The pesky Dexter point-of-sale malware, discovered more than a year ago, remains active primarily in Russia, the Middle East and Southeast Asia, while its cousin Project Hook is finding similar success in the United States, prompting experts to sound an alarm as holiday commerce ramps up.
Dexter and Project Hook differ from more traditional point-of-sale attacks, which rely on skimmers physically installed on endpoints or on phishing emails luring users on the Windows machines hosting the PoS software. Instead, the malware is injected into files hosted on Windows servers and then scrapes credit card numbers as they're entered via the PoS system.
Arbor Networks senior research analyst Curt Wilson said the two new Dexter servers were found in November; law enforcement as well as the Financial Services Information Sharing and Analysis Center (FS-ISAC) were informed. Wilson said that during a two-week period when Arbor researchers were monitoring activity on the servers, they saw 533 infected endpoints call back to the command and control infrastructure.
"The way the attackers had the server set up, we saw credit card data posted to the site," Wilson said. "The attackers were clearing the log files periodically, so there's no telling how long these campaigns have been ongoing."
Arbor identified three versions of Dexter: Stardust, which is likely the original version; Millenium; and Revelation. "Revelation is likely the latest version and it is capable of moving stolen data not only over HTTP as previous versions, but also over FTP, a first for POS malware," Wilson said. Wilson added that Arbor researchers have not been able to determine how the initial infections are happening. The two command servers, he said, are no longer online.
Dexter was discovered more than a year ago by researchers at Seculert, who reported at the time that campaigns were claiming victims at big retail operations, hotels and restaurants. At the time there were victims in 40 countries, most of them in the U.S. and the United Kingdom.
"Dexter is stealing the process list from the infected machine, while parsing memory dumps of specific POS software related processes, looking for Track 1 / Track 2 credit card data," Seculert CTO Aviv Raff wrote in a blog post last December. "This data will most likely be used by cybercriminals to clone credit cards that were used in the targeted POS system."
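The Track 1 / Track 2 data Raff describes has a fixed magnetic-stripe layout, which is what makes it easy to scrape from process memory. The same fact works for the defender: the following added example (not code from the article, Seculert or Arbor) scans a buffer for track-formatted records, validates the PAN with the Luhn check to weed out look-alike digit runs, and reports findings with the PAN masked. It is the kind of check a PoS operator can run against a memory dump of the payment application or against captured outbound traffic to confirm whether unencrypted track data is exposed. The test-PAN buffer is constructed for the example.

```python
import re
from dataclasses import dataclass

# Magnetic-stripe track layouts (ISO 7813). Track 1 starts with "%B", fields separated
# by "^"; Track 2 starts with ";", PAN separated from the rest by "=". Both end with "?".
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: separates real PANs from digit runs that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so a finding can be reported without the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    track: int        # 1 or 2
    offset: int       # byte offset in the scanned buffer
    masked_pan: str
    expiry: str       # YYMM as stored on the stripe
    luhn_valid: bool


def scan_buffer(buf: bytes) -> list:
    """Return every track-formatted record found in buf, ordered by offset."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append(TrackHit(1, m.start(), mask_pan(pan), m.group(3).decode(), luhn_ok(pan)))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append(TrackHit(2, m.start(), mask_pan(pan), m.group(2).decode(), luhn_ok(pan)))
    return sorted(hits, key=lambda h: h.offset)


def exposed_pans(buf: bytes) -> list:
    """Masked PANs that pass Luhn, i.e. the records that are genuinely exposed."""
    return [h.masked_pan for h in scan_buffer(buf) if h.luhn_valid]


# Constructed stand-in for a PoS process memory dump: two well-formed records built from
# public test PANs, plus one Track 2-shaped decoy whose PAN fails the Luhn check.
SAMPLE_DUMP = (
    b"\x00\x00pos.exe\x00\x00"
    b";4111111111111111=2512101000000000?"
    b"\x90\x90TXN OK\x00"
    b"%B5500000000000004^DOE/JANE^2512101000000000?"
    b"\x00"
    b";4111111111111112=2512101000?"
    b"\x00\x00"
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_DUMP):
        print(hit)
    print("exposed:", exposed_pans(SAMPLE_DUMP))
```

If this scanner finds Luhn-valid records in a dump of the payment process, the terminal is holding cleartext track data in memory and a scraper like Dexter would find it just as easily; the fix is on the application and hardware side (point-to-point encryption at the reader), not in the scanner.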
Point-of-sale systems present hackers with a target-rich environment. The systems are often reachable online and are usually guarded with default or weak passwords that are child's play for a brute force or dictionary attack. The last two Verizon Data Breach Investigations Reports have identified small retailers and hospitality providers as the primary victims in such opportunistic attacks because of their limited security resources.
"The data being exfiltrated that we've seen suggests that the compromised machines are doubling up functions and running point of sale on a machine doing something else. PoS machines should be dedicated, locked down and have special policies applied to them," Wilson said. "That's a bad practice, to pile so much on one system. An attacker with access to credit card data would also have access to anything else the management system has access to."
Wilson said that the initial infections could be happening either via phishing emails luring victims to sites hosting Dexter or Project Hook, or via attackers taking advantage of default credentials to access these systems remotely.
"With the holidays, there's going to be more PoS activity and a higher volume of transactions. Now would be a good time to fortify security," Wilson said. "The basics should cover this. There are IDS signatures written for this malware, and there are indicators of compromise floating around; basic antimalware should catch the process-injection techniques used here."
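Beyond signatures and published indicators, the behaviour Arbor observed (hundreds of terminals calling back to the same server, with stolen data posted over HTTP and, in the Revelation variant, FTP) is detectable from egress logs alone, because a dedicated PoS terminal has no business talking HTTP or FTP to anything but its payment gateway and vendor update host. The following is an added example, not code from the article or Arbor: it parses constructed key=value firewall log lines, flags HTTP/FTP connections from the PoS subnet to destinations outside an allowlist, and then groups the flagged connections by destination so that a single host collecting callbacks from many terminals stands out. The subnet, allowlist, log format and addresses are all assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed network layout for the example: PoS terminals live in one subnet and may only
# reach the payment gateway and the vendor's update host over HTTP/FTP.
POS_SUBNET = ipaddress.ip_network("10.1.5.0/24")
ALLOWED_DESTINATIONS = {"gateway.payments.example", "updates.pos-vendor.example"}
WATCHED_PROTOCOLS = {"http", "ftp"}   # the channels Dexter was seen using for exfiltration


def parse_line(line: str) -> dict:
    """Turn a 'key=value key=value' log line into a dict; unknown tokens are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_suspicious(rec: dict) -> bool:
    """A PoS terminal speaking HTTP/FTP to a host that is not on the allowlist."""
    try:
        src = ipaddress.ip_address(rec["src"])
    except (KeyError, ValueError):
        return False
    return (src in POS_SUBNET
            and rec.get("proto") in WATCHED_PROTOCOLS
            and rec.get("dst") not in ALLOWED_DESTINATIONS)


def analyze(lines) -> tuple:
    """Return (flagged records, {destination: number of distinct PoS callers})."""
    alerts = []
    callers_by_dst = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if is_suspicious(rec):
            alerts.append(rec)
            callers_by_dst[rec["dst"]].add(rec["src"])
    return alerts, {dst: len(srcs) for dst, srcs in callers_by_dst.items()}


def likely_c2(callers_by_dst: dict, min_hosts: int = 3) -> list:
    """Destinations contacted by at least min_hosts distinct terminals: one stray connection
    is noise, the same unknown host collecting from many terminals is a callback server."""
    return sorted(dst for dst, n in callers_by_dst.items() if n >= min_hosts)


# Constructed firewall log excerpt. 203.0.113.10 (a documentation address) plays the
# unknown collection server; 10.1.7.40 is an office workstation outside the PoS subnet.
SAMPLE_LOG = [
    "ts=2013-12-05T09:14:02 src=10.1.5.21 proto=http dst=gateway.payments.example dport=443 bytes=1204",
    "ts=2013-12-05T09:14:30 src=10.1.5.21 proto=http dst=203.0.113.10 dport=80 bytes=812",
    "ts=2013-12-05T09:15:01 src=10.1.5.22 proto=http dst=203.0.113.10 dport=80 bytes=799",
    "ts=2013-12-05T09:15:44 src=10.1.5.23 proto=ftp dst=203.0.113.10 dport=21 bytes=2048",
    "ts=2013-12-05T09:16:10 src=10.1.7.40 proto=http dst=203.0.113.10 dport=80 bytes=300",
    "ts=2013-12-05T09:16:30 src=10.1.5.22 proto=http dst=updates.pos-vendor.example dport=443 bytes=50213",
]

if __name__ == "__main__":
    alerts, callers = analyze(SAMPLE_LOG)
    for rec in alerts:
        print("flagged:", rec["src"], rec["proto"], "->", rec["dst"])
    print("likely callback servers:", likely_c2(callers))
```

The allowlist is the real control here: once PoS terminals are dedicated and locked down as Wilson recommends, the set of legitimate destinations is small enough to enumerate, and everything else is an alert worth reading.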
Meanwhile, Ars Technica reported today the discovery of the first botnet targeting point-of-sale systems. A Los Angeles security company called IntelCrawler found the botnet, which had infected close to 150 Subway sandwich shops, stealing 146,000 credit card numbers.