in losses.
Security experts eventually got a handle on it. Unfortunately, a new version has recently resurfaced in South Africa and is as malicious as ever. This new variant has led to millions of dollars in losses in recent months alone. It is linked to a series of attacks witnessed in the UK, the US and other countries, where the malware stole the magnetic stripe information off payment cards to make clones. The attackers used these cloned cards to make fraudulent purchases, while the bill was sent to the actual cardholder. Any retailer with a point of sale system is vulnerable. KFC, my favorite chicken restaurant, was reported to be a big victim.
Fortunately, the Dexter malware is not capable of stealing a card's ATM PIN code or CVV payment authentication numbers. That means the thieves have to use the cards in person, at retail outlets.
Regarding this new version of Dexter, a spokesman for Seculert was quoted in SC Magazine as saying “My recommendation is to use security solutions which focus on full protection against advanced threats, rather than just prevention.”
If that sounds familiar, then you have been paying attention to what we say about Comodo Internet Security (CIS). Its Default/Deny with auto-sandboxing architecture ensures that all files that could harm your computer are denied access to the system.

Tantalizing Clues in Dexter Malware Lead to Mystery Man…and Zeus

The Dexter malware is getting some media attention this week – and not just because the malware shares its name with Showtime’s popular drama about a serial killer by the same name. (Not that those of us tasked to write catchy headlines don’t love stuff like that – ’cause we do.)
No, the Dexter virus caught the attention of malware analysts because it infects point of sale (POS) systems like electronic cash registers, kiosks and automatic teller machines (ATMs), rather than run of the mill laptops and desktops. It has also generated some interest because it uses a form of memory dump parsing to steal sensitive data from infected POS terminals, and because it is POS malware that is part of a botnet – communicating back to a command and control system and receiving commands. That's quite unusual and, while it's kind of inside baseball for malware geeks, it makes Dexter worthy of some extra lab time.
According to an analysis by Seculert, the custom malware has been circulating in recent months and has infected “hundreds POS systems” including those operated by “big-name retailers, hotels, restaurants and even private parking providers.” The logic here is simple. Dexter isn’t the first POS malware. In fact, more and more malicious programs are ascribing to the Willie Sutton philosophy of online theft: you infect POS systems because “that’s where the money is,” or – at least – the data that you need to get the money. “Instead of going through the trouble of infecting tens of thousands of consumer PCs or physically installing a skimmer,” Seculert writes, “an attacker can achieve the same results by targeting just a few POS systems with specially crafted malware.”
But it turns out that Dexter may not be so new or different. A detailed analysis by Verizon’s RISK team suggests that Dexter has been in active development for some months and may be a creation of a group responsible for the ubiquitous Zeus banking Trojan.
Verizon said that it has identified at least four “Dexter” variants dating back to September 2012. The last of those appeared in late October and has served as the basis for most of the analysis of the malware. By analyzing the earlier proof-of-concept Dexter variants, Verizon concluded that the IP addresses used for Dexter’s command and control were also used to host Zeus related domains and several domains for Vobfus, also known as “the porn worm,” which has been used to deliver the Zeus malware.
Beyond the revelations that Dexter may be tied up with the Zeus malware, Verizon also produced some tantalizing clues as to the identity of one individual who may be a part of the crew running the malware. Though many of the web domains that serve as command and control nodes for Dexter are privately registered, at least one was not, and Verizon was able to link that to an online handle, “hgfrfv,” used to post a number of suggestive help requests in technical forums (“need help with decrypting a table encrypted with EncryptByKey”…hmm…) as well as a shell account on the outsourcing web site, which lists “hgfrfv” as an individual residing in the Russian Federation. The handle is also linked to the e-mail addresses Attempts by Security Ledger to contact the e-mail addresses went unanswered.
What does this mean? Everything and nothing. Connections back to Zeus domains aren’t that surprising. That password stealing malware is the punchline to countless online scams and attacks. The links to “Mr. Jacobs” are tantalizing – and could ultimately lead to someone with their hands on Dexter getting dox’d. But even that’s not unusual – Brian Krebs has made a habit of outing big time botmasters, and “Mr. Jacobs” almost certainly isn’t that.
So, what is interesting (I think) is that there are links between a novel POS bot and more established, pedestrian online banking malware. That suggests that those behind run of the mill online banking scams – the kind that infect your PC, wait for you to visit Bank of America, then steal your password – are moving into new territory: the vast array of point of sale terminals that collect sensitive financial data from consumers. Stay tuned for more on that trend in the year ahead!