
Dexter malware returns with a vengeance

Johannesburg, 16 Oct 2013
A unique variant of so-called Dexter malware managed to infiltrate local POS systems - and go unnoticed for months while defrauding South Africans.

SA's banks have been hit hard by what has been described as a sophisticated remote cyber attack, which has seen tens of millions of rands being fleeced from their clients.

The Payment Association of SA (PASA) yesterday confirmed the notorious Dexter malware, discovered last year, has reared its malicious head again - but with much greater force - in SA.

The malware - apparently loaded via the Internet onto servers countrywide - infected thousands of point-of-sale (POS) systems belonging to some of SA's biggest fast food chains and restaurants, and has been skimming card information since earlier this year.

PASA CEO Walter Volker says the latest attack was the product of a "unique variant" of the Dexter virus that, in December last year, hit global retail chains like restaurants, retailers and hotels. "It is similar to the virus [that did the rounds] last year - but more widespread."

Late find

He says the malware - which takes its name from a text string found in one of its files - could not be picked up by systems' normal anti-virus (AV) software. This, coupled with the malware's unique nature, says Volker, meant the fraud was detected very late - allowing cyber fraudsters to thieve millions over the course of the year.

"While [the malware attack] was limited in extent, it took us a while to identify and resolve - so the financial damage to banks is probably in the tens of millions. We started picking up unusual levels of fraud early in the year. Initially, you think it is normal fraud, but in time realise something bigger is going on."

Volker says that, as procedure dictates, an incident response committee was set up and a forensics investigation company appointed. Once the malware was finally discovered, he says, it was fairly straightforward to develop anti-malware software and deploy it at sites suspected of being targets.

"As we speak, we think all the sites we were aware of [having been attacked] are now clean. While it is difficult to say where the cyber criminals operated from, we found the source of the breach - an Internet back door. They are very good at hiding their tracks and this was definitely a very sophisticated attack. No Tom, Dick or Harry could have carried this off. What we do know is that it was not a local group."

While SA was targeted specifically in the latest attack, Volker says the malware was installed from an unknown international location. "They could be anywhere in the world."

He says PASA reported the incident to Interpol, Europol and the SA Police Service. "The issue is being dealt with by the SA Banking Risk Identification Centre. All [the relevant] law enforcement agencies are involved in getting to the bottom of this."

The attack was limited to magstripe credit cards and signature-based debit cards; no online transactions were made and no chip cards were compromised. Volker says the cards produced from the stolen data have been sold and used in both Europe and the US.

Vulnerable machinery

In deciphering the latest local fraud headache, security experts have looked to POS technology and its related vulnerabilities.

Gavin Heatherington, group MD of Neworder Industries, says POS systems are "extremely vulnerable" - and to many different forms of attack.

He says it is the configuration of POS boxes that is often the issue. "POS [boxes] are built with functionality in mind, and not security. There is a huge lack of password security, especially on the admin domain."

Heatherington notes the issue has been around for a while now. "In 2012, the malware (dubbed Dexter) text string came out and attacked restaurants, hotels and parking lots via POS. Even petrol stations were vulnerable."

He says the malware text string is more advanced than the usual "crash and dump" code, and appears to have been written purely in C++. "The malware adds itself to the system registry so that it will automatically run whenever the system boots up. The malware's payload program lists all the processes running on the system and then searches memory for personal data, for example financial."

Chris Larsen, malware lab architect at Blue Coat Systems, says that while it is possible for POS systems to be hit by a physical-access attack (for example, by tampering with the credit/debit card reader, or sticking a malware-laden USB drive into the POS box while the cashier is distracted or away), the biggest security hole he hears about is that the POS terminal (typically a Windows desktop or laptop) is used by employees for Web surfing and personal e-mail.

POS protection

Larsen notes this security hole can be narrowed considerably - if not closed entirely - by merchants taking certain precautionary and policy-enforcement measures. He suggests companies should:

* Adopt a "no Web surfing on the POS computer" policy;
* Keep the computer patched - including the operating system (OS), browser, Java and Flash (the "big 5" exploit vectors) - and the POS software itself;
* Remove all non-essential software (aside from the OS and POS software);
* Run AV software on the computer; and
* Sign up for a cloud-based security service that will provide filtering of malicious Web sites, and AV scanning of downloads.

Larsen notes that, in the last instance, the service will provide reporting on traffic, such as botnet or other destinations that the POS machine should not be surfing to.
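Larsen's last point, reporting on destinations a POS machine should not be reaching, can be implemented from a web proxy or egress firewall log and a short allowlist. The Python below is an added example, not from the article or from any vendor product: its log format, the hostnames, the allowlist and the 10.20.0.0/16 internal range are assumptions, and the log lines are constructed. It separates policy violations (a till browsing the Web) from the more serious case of a till talking directly to a public IP address, which is the pattern a defender would want escalated rather than merely reported.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Destinations a till legitimately needs (assumed for this example).
ALLOWED_HOSTS = {"gateway.acquirer.example", "updates.posvendor.example"}
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed proxy log: timestamp, terminal, source IP, method, host[:port], status.
SAMPLE_LOG = """\
2013-10-15T08:02:11 till-03 10.20.0.13 CONNECT gateway.acquirer.example:443 200
2013-10-15T08:05:40 till-03 10.20.0.13 GET updates.posvendor.example:80 200
2013-10-15T12:14:02 till-07 10.20.0.17 GET www.news-site.example:80 200
2013-10-15T12:14:09 till-07 10.20.0.17 CONNECT webmail.example:443 200
2013-10-15T13:01:30 till-07 10.20.0.17 GET 10.20.5.2:8080 200
2013-10-15T03:41:55 till-03 10.20.0.13 CONNECT 198.51.100.77:8080 200
2013-10-15T03:42:01 till-03 10.20.0.13 POST 198.51.100.77:8080 200
"""

# IPv4 hosts only; IPv6 literals would need bracket handling (out of scope here).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<term>\S+) (?P<src>\S+) (?P<method>\S+) "
    r"(?P<host>[^:\s]+)(?::(?P<port>\d+))? (?P<status>\d{3})$"
)


def classify(host: str, port: Optional[int]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a disallowed destination, or None if allowed."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip in INTERNAL_NET:
            return None
        # A till has no business opening a connection to a raw public address.
        return ("high", f"direct connection to public IP {ip}:{port}")
    if host in ALLOWED_HOSTS:
        return None
    return ("medium", f"destination {host} not on POS allowlist")


def audit(log_text: str) -> list:
    """Walk the log and collect one finding per disallowed request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a production job would count these
        port = int(m["port"]) if m["port"] else None
        verdict = classify(m["host"], port)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({"terminal": m["term"], "ts": m["ts"],
                         "severity": severity, "reason": reason})
    return findings


def terminals_to_isolate(findings: list) -> list:
    """Tills with a high-severity finding: candidates for network isolation."""
    return sorted({f["terminal"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f["severity"].upper(), f["terminal"], f["ts"], f["reason"])
    print("isolate:", terminals_to_isolate(results))
```

The allowlist is deliberately tiny: a till should need its acquirer gateway, its vendor's update host and internal servers, and nothing else, so anything outside that set is worth a ticket and a direct-to-IP connection outside business hours is worth pulling the cable.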

Heatherington suggests similar steps for merchants looking to avoid the inevitable POS cyber attack:

* Install perimeter firewalls, to negate the need to run firewalling on each PC;
* Acquire disk imaging technology that brings a PC back to its known state after a reboot;
* Disable all external storage devices being connected to machines;
* Disable Internet access for retail machines where it is not needed;
* Use switchport security on Ethernet switches to stop people connecting rogue network devices/hotspots; and
* Store company data centrally so there is no need to remotely access POS terminals.

No need for concern

Despite the seemingly alarming implications and reach of the latest attack on local food outlets, Volker says cardholders need not be concerned. However, he appeals to cardholders to report any suspicious transactions they may pick up to their banks "for urgent investigation".

Together with PASA, international card houses Visa and MasterCard, as well as SA's major banks, have confirmed they are aware of the data compromise to their food chain customers. They have assured consumers that immediate steps have been taken to secure the relevant systems and prevent further leakage of card details.

Volker notes the payments association is working with the banks and card schemes to implement immediate measures to not only block potential card data exposure - but also to bring merchants to a state of full compliance in terms of the Payment Card Industry Data Security Standards (PCI DSS).

He says SA's banks will bear the brunt of any financial loss suffered - while consumers have the benefit of recourse. "Should fraudulent transactions be perpetrated on any of these cards as a result of the data compromise, cardholders would not be exposed to any losses - as is the case under normal circumstances."

Volker confirmed the issuing bank, however, does have the right to charge back to the acquiring bank if it believes it to have been lacking in security measures. In turn, the acquiring bank could look to take on certain retailers in the event of a lack of PCI DSS compliance.

"It is left to individual banks and card issuers to decide whether they would be contacting their customers with a view to replacing any cards that might have been exposed, or rather to place these cards on a heightened level of monitoring before any action is taken."
