Curt Wilson, Arbor Security Engineering Response Team (ASERT) : Happy Holidays, Point of Sale Malware Campaigns Targeting Credit and Debit Cards
December 2013 by Curt Wilson, Senior Research Analyst with Arbor Networks in the Arbor Security Engineering Response Team (ASERT)
An active Point of Sale (PoS) compromise campaign designed to steal credit and debit card data using the Dexter and Project Hook malware has been detected. Indicators of compromise will be provided for mitigation and detection purposes. Prior to the publication of this Threat Intelligence document (embedded at the end of this post), members of the FS-ISAC, major Credit Card vendors and law enforcement were notified.
Inside Recent Point-of-Sale Malware Campaign Activities
Curt Wilson, Dave Loftus, Matt Bing
It appears that there are at least three distinct versions of Dexter:
1. Stardust (looks to be an older version, perhaps version 1)
2. Millenium (note spelling)
3. Revelation (two observed malware samples; has the capability to use FTP to exfiltrate data)
In early November 2013, ASERT researchers discovered two servers hosting Dexter and other POS malware to include Project Hook. The Dexter campaign looks more active, especially in the Eastern Hemisphere and therefore shall be the main focus herein. Dexter, first documented by Seculert in December 2012, is a Windows-based malware used to steal credit card data from PoS systems. The exact method of compromise is not currently known, however PoS systems suffer from the same security challenges that any other Windows-based deployment does. Network and host-based vulnerabilities (such as default or weak credentials accessible over Remote Desktop and open wireless networks that include a PoS machine), misuse, social engineering and physical access are likely candidates for infection. Additionally, potential brittleness and obvious criticality of PoS systems may be a factor in the reportedly slow patch deployment process on PoS machines, which increases risk. Smaller businesses are likely an easier target due to reduced security. While the attackers may receive less card data from smaller retailers, infections may be more numerous and last longer due to the lack of security reporting and security staff in such environments.
Figure 1: Dexter (Purple) and Project Hook (Orange) infections in the Eastern Hemisphere
Figure 2: Dexter (Purple) and Project Hook (Orange) infections in the western hemisphere
For the full document to include a list of various compromise indicators and information about the back-end infrastructure, please download the full public report -