Point-of-sale malware infections on the rise, researchers warn

Researchers from Arbor Networks and IntelCrawler identify new attacks using malware designed for point-of-sale systems

New attack campaigns have infected point-of-sale (PoS) systems around the world with sophisticated malware designed to steal payment card and transaction data.

Researchers from security firm Arbor Networks found two servers that were used to collect data stolen from PoS systems by variants of the Dexter malware and a similar threat called Project Hook.

Dexter and Project Hook are designed to steal Track 1 and Track 2 information written on the magnetic stripes of payment cards when transactions are processed on the infected PoS terminals. Attackers can use this information to clone the cards.

The servers found by Arbor Networks were active at the beginning of November and the data found on them suggests that the Dexter campaign mainly infected systems in Eastern Hemisphere countries. The Project Hook malware infected PoS systems mostly in the U.S. and Europe.

The Arbor Networks researchers identified three separate versions of the Dexter malware, dubbed Stardust, Millenium and Revelation. The first version of Dexter was found in November 2012 by researchers from Israeli security firm Seculert.

The source code for Dexter version 1.0 was leaked, which resulted in increased interest from cybercriminals in PoS malware, according to researchers from IntelCrawler, a Los Angeles-based security intelligence startup firm.

IntelCrawler recently identified a botnet of 31 PoS terminals from restaurants and well-known stores in seven major U.S. cities that were infected with a StarDust variant, said Andrey Komarov, IntelCrawler's CEO, via email.

StarDust, or Dexter version 2, appeared on the underground market in August, according to IntelCrawler. In addition to extracting track data from system memory, the malware can also extract this type of information from internal network traffic, Komarov said.

The StarDust botnet found by IntelCrawler uses two command-and-control servers located in Russia -- in Moscow and Saint Petersburg -- that appear to be controlled by a gang with ties to the infamous Russian Business Network cybercriminal organization. One serves as the main server and the other one as a backup, the IntelCrawler researchers said in an emailed report.

IntelCrawler is monitoring the main server, which is still active, and has alerted law enforcement agencies about it, Komarov said.

"Approximately 20,000 credit cards may have been compromised via this Stardust variation and evidence has been sent to the card associations to determine the points of compromise," said Dan Clements, the president of IntelCrawler, via email.

Read more: Unprecedented spike in DDoS attacks: Arbor Networks

Arbor Networks hasn't identified the exact method used to install malware on PoS systems as part of the attack campaigns it identified.

"However PoS systems suffer from the same security challenges that any other Windows-based deployment does," the Arbor Networks researchers said Wednesday in a blog post. "Network and host-based vulnerabilities (such as default or weak credentials accessible over Remote Desktop and open wireless networks that include a PoS machine), misuse, social engineering and physical access are likely candidates for infection."

In the case of the StarDust campaign, IntelCrawler found malicious code that exploits vulnerabilities in ClearviewPOS, a PoS software program popular in the food service industry.

Dexter version 2 (Stardust) and version 3 (Revolution) can inject code into specific ClearviewPOS processes to monitor its memory, Komarov said.

Smaller businesses are likely an easier target for PoS attacks because of their reduced security, the Arbor Networks researchers said. "While the attackers may receive less card data from smaller retailers, infections may be more numerous and last longer due to the lack of security reporting and security staff in such environments."

The Arbor Networks researchers expect more sophisticated PoS malware threats to be developed and used by cybercriminals in the future. "It is only a matter of time before evolution in tactics takes place, therefore network defenders need to be well prepared to protect PoS and other financially sensitive systems that will continue to be a target for financially motivated threat actors."

Join the PC World newsletter!

Error: Please check your email address.

Tags arbor networksIntelCrawlersecuritydata breachspywaredata protectionmalwarefraud

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?