
Dexter malware's source still unknown, connection to Zeus disputed

Point-of-sale malware may have compromised 'tens of thousands' of credit cards

By Taylor Armerding, CSO
December 19, 2012 08:15 AM ET

The Dexter malware is not a serial killer, like in the Showtime drama of the same name, but it amounts to a serial cyber Grinch, stealing Christmas from possibly tens of thousands of people by making it possible for criminals to clone their credit cards.


How it attacks, how much damage it has done, where it came from, and whether those behind it are connected to the Zeus malware are still either unknown or matters of debate among analysts.

Seculert, the threat detection firm that discovered and named the custom malware that infects point-of-sale (POS) systems like electronic cash registers, kiosks and automatic teller machines (ATMs) instead of individual end-user devices, has no estimate on how many credit cards have been compromised.

But a blog post on the company's website said Dexter had been in use for the past two to three months and had infected hundreds of POS systems in 40 countries, with 61% of the systems infected in North America and the U.K.

Seculert CTO Aviv Raff said the number of infected systems, belonging to enterprises ranging from major retailers to hotels, restaurants and even private parking providers means that "probably tens of thousands of people" have been victims.

POS malware is becoming much more popular for online theft for a simple reason: it offers more bucks for the bang. As The Security Ledger put it, "more and more malicious programs are ascribing to the Willie Sutton philosophy of online theft: you infect POS systems because 'that's where the money is,' or -- at least -- the data that you need to get the money."

The Dexter malware is a so-called "memory scraper" that searches for Track 1 and Track 2 data, which includes a cardholder's name, account number, encrypted PIN and other discretionary data -- enough to clone the card and use it to make fraudulent purchases.
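The exposure a memory scraper relies on is cleartext track data sitting in a POS process's memory. The same pattern search, run by a defender over a memory dump or log file, confirms whether that data is ever present (PCI DSS forbids retaining it after authorization). The scanner below is an added example, not Seculert's tooling or anything from the article; the byte buffer is constructed here and uses publicly documented test card numbers, and the track layouts follow the ISO 7813 magnetic-stripe format.

```python
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2:           ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum, to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report only the last four digits so the audit output itself is not cardholder data."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Locate Luhn-valid Track 1 / Track 2 records in a byte buffer (e.g. a process memory dump)."""
    hits = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue  # digits in the right shape but not a real PAN
            expiry = m.group(3 if track == 1 else 2).decode()
            hits.append({"track": track, "offset": m.start(),
                         "pan": mask_pan(pan), "expiry": expiry})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample: a slice of "memory" with one Track 1 record, one Track 2 record,
# and one Track 2 lookalike whose PAN fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v2.1\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000?"
    b"\x00\x00junk\x00"
    b";5555555555554444=25121011000000000?"
    b";4111111111111112=2512101?"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

A real audit would feed the function the memory of the payment application (or the POS host's swap and log files) rather than this sample; any hit means unencrypted track data was reachable by whatever else runs on that machine.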

Raff said how Dexter gains access to systems is still not known. He said Seculert is "a detection company," and does not do that kind of forensics, although the company partners with others that do.


But he said 30% of the infected systems are servers and "it's unusual for servers to get infected using regular methods, mainly because they aren't being used by people to surf the Web."

"There can be many ways," he said. "It could be by attacking other machines on the same network. Or there might be a remote desktop open, and people can try to log in from there."

Roger Thompson, chief emerging threat researcher at ICSA Labs, said there is no way to tell for sure. "It's the computer equivalent of the needle in the haystack," he said. "Even if you're lucky enough to find the needle, there is simply no record of the path it took to get in."

Raff said some of the compromised companies have been notified, but Seculert would not name them publicly. "This is a privacy issue," he said, adding that if end users are concerned that their card may have been compromised, they should contact the vendor.
