Point-of-sale malware infections on the rise, researchers warn

Researchers from Arbor Networks and IntelCrawler identify new attacks using malware designed for point-of-sale systems

New attack campaigns have infected point-of-sale (PoS) systems around the world with sophisticated malware designed to steal payment card and transaction data.

Researchers from security firm Arbor Networks found two servers that were used to collect data stolen from PoS systems by variants of the Dexter malware and a similar threat called Project Hook.

Dexter and Project Hook are designed to steal Track 1 and Track 2 information written on the magnetic stripes of payment cards when transactions are processed on the infected PoS terminals. Attackers can use this information to clone the cards.

The servers found by Arbor Networks were active at the beginning of November and the data found on them suggests that the Dexter campaign mainly infected systems in Eastern Hemisphere countries. The Project Hook malware infected PoS systems mostly in the U.S. and Europe.

The Arbor Networks researchers identified three separate versions of the Dexter malware, dubbed Stardust, Millenium and Revelation. The first version of Dexter was found in November 2012 by researchers from Israeli security firm Seculert.

The source code for Dexter version 1.0 was leaked, which resulted in increased interest from cybercriminals in PoS malware, according to researchers from IntelCrawler, a Los Angeles-based security intelligence startup firm.

IntelCrawler recently identified a botnet of 31 PoS terminals from restaurants and well-known stores in seven major U.S. cities that were infected with a StarDust variant, said Andrey Komarov, IntelCrawler's CEO, via email.

StarDust, or Dexter version 2, appeared on the underground market in August, according to IntelCrawler. In addition to extracting track data from system memory, the malware can also extract this type of information from internal network traffic, Komarov said.

The StarDust botnet found by IntelCrawler uses two command-and-control servers located in Russia -- in Moscow and Saint Petersburg -- that appear to be controlled by a gang with ties to the infamous Russian Business Network cybercriminal organization. One serves as the main server and the other one as a backup, the IntelCrawler researchers said in an emailed report.

IntelCrawler is monitoring the main server, which is still active, and has alerted law enforcement agencies about it, Komarov said.

"Approximately 20,000 credit cards may have been compromised via this Stardust variation and evidence has been sent to the card associations to determine the points of compromise," said Dan Clements, the president of IntelCrawler, via email.

Read more: Unprecedented spike in DDoS attacks: Arbor Networks

Arbor Networks hasn't identified the exact method used to install malware on PoS systems as part of the attack campaigns it identified.

"However PoS systems suffer from the same security challenges that any other Windows-based deployment does," the Arbor Networks researchers said Wednesday in a blog post. "Network and host-based vulnerabilities (such as default or weak credentials accessible over Remote Desktop and open wireless networks that include a PoS machine), misuse, social engineering and physical access are likely candidates for infection."

In the case of the StarDust campaign, IntelCrawler found malicious code that exploits vulnerabilities in ClearviewPOS, a PoS software program popular in the food service industry.

Dexter version 2 (Stardust) and version 3 (Revolution) can inject code into specific ClearviewPOS processes to monitor its memory, Komarov said.

Smaller businesses are likely an easier target for PoS attacks because of their reduced security, the Arbor Networks researchers said. "While the attackers may receive less card data from smaller retailers, infections may be more numerous and last longer due to the lack of security reporting and security staff in such environments."

The Arbor Networks researchers expect more sophisticated PoS malware threats to be developed and used by cybercriminals in the future. "It is only a matter of time before evolution in tactics takes place, therefore network defenders need to be well prepared to protect PoS and other financially sensitive systems that will continue to be a target for financially motivated threat actors."

Join the CSO newsletter!

Error: Please check your email address.

Tags arbor networksIntelCrawlersecuritydata breachspywaredata protectionmalwarefraud

More about Arbor NetworksArbor Networks

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts