POS users: A new attack has been discovered

 
Jan. 9, 2013 | by Brad Cyprus

During the Christmas holidays, families across America were anxiously awaiting the day of merriment and joy when they could rip open their presents, spend time with family, and watch football on the couch while recovering from a feast fit for a king. Computer hackers were looking forward to the holidays as well. They were busy creating a little piece of code called “Dexter” that is capable of stealing data from point-of-sale (POS) systems, and it has been stealing credit cards this holiday season.

While Dexter is not the first custom created code designed to attack POS systems directly, it has been one of the most successful ones in recent history with potentially 200-300 retailers (no telling how many individual locations this includes) affected by it, according to an article published by Dark Reading last month. The article credits the security firm Seculert for first detecting and publishing information about Dexter on its website. A link to their findings can be found here.

So is this just an interesting technological achievement that has no real impact on retailers, or is it something that you should be concerned about if you run a POS system? Well, as someone who spends almost all his time helping people manage and maintain good security I would suggest that this threat should be treated as a real issue. I am not alone either. Credit card processor, First Data, and credit card company, Visa, agree with me on this one as well.

On December 24th, First Data issued a warning to several merchants about Dexter claiming that Visa has received several reports of POS systems being compromised by the malware. The good thing about this notification is that it not only describes the problem, but it includes steps a merchant can take to see if they have been compromised. The warning includes the following URLs and IP addresses that should alert you that your system might have been compromised (we have identified potentially 2 more IP addresses and we are including those below as well):

  • 11e2540739d7fbea1ab8f9aa7a107648.com
  • 7186343a80c6fa32811804d23765cda4.com
  • e7dce8e4671f8f03a040d08bb08ec07a.com
  • e7bc2d0fceee1bdfd691a80c783173b4.com
  • 815ad1c058df1b7ba9c0998e2aa8a7b4.com
  • 67b3dba8bc6778101892eb77249db32e.com
  • fabcaa97871555b68aa095335975e613.com
  • 50.116.41.199 (added by VendorSafe)
  • 173.255.196.136
  • 176.31.62.77
  • 176.31.62.78 (added by VendorSafe)

If any of your systems are sending data to these addresses, you should be concerned. At the very least, if you are reading this posting, and you do not know how to determine if you have been compromised, seek professional guidance. Your anti-virus software will probably not be an effective tool against this particular malware because it will take time for the virus signatures to be updated to detect it. This is not something that you should ignore. If you do not feel up to the task of detecting the presence of the malware yourself, contact your IT resource to assist you, or engage with a firm that can.

Have a safe and happy New Year.


Topics: Payments , PCI Compliance , POS , Security , Technology


Brad Cyprus / Bradley K. Cyprus has more than 20 years experience in the security industry. He manages the development of in-house solutions to validate compliance, and he is a resource that Vendor Safe customers can rely upon to help interpret the PCI standard.
www View Brad Cyprus's profile on LinkedIn

Related Content


Latest Content


comments powered by Disqus

 

TRENDING

 

WHITE PAPERS