Friday, December 28, 2012

Malware that steals from point-of-sale systems detected

A data stealer designed to collect users' personally identifiable information from point-of-sale (POS) systems has been detected.

Trend Micro researchers found the malware on POS systems at hotels and other businesses. “Currently, the arrival infector remains undetermined,” said Jason Pantig, senior threat response engineer at the Tokyo-based security software company. It is unlikely, however, that the malware is downloaded from malicious sites, since POS systems are typically not used for web browsing.

Point-of-sale terminals are typically where payment for goods and services occurs, Pantig said. "Given the wealth of data found on these payment hubs, it's expected that these are the next targets of cyber criminal activities.”

The company's analysis determined that BKDR_DEXTR.A, also known as Dexter, downloads files, sends information and scans memory for data, among other tasks.

“The center piece of the malware is its ability to collect and send certain information to a remote server,” said Pantig. Data that can be stolen from POS systems includes usernames, hostnames, a key to decrypt the sent information, OS information and a list of running processes, he said.

This data is presumably then copied off by the remote operators. "The malware executable is found to be packed or encrypted and when loaded, it loads long garbage code to decrypt the actual code," he said. The decryption routine itself, however, involves only a combination of XOR and ADD instructions with a hardcoded key; the perpetrators behind Dexter probably did this to make analysis difficult, he added.
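As an added illustration of the unpacking step Pantig describes (this is not Dexter's code; the key bytes, the ADD-then-XOR order and the sample payload are assumptions constructed for the example), the following Python implements a per-byte XOR/ADD stub and shows why a hardcoded single-byte key barely slows an analyst: a known-plaintext brute force of the 16-bit key space recovers it in well under a second. It goes slightly beyond the page in one respect, showing that such a key is not even unique: flipping the top bit of the XOR key and adding 0x80 to the ADD key yields exactly the same mapping.

```python
"""Per-byte XOR/ADD unpacking stub of the shape described for BKDR_DEXTR.A.

Added example: this is NOT Dexter's code. The key bytes, the packing order
(ADD then XOR) and the sample payload are constructed assumptions chosen to
show why a hardcoded XOR/ADD key slows analysis only briefly.
"""
import itertools

# Constructed key pair; Dexter's real constants are not given on the page.
XOR_KEY = 0x5A
ADD_KEY = 0x17

# Constructed plaintext: a PE-style header prefix plus the familiar DOS stub
# string, so there is known plaintext to test a recovered key against.
SAMPLE_PLAIN = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\n"
)


def pack(buf: bytes, xor_key: int, add_key: int) -> bytes:
    """Packer side (assumed order): c = ((p + add_key) & 0xff) ^ xor_key."""
    return bytes(((p + add_key) & 0xFF) ^ xor_key for p in buf)


def unpack(buf: bytes, xor_key: int, add_key: int) -> bytes:
    """Decryption stub: undo the XOR, then undo the ADD, byte by byte."""
    return bytes(((c ^ xor_key) - add_key) & 0xFF for c in buf)


def recover_keys(packed: bytes, known_prefix: bytes) -> list[tuple[int, int]]:
    """Brute-force the whole 16-bit key space against a known plaintext prefix.

    A single-byte XOR plus a single-byte ADD is only 65,536 candidates, and a
    packed PE body starts with b"MZ" and a predictable header, so the key is
    recovered without reading the obfuscated stub at all. Expect two hits:
    XOR with 0x80 and ADD of 0x80 are interchangeable modulo 256, so
    (x ^ 0x80, (a + 0x80) & 0xff) always aliases (x, a).
    """
    head = packed[:len(known_prefix)]
    return [
        (xk, ak)
        for xk, ak in itertools.product(range(256), repeat=2)
        if unpack(head, xk, ak) == known_prefix
    ]


# Constructed "captured" sample, produced by the assumed packer above.
SAMPLE_PACKED = pack(SAMPLE_PLAIN, XOR_KEY, ADD_KEY)


def analyse(packed: bytes = SAMPLE_PACKED) -> bytes:
    """Recover the key from the first 8 bytes and return the unpacked payload."""
    candidates = recover_keys(packed, b"MZ\x90\x00\x03\x00\x00\x00")
    # Take the first candidate that also reproduces the DOS stub string; the
    # aliased pair decrypts identically, so either survivor is fine.
    for xk, ak in candidates:
        plain = unpack(packed, xk, ak)
        if b"This program cannot be run" in plain:
            return plain
    raise ValueError("no key candidate reproduced the known plaintext")


if __name__ == "__main__":
    print("candidate keys:", [(hex(x), hex(a)) for x, a in
                              recover_keys(SAMPLE_PACKED, b"MZ\x90\x00\x03\x00\x00\x00")])
    print(analyse()[16:].decode(errors="replace"))
```

The practical takeaway is that "packed with XOR and ADD" is an obfuscation against signature matching, not against a person: a few bytes of known plaintext (a PE header, a C2 hostname, a format string) are enough to strip it statically without tracing the garbage code.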

Trend Micro further said that, unlike spyware such as Zeus and SpyEye, this malware does not directly infect users' systems to gather data such as payment card details. “Instead, the crooks behind BKDR_DEXTR figured that they can generate the same result by infecting certain POS systems,” Pantig said.

* Thanks to scmagazine.com

Wednesday, December 12, 2012

Custom-made malware is infecting POS terminals

A new type of malware aimed at point-of-sale (POS) systems has been spotted on machines belonging to big-name retailers, hotels, restaurants, and parking providers located mostly in North America and Western Europe.


The malware, dubbed "Dexter" after a string contained in some of its files, has no known infection vector yet.

Seculert researchers said that over 30 percent of the compromised POS systems run Windows Server editions, which argues against the usual web-based social engineering or drive-by download infection methods.

According to the researchers, Dexter is custom-made malware that steals the process list from the infected machine and, at the same time, parses memory dumps of specific POS software processes in search of Track 1/Track 2 credit card data.

The stolen data is sent to a remote server operated by the criminals, then used to clone credit cards and steal money from the victims' accounts.
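The scraping step Seculert describes, reimplemented here as a defensive scanner rather than the malware's own code (added example; the regexes, the Luhn filter, the masking and the sample memory dump with test card numbers are all constructed for illustration): it walks a process memory image for Track 1 / Track 2 records and keeps only those whose PAN passes the Luhn check, which is the same filter a scraper needs to avoid shipping junk to its server, and the same logic an incident responder can run over a dump to confirm whether card data was exposed in a given process.

```python
"""Track 1 / Track 2 scanner for process memory dumps.

Added example, not Dexter's code and not Seculert's. Shows how magnetic
stripe data is recognised in a raw memory image: fixed sentinel and
separator characters, a 13-19 digit PAN, an expiry and a service code,
with a Luhn check to discard look-alike noise. All sample data is
constructed; the PANs are the usual test numbers, not real cards.
"""
import re

# Track 1 (IATA format): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(
    rb"%B(\d{13,19})\^([A-Z0-9 /.\-]{2,26})\^(\d{4})(\d{3})([0-9 ]*)\?"
)
# Track 2 (ABA format): ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: bytes) -> bool:
    """Standard Luhn mod-10 check on an ASCII digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan.decode("ascii"))):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep BIN and last four only, so findings can be logged safely."""
    return pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode()


def scan_memory(buf: bytes) -> list[dict]:
    """Return Luhn-valid track records found in buf, ordered by offset."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": mask(pan),
                         "name": m.group(2).decode(), "expiry": m.group(3).decode(),
                         "service_code": m.group(4).decode()})
    for m in TRACK2.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": mask(pan),
                         "expiry": m.group(2).decode(),
                         "service_code": m.group(3).decode()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a POS process memory dump: two valid records
# surrounded by padding, plus one Track 2 look-alike whose PAN fails Luhn.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"pos.exe heap "
    + b"%B4111111111111111^DOE/JANE^25121010000000000?"   # Track 1, valid
    + b"\x00" * 7
    + b";5500000000000004=25121015432100000?"             # Track 2, valid
    + b"\x90\x90"
    + b";4111111111111112=2512101?"                        # fails Luhn
    + b"\xff" * 16
)


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_DUMP):
        print(hit)
```

Two things worth noting from the code: the scraper only needs to read the memory of the process that handles the swipe, not intercept the network, which is why encrypting card data in transit does nothing against this class of malware; and the Luhn filter is exactly what makes the exfiltrated data directly usable for card cloning, so the same regex-plus-Luhn pattern is a reasonable hunting signature to look for in suspicious binaries.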

"Instead of going through the trouble of infecting tens of thousands of consumer PCs or physically installing a skimmer, an attacker can achieve the same results by targeting just a few POS systems with specially crafted malware," the researchers pointed out the "beauty" of the scheme.



Thanks to Author: Zeljka Zorz, HNS Managing Editor


Wednesday, October 24, 2012

Hackers steal customer data from Barnes & Noble keypads

Hackers broke into keypads at more than 60 Barnes & Noble bookstores and made off with the credit card information for customers who shopped at the stores as recently as last month.
The company discovered the breach on September 14 but kept it quiet while the FBI attempted to track the hackers. Hackers broke into the point-of-sale terminals at 63 stores across the country, including locations in New York City, San Diego, Miami, and Chicago.
Since discovering the breach, the company has uninstalled all 7,000 point-of-sale terminals from its hundreds of stores for examination. Although only one terminal in each of the 63 targeted stores was found to have been compromised, the company has not reinstalled the keypads.
"Customers can make transactions securely today by asking booksellers to swipe their credit and signature debit cards through the card readers connected to cash registers," the company said in a statement.

The company said it is advising customers to change their personal identification numbers and monitor their credit card statements. It also said it was "working with banks, payment card brands and issuers to identify accounts that may have been compromised, so banks and issuers can employ enhanced fraud security measures on potentially impacted accounts."
The company said its customer database is secure and that purchases made on BarnesandNoble.com, Nook, and Nook apps were unaffected.
The practice of credit card skimming has become more frequent in recent years. Last month, two Romanian men pleaded guilty to hacking point-of-sale terminals at hundreds of Subway sandwich stores in the U.S. to steal credit card data from more than 146,000 accounts.

by Steven Musil
Thanks to http://news.cnet.com 

Thursday, September 27, 2012

POS Hackers Sentenced for Multi-Million Dollar Payment Card Data Theft

Two Romanian nationals have pleaded guilty to participating in an international, multimillion-dollar scheme to remotely hack into and steal payment card data from hundreds of U.S. merchants’ computers, including a large number of Subway restaurants. Federal prosecutors noted that the conspiracies involved more than 146,000 compromised cards and more than $10 million in losses.
Iulian Dolan and Cezar Butu agreed to serve seven-year and 21-month prison sentences, respectively. Dolan, 28, of Craiova, Romania, pleaded guilty to one count of conspiracy to commit computer fraud and two counts of conspiracy to commit access device fraud, while Butu, 27, of Ploiesti, Romania, pleaded guilty to one count of conspiracy to commit access device fraud. A third co-conspirator, Adrian-Tiberiu Oprea, is currently awaiting trial in New Hampshire. The defendants admitted in their guilty pleas that, from roughly 2009 to 2011, they participated in Romanian-based conspiracies to hack into hundreds of U.S.-based computers to steal credit, debit and payment account numbers and associated data. They then used the stolen payment card data to make unauthorized charges on, and/or transfers of funds from, those accounts (or alternatively transferred the stolen payment card data to other co-conspirators who would do the same).
The official judgment is a warning signal to all operators concerning POS security, and it describes how the hackers carried out the scheme. According to the judgment, Dolan admitted that he, along with Oprea, remotely hacked into U.S. merchants’ point-of-sale (POS) systems, where customers’ payment card data was electronically stored.
“Specifically, Dolan first remotely scanned the internet to identify U.S.-based vulnerable POS systems with certain remote desktop software applications (RDAs) installed on them. Using these RDAs, Dolan logged onto the targeted POS systems over the internet. These were typically password-protected, so Dolan would attempt to crack the passwords, where necessary, to gain administrative access. He would then remotely install software programs called ‘keystroke loggers’ (or ‘sniffers’) onto the POS systems. These programs would record, and then store, all of the data that was keyed into or swiped through the merchants’ POS systems, including customers’ payment card data.”
               
The co-conspirators hacked into several hundred U.S. merchants’ POS systems. It was reported that Dolan stole payment card data belonging to approximately 6,000 cardholders and was aware that Oprea was engaged in similar conduct. Dolan would periodically hack back into the compromised merchants’ POS systems to retrieve the card data, which he would transfer to electronic “dump sites,” where the data would then be used to make unauthorized charges and transfers or sold to other conspirators.
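A detection for the intrusion pattern laid out in the plea (added example, not evidence from the case): repeated remote-desktop logon failures from one internet source followed by a success from the same source. It assumes a Windows host whose Security log has been exported as CSV with event 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP); the thresholds, field layout and records are constructed for illustration, and the page itself only says "remote desktop software applications" without naming a product.

```python
"""Flag password-guessing followed by a successful remote-desktop logon.

Added example; not from the case record. Assumes Windows Security events
exported as "timestamp,event_id,logon_type,account,source_ip" where
4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
Events from other logon types (console, network shares) are ignored so a
noisy file server does not drown the remote-access signal.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: six rapid failures across several accounts from one
# external address, then a success for the administrator account from that
# same address; a clerk mistyping once; and an unrelated network logon failure.
SAMPLE_EVENTS = """\
2012-02-03T02:14:05,4625,10,administrator,198.51.100.23
2012-02-03T02:14:07,4625,10,administrator,198.51.100.23
2012-02-03T02:14:09,4625,10,admin,198.51.100.23
2012-02-03T02:14:12,4625,10,pos,198.51.100.23
2012-02-03T02:14:15,4625,10,administrator,198.51.100.23
2012-02-03T02:14:18,4625,10,administrator,198.51.100.23
2012-02-03T02:15:40,4624,10,administrator,198.51.100.23
2012-02-03T09:02:11,4625,10,pos_clerk,10.0.0.5
2012-02-03T09:02:30,4624,10,pos_clerk,10.0.0.5
2012-02-03T11:00:00,4625,3,svc_backup,10.0.0.9
"""

RDP_LOGON_TYPE = 10


def parse_events(text: str) -> list[dict]:
    """Parse the CSV export into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, account, ip = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account.lower(),
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_bruteforce_logons(events: list[dict], threshold: int = 5,
                           window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Alert when a source IP has >= threshold failed RDP logons inside
    `window` and then logs on successfully. Keyed by IP rather than by
    account, because password guessing typically walks several accounts."""
    failures = defaultdict(list)   # ip -> [(timestamp, account), ...]
    alerts = []
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        recent = [(t, a) for t, a in failures[e["ip"]] if e["ts"] - t <= window]
        failures[e["ip"]] = recent
        if e["event_id"] == 4625:
            recent.append((e["ts"], e["account"]))
        elif e["event_id"] == 4624 and len(recent) >= threshold:
            alerts.append({
                "ip": e["ip"],
                "account": e["account"],
                "failures": len(recent),
                "accounts_tried": sorted({a for _, a in recent}),
                "success_at": e["ts"].isoformat(),
            })
            failures[e["ip"]] = []     # reset so one spree yields one alert
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce_logons(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The success event is the one that matters: failures alone from the internet are background noise on any exposed remote-desktop port, but a success that follows a burst of failures from the same address is the moment an attacker in this scheme would start installing a keystroke logger. The complementary preventive controls are the obvious ones from the same plea: do not expose the remote-access service to the internet at all, and enforce lockout and non-default credentials on the accounts it accepts.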
“The Subway case is a clear indication that privileged and administrative accounts are increasingly targeted and used by criminals to steal sensitive information,” says Adam Bosnian, vice president of products, strategy and sales at Cyber-Ark Software www.cyber-ark.com.  “In this case, the attackers were able to simply do an Internet search for remote desktop applications that were used by the restaurants, and through simple password cracking techniques, they were able to gain administrative access to the systems.  This enabled them to easily steal sensitive financial information from unsuspecting customers.”
Bosnian contends that often sensitive accounts are protected by passwords that are too simple or default passwords that are rarely changed. This case is a warning to operators utilizing POS systems to shore up their security by taking steps to make their accounts more difficult to breach and therefore less attractive to hackers.
“These privileged and administrative accounts act as a gateway to any organization’s most sensitive information, which is why they’ve emerged as the primary target for attackers,” Bosnian continues. “The reality is that anyone with an Internet connection can search for, identify and target remote applications that businesses rely on – the problem facing the industry is that there is not sufficient security and protection around the entry points to these applications. Once inside, attackers have free rein on the network. If you examine the list of the recent, high-profile data breaches that have plagued organizations, including Global Payments, the U.S. Chamber of Commerce, the Utah healthcare breach, etc…, the common denominator is that the attackers focused on gaining access to the privileged or administrative accounts.”

- Thanks to HT