Friday, December 28, 2012

Malware that steals from point-of-sale systems detected

A data stealer designed to collect users' personally identifiable information from point-of-sale (POS) systems has been detected.

Research by Trend Micro said that the malware was found in POS systems at hotels and other businesses. “Currently, the arrival infector remains undetermined,” said Jason Pantig, senior threat response engineer at the Tokyo-based security software company. However, it is unlikely that the malware is downloaded from malicious sites, as the POS systems are typically not used for web browsing.

Point-of-sale terminals are typically where payment for goods and services occurs, Pantig said. "Given the wealth of data found on these payment hubs, it's expected that these are the next targets of cyber criminal activities.”

The company's analysis determined that BKDR_DEXTR.A, also known as Dexter, downloads files, sends information and checks memory for information, among other tasks.
“The centerpiece of the malware is its ability to collect and send certain information to a remote server,” said Pantig. Some of the data that can be stolen from POS systems includes username, hostnames, a key to decrypt the sent information, OS information and a list of running processes, he said.

This data is then presumably duplicated by remote malicious users. "The malware executable is found to be packed or encrypted and when loaded, it loads long garbage code to decrypt the actual code," he said. However, this decryption routine involves only a combination of XOR and ADD instructions, with the use of a hardcoded key. The perpetrators behind Dexter malware probably did this to make analysis difficult, he added.

Trend Micro further said that unlike other spyware, like Zeus and SpyEye, this malware does not directly infect users' systems to gather data, such as payment card details. “Instead, the crooks behind BKDR_DEXTR figured that they can generate the same result by infecting certain POS systems,” Pantig said.


Wednesday, December 12, 2012

Custom-made malware is infecting POS terminals

A new type of malware aimed at Point-of-Sale (POS) systems has been spotted on machines belonging to big-name retailers, hotels, restaurants, and parking providers located mostly in Northern America and Western Europe.

Dubbed "Dexter" due to a string contained in some of its files, it is still unknown how it infects affected systems.

Seculert researchers shared that over 30 percent of the compromised POS systems use Windows Server editions, which does not point to the usual web-based social engineering or drive-by download infection methods.

According to the researchers, Dexter is custom-made malware that steals the process list from the infected machines, while simultaneously parsing memory dumps of specific POS-software-related processes in search of Track 1/Track 2 credit card data.

The stolen data is sent to a remote server operated by the criminals, then used to clone credit cards and steal money from the victims' accounts.

"Instead of going through the trouble of infecting tens of thousands of consumer PCs or physically installing a skimmer, an attacker can achieve the same results by targeting just a few POS systems with specially crafted malware," the researchers said, pointing out the "beauty" of the scheme.

Thanks to Author: Zeljka Zorz, HNS Managing Editor

Wednesday, October 24, 2012

Hackers steal customer data from Barnes & Noble keypads

Hackers broke into keypads at more than 60 Barnes & Noble bookstores and made off with the credit card information for customers who shopped at the stores as recently as last month.
The company discovered the breach on September 14 but kept it quiet while the FBI attempted to track the hackers. Hackers broke into the point-of-sale terminals at 63 stores across the country, including locations in New York City, San Diego, Miami, and Chicago.
Since discovering the breach, the company has uninstalled all 7,000 point-of-sale terminals from its hundreds of stores for examination. Although only one terminal in each of the 63 targeted stores was found to have been compromised, the company has not reinstalled the keypads.
"Customers can make transactions securely today by asking booksellers to swipe their credit and signature debit cards through the card readers connected to cash registers," the company said in a statement.

The company said it is advising customers to change their personal identification numbers and monitor their credit card statements. It also said it was "working with banks, payment card brands and issuers to identify accounts that may have been compromised, so banks and issuers can employ enhanced fraud security measures on potentially impacted accounts."
The company said its customer database is secure and that purchases made on, Nook, and Nook apps were unaffected.
The practice of credit card skimming has become more frequent in recent years. Last month, two Romanian men pled guilty to hacking point-of-sale terminals at hundreds of Subway sandwich stores in the U.S. to steal credit card data from more than 146,000 accounts. 

by Steven Musil