Experts from Seculert, an Israeli IT security company, have reported the discovery of an unusual virus that in recent months has infected POS terminals in 40 countries.
Once it has infected a terminal, the virus, named Dexter after a string found in some of its components, steals cardholder data passing through that terminal. According to the experts, data on tens of thousands of credit and debit cards has been stolen so far.
Dexter infects POS terminals running Windows in the stores of large retailers, as well as in hotels, restaurants and even the offices of private car parks. The first samples of Dexter were found during research into other threats. When the experts analyzed the virus, they were able to gain access to its management server, which is located in the Seychelles. The stolen bank card data is sent to this server.
In addition to payment card information, Dexter sends the management server a list of the processes running on the affected system. After receiving the list, the cybercriminals check the processes against a particular set of POS programs. If any of the processes corresponds to specific software, the operators of the virus instruct it to capture memory and transmit the image to the management server.
The memory images are examined with a special tool running on the management server. This utility extracts from the image completely unencrypted data on customers' payment cards, including the “Track 1” and “Track 2” codes. This information is normally stored on the magnetic stripe and can be used to clone cards.
Since the Dexter attack is still in its active phase, it is difficult for the researchers to determine the exact number of infected POS terminals. At the moment, however, the number is estimated at about 200-300 machines. The total number of compromised cards is also difficult to estimate, but data on ten thousand or so cards has been stolen in the last few weeks.
According to statistics that Seculert's experts took from the virus's management server, about 30% of the infected PoS terminals are located in the USA, 19% in Great Britain and another 9% in Canada. Organizations from Russia, the Netherlands, Spain, the Republic of South Africa, Italy, France, Poland, Brazil, Turkey and some other countries were also affected. The attack is thus truly global in character.
The location of the cybercriminals running Dexter has not been determined precisely. At the same time, some parts of the code, according to Seculert, indicate that the authors are fluent in English. Usually virus writers use words from their native language, especially when creating such unusual viruses as Dexter. Seculert also gives statistics on the share of operating systems on the infected PoS terminals: a little more than 50% run Windows XP, 17% run Windows Home Server, 9% run Windows Server 2003 and another 7% run Windows 7.