Researchers uncover Point-of-Sale botnet
Posted on 05.12.2013

Researchers from Arbor Networks have spotted an active Point of Sale (PoS) compromise campaign using the Dexter malware or variants of it, aimed at stealing credit and debit card data.

“The exact method of compromise is not currently known, however PoS systems suffer from the same security challenges that any other Windows-based deployment does. Network and host-based vulnerabilities (such as default or weak credentials accessible over Remote Desktop and open wireless networks that include a PoS machine), misuse, social engineering and physical access are likely candidates for infection,” they explained in a recently released report.

The compromised devices are located across the globe, but currently the campaign seems more widespread in the Middle East, India, Myanmar, Malaysia and Indonesia.

At the same time, researchers from US-based IntelCrawler have discovered one of the first botnets out there that target PoS terminals. By sneaking into one of the botnet’s C&C servers, they discovered that the botnet is still up and running, that it has been around for at least half a year, and that it managed to capture information about over 20,000 credit and debit cards since August.

The malware used to rope the PoS terminals into the botnet is Stardust, a newer and more effective variant of Dexter.

It is able to collect Track 1 and Track 2 card data and other sensitive data stored on the devices, and to send it (in encrypted form) to remote servers. According to information the researchers shared with Ars Technica, the malware transmits this data only when no one is working with the PoS terminal (i.e., while the screensaver is on).
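The Track 1 and Track 2 formats the malware harvests are fixed ISO 7813 layouts, which is what lets a defender check whether such data is sitting unencrypted in places it should never be (application logs, memory dumps, outbound captures). The following scanner is an added example written for this article; it is not code from Arbor Networks, IntelCrawler, or the Dexter/Stardust analysis. The sample lines are constructed, and the regular expressions assume the standard `%B…^…^…?` and `;…=…?` sentinel layouts; a Luhn check is used to filter false positives before a hit is reported, and only a masked PAN is ever kept.

```python
"""Detect magnetic-stripe Track 1 / Track 2 card data in text such as logs or dumps.

Added example for PCI-style data-leak checks; not part of the original article.
"""
import re
from dataclasses import dataclass
from typing import List

# Track 1 (ISO 7813): %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^%?]{2,26})\^(?P<exp>\d{4})(?P<rest>[^?%;]*)\?"
)
# Track 2 (ISO 7813): ;<PAN>=<YYMM><service code + discretionary data>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<rest>[^?%;]*)\?"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check (cuts random-digit false positives)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    line_no: int        # 1-based index of the scanned line
    track: int          # 1 or 2
    masked_pan: str
    expiry: str         # YYMM as encoded on the stripe
    luhn_valid: bool


def find_track_data(text: str, line_no: int = 0) -> List[TrackHit]:
    """Return every Track 1 / Track 2 pattern found in one line of text."""
    hits: List[TrackHit] = []
    for m in TRACK1_RE.finditer(text):
        hits.append(TrackHit(line_no, 1, mask_pan(m["pan"]), m["exp"], luhn_ok(m["pan"])))
    for m in TRACK2_RE.finditer(text):
        hits.append(TrackHit(line_no, 2, mask_pan(m["pan"]), m["exp"], luhn_ok(m["pan"])))
    return hits


def scan_lines(lines: List[str], require_luhn: bool = True) -> List[TrackHit]:
    """Scan many lines; by default only report PANs that pass the Luhn check."""
    hits: List[TrackHit] = []
    for n, line in enumerate(lines, start=1):
        for hit in find_track_data(line, n):
            if hit.luhn_valid or not require_luhn:
                hits.append(hit)
    return hits


# Constructed sample input: two harmless log lines, one line with full Track 1 + Track 2 data
# (test PAN 4111111111111111), and one Track 2 record whose PAN fails the Luhn check.
SAMPLE_LINES = [
    "2013-12-04 10:15:01 pos01 sale terminal=3 amount=42.10 status=approved",
    "dump: %B4111111111111111^DOE/JOHN^25121011000000000000?;4111111111111111=25121011000000000000?",
    "dump: ;4111111111111112=25121010000000000?",
    "2013-12-04 10:16:40 pos01 screensaver=on",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(f"line {hit.line_no}: track {hit.track} PAN {hit.masked_pan} exp {hit.expiry}")
```

Run over real logs or a memory dump, the `require_luhn=False` mode is useful when triaging: it shows everything that looks like track data, while the default mode only reports hits that survive the checksum, which is what an alert should be raised on.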

By analyzing the control server, the researchers have discovered that most of the bots are located on devices deployed in US-based retailers and restaurants. Through the interface, the botmasters are able to issue commands to each bot and to observe the machine’s activity.

The server itself and its backup system are located in Moscow and Saint Petersburg, and IntelCrawler CEO Andrey Komarov says that the criminals behind the scheme are a part of the cyber gang dubbed SharkMoney.CC.

Once again, it is unknown how the PoS devices have been infected with the malware in the first place.
