Researchers from Arbor Networks have spotted an active Point of Sale (PoS) compromise campaign using the Dexter malware or variants of it, aimed at stealing credit and debit card data.
“The exact method of compromise is not currently known; however, PoS systems suffer from the same security challenges that any other Windows-based deployment does. Network and host-based vulnerabilities (such as default or weak credentials accessible over Remote Desktop and open wireless networks that include a PoS machine), misuse, social engineering and physical access are likely candidates for infection,” they explained in a recently released report.
The compromised devices are located across the globe, but currently the campaign seems more widespread in the Middle East, India, Myanmar, Malaysia and Indonesia.
At the same time, researchers from US-based IntelCrawler have discovered one of the first botnets out there that target PoS terminals. By sneaking into one of the botnet’s C&C servers, they discovered that the botnet is still up and running, that it has been around for at least half a year, and that it managed to capture information about over 20,000 credit and debit cards since August.
The malware used to rope the PoS terminals into the botnet is Stardust, a newer and more effective variant of Dexter.
It is able to collect Track1 and Track2 card data and other sensitive data stored on the devices, and to send it (in encrypted form) to remote servers. According to information the researchers shared with Ars Technica, the malware transmits this data only when no one is working with the PoS terminal (the screensaver must be on).
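Track1 and Track2 data have a fixed magnetic-stripe layout (ISO/IEC 7813 sentinels and field separators), which is what lets defenders sweep a PoS memory dump or a captured payload for exposed card data during an investigation. The scanner below is an added example written for this article, not code from Arbor Networks, IntelCrawler or the malware itself; the sample blob and the 4111111111111111 test PAN are constructed, and the Luhn check is used to discard byte runs that merely look like a card number.

```python
import re
from typing import Dict, List

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")

# Constructed sample: junk bytes, a valid Track 1, a valid Track 2, and a
# Track 2 whose PAN fails the Luhn check (should not be reported).
SAMPLE_BLOB = (
    b"\x00\x10POS-TERMINAL-LOG\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000?"
    b"\x01\x02"
    b";4111111111111111=25121010000000000?"
    b"\xff"
    b";4111111111111112=25121010000000000?"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> List[Dict[str, object]]:
    """Scan raw bytes (memory dump, file, packet payload) for plaintext track data.

    Only hits whose PAN passes the Luhn check are returned, sorted by offset.
    """
    text = blob.decode("latin-1")  # 1:1 byte-to-char mapping keeps offsets exact
    hits: List[Dict[str, object]] = []
    for m in TRACK1_RE.finditer(text):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": "1", "pan": mask_pan(pan),
                         "expiry": m.group(3), "offset": m.start()})
    for m in TRACK2_RE.finditer(text):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": "2", "pan": mask_pan(pan),
                         "expiry": m.group(2), "offset": m.start()})
    hits.sort(key=lambda h: h["offset"])
    return hits


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_BLOB):
        print(hit)
```

Because the article notes that Stardust sends the captured data in encrypted form, scanning network captures with these patterns will usually come up empty; the scanner is most useful on memory images or files taken from the terminal itself, where the data sits in the clear before the malware encodes it. On a real incident, masking the PAN before anything is written to a ticket or log is what keeps the investigation itself from becoming a second exposure.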
By analyzing the control server, the researchers have discovered that most of the bots are located on devices deployed in US-based retailers and restaurants. Through the interface, the botmasters are able to issue commands to each bot and to observe the machine’s activity.
The server itself and its backup system are located in Moscow and Saint Petersburg, and IntelCrawler CEO Andrey Komarov says that the criminals behind the scheme are a part of the cyber gang dubbed SharkMoney.CC.
Once again, it is unknown how the PoS devices have been infected with the malware in the first place.