The Dexter malware that surfaced a while back in South Africa is now infecting point-of-sale (POS) systems around the globe through variants such as Project Hook. POS malware in general is on the rise, underscoring the risks retailers face in protecting customer card data from cybercriminals.
New Dexter malware campaigns show up around the world
Dexter is a Windows-based malware strain that steals payment card data and relays it to its operators. Most POS malware is dropped directly onto an endpoint or arrives when a user opens a phishing email; Dexter instead goes after the POS software itself, scraping the memory of the payment application for the magnetic-stripe (track) data of each card as it is swiped, while that data is still in the clear. How Dexter first gets onto a machine is not known, but once a machine is compromised it begins communicating with command-and-control servers.
There are three basic versions of Dexter, called Stardust, Millennium and Revelation. Revelation is the most recent and can exfiltrate files over file transfer protocol (FTP) in addition to HTTP, a new twist in POS malware tactics. However, the use of FTP may indicate that recent Dexter campaigns have been relatively small in scope.
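As an added example (this is not code from the original article, nor from any Dexter sample), the block below shows the pattern a RAM-scraping POS malware such as Dexter hunts for in process memory, and that a defender can run just as well over an outbound FTP or HTTP body to catch the exfiltration described above. The Track 1 and Track 2 layouts follow the magnetic-stripe card standard; the function names are my own, and the sample upload body is constructed for this example from public test card numbers.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Magnetic-stripe formats as they sit in a POS process's memory after a swipe.
# Track 1 (format B):  %B<PAN>^<NAME>^<YYMM><service code + discretionary data>?
# Track 2:             ;<PAN>=<YYMM><service code + discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})[^?]{0,100}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[^?]{0,100}\?")


@dataclass
class TrackHit:
    track: int    # 1 or 2
    pan: str      # full primary account number (only ever log it masked)
    expiry: str   # YYMM
    name: str     # cardholder name, empty for Track 2


def luhn_ok(pan: str) -> bool:
    """Luhn check: separates real PANs from numeric noise in a memory dump."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track_data(buf: bytes) -> list[TrackHit]:
    """Scan an arbitrary byte buffer (memory region, FTP/HTTP body) for track data."""
    hits: list[TrackHit] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(1, pan, m.group(3).decode(), m.group(2).decode()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(2, pan, m.group(2).decode(), ""))
    return hits


def mask_pan(pan: str) -> str:
    """PCI-style masking: keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def exfil_alerts(payload: bytes) -> list[str]:
    """Egress check: one alert line per card found in an outbound payload."""
    return [f"track{h.track} pan={mask_pan(h.pan)} exp={h.expiry}"
            for h in find_track_data(payload)]


# Constructed sample (not real traffic): an FTP upload body as a Dexter-style
# scraper might send it, with two Luhn-valid public test PANs and one numeric
# decoy that fails the Luhn check and so is not a card number.
SAMPLE_UPLOAD = (
    b"\x00\x00%B4111111111111111^DOE/JOHN^2512101000000000000?\x00"
    b"junk;5555555555554444=2603101234567890?\x00"
    b";1234567890123456=2501000?\x00"
)

if __name__ == "__main__":
    for line in exfil_alerts(SAMPLE_UPLOAD):
        print(line)
```

Run stand-alone, the script reports the two genuine cards (masked) and drops the decoy on the Luhn check. Malware that encodes or encrypts its uploads defeats the egress version of this check, which is why the same scan is also worth running over memory dumps of the POS process on a suspect host.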
Why does Dexter specifically target POS systems? Beyond handling high-value payment card data, they are often poorly secured. Some POS deployments have no dedicated payment server and instead run the payment process on machines that are handling other operations at the same time.
This practice creates security risks: the payment path inherits every weakness of the other software sharing the machine, and too much sensitive data ends up concentrated in one place. On top of that, many POS systems are protected only by weak or default passwords and are reachable from the Internet.
In this sense, malware like Dexter is opportunistic: it preys on retailers and other organizations that have overlooked basic IT security hygiene. A study from last year found that keyloggers, backdoors and password attacks were among the leading entry points for data breaches at healthcare organizations, many of which came through a compromised POS system.
A larger issue may be that many organizations outsource POS infrastructure management to third parties, an arrangement that almost always means remote access and administrator privileges are enabled on the endpoints. An attacker can use those same capabilities if they are not properly locked down, for instance if the remote-access service answers to any Internet address or still uses the vendor's shared credentials.
Retailers and healthcare organizations face real challenges in securing their POS systems, but restore-on-reboot software helps them stay on top of things. If a configuration looks wrong or an endpoint is infected with malware, administrators can simply reboot the affected machine and return it to a known-good disk state. Note that this does not by itself undo card data already scraped before the reboot, nor close the entry point the malware used, so it belongs alongside, not instead of, access controls: IT departments can also protect workstations from unauthorized access and implement one-time passwords, lowering overall risk.