Researchers uncover Point-of-Sale botnet
Posted on 05.12.2013


Researchers from Arbor Networks have spotted an active Point of Sale (PoS) compromise campaign using the Dexter malware or variants of it, aimed at stealing credit and debit card data.

“The exact method of compromise is not currently known, however PoS systems suffer from the same security challenges that any other Windows-based deployment does. Network and host-based vulnerabilities (such as default or weak credentials accessible over Remote Desktop and open wireless networks that include a PoS machine), misuse, social engineering and physical access are likely candidates for infection,” they explained in a recently released report.

The compromised devices are located across the globe, but currently the campaign seems more widespread in the Middle East, India, Myanmar, Malaysia and Indonesia.

At the same time, researchers from US-based IntelCrawler have discovered one of the first botnets known to target PoS terminals. By gaining access to one of the botnet's C&C servers, they found that the botnet is still active, has been running for at least half a year, and has captured data on more than 20,000 credit and debit cards since August.

The malware used to rope the PoS terminals into the botnet is Stardust, a newer and more effective variant of Dexter.

It collects Track 1 and Track 2 card data and other sensitive data stored on the devices, and sends it in encrypted form to remote servers. According to information the researchers shared with Ars Technica, the malware transmits this data only when no one is using the PoS terminal (that is, only while the screensaver is active).

By analyzing the control server, the researchers have discovered that most of the bots are located on devices deployed in US-based retailers and restaurants. Through the interface, the botmasters are able to issue commands to each bot and to observe the machine’s activity.

The server itself and its backup system are located in Moscow and Saint Petersburg, and IntelCrawler CEO Andrey Komarov says that the criminals behind the scheme are part of the cyber gang dubbed SharkMoney.CC.

Once again, it is unknown how the PoS devices have been infected with the malware in the first place.

Copyright 1998-2014 by Help Net Security.