“DEXTER MALWARE” A new threat in Kenya banking sector

Even though the malware was discovered in December 2012 (Visa Security Alert, 2012), Dexter is causing havoc for bank and point of sale terminals in South Africa, “Secure Data Africa chief technology officer Wayne Olsen says consumers should still be concerned as it is a “well-known fact” that over the festive season there is a marked increase in malware and virus attacks by criminals seeking financial gain.

South Africa’s banks suffered tens of millions of rand worth in losses due to a major breach of customer card data by criminal syndicates that infected electronic point-of-sale (POS) terminals using a variant of the Trojan horse malicious software called Dexter (techcentral.co.za, 5 November 2013).

Dexter is intended to steal payment card information from POS systems (track data from magnetic stripes) by utilizing of a Command and Control (C&C) communication channel for data exfiltration.

This should raise a red flag for system and network administrators; they should take caution and ensure that there are mechanisms in advance to detect the malware and report mechanisms.

This is because Kenya shares a lot in common with South Africa in banking industry therefore this should send an alert to the local banks to raise the security level to ensure that the malware does not infect their POS infrastructure.

What is ‘Dexter Malware?

It is a computer virus which infects computers running Microsoft Windows and was revealed by IT security firm Seculert, in December 2012 (trusteer.com, October 24, 2013). It falls in a category of virus called ‘Trojan Horse’ that does not replicate by itself and gains administrator access to the operating system (OS) [of POS] while appearing to perform a desirable function with the intention of delivering a “payload” with a backdoor that allows unauthorized access to the POS. The payload allows hackers to upload customer data to the attackers’ remote servers hosted in Republic of Seychelles. The data is used to obtain customer card details and use them to steal, propagate fraud, clone bank cards and sell the information to underground forums.  The malware does not affect the card verification value (CVV) numbers and Pins. (Visa Security Alert, 2012).

The versions of windows affected are; 50 percent of the infected systems run Windows XP, 17 percent run Windows Home Server, 9 percent run Windows Server 2003 and 7 percent run Windows 7 (trusteer.com, October 24, 2013).

How POS get infected

 POS systems are infected via drive-by downloads, misconfigured firewalls, using manufacturer system default passwords, and public Wi-Fi.

Dealing with Infected POS Devices

 a.        System Users / Agents

 Take the device offline (remove the network connection cable) and switch off to prevent propagation in the network;

b.       IT Administrators

 If the POS system is infected, remove it from network and consider using dial-up temporarily until entity believes the environment has been contained (Visa Security Alert, 2012);

  • Block the malicious IPs and domains (listed below) on the firewall and intrusion detection system;
  • Notify the manufacturer.

4.        Mitigation strategy POS environment from ‘Dexter’

  1. Visa recommends that clients, merchants, and agents review the list below of malicious domains and IP addresses to monitor and block them from their firewall, Intrusion Detection System (IDS), and Intrusion Prevention System (IPS) rule;
  • 11e2540739d7fbea1ab8f9aa7a107648.com
  • 7186343a80c6fa32811804d23765cda4.com
  • e7dce8e4671f8f03a040d08bb08ec07a.com
  • e7bc2d0fceee1bdfd691a80c783173b4.com
  • 815ad1c058df1b7ba9c0998e2aa8a7b4.com
  • 67b3dba8bc6778101892eb77249db32e.com
  • fabcaa97871555b68aa095335975e613.com
  • 173.255.196.136
  • 176.31.62.77
  1. POS systems are up-to-date with manufacturer authorized security patches;
  2. Implement file integrity monitoring (FIM) and network-based intrusion detection on POS systems and related networks to detect abnormal behavior;
  3. For POS using public Wi-Fi; Segmenting the public network from POS network;
  4. Implement logging and monitor logs for abnormal behaviour (Visa Security Alert, 2012);
  5. System owners to champion POS environment to be certified using the Payment Card Industry Data Security Standards (PCI-DSS) and Europay, MasterCard and Visa (EMV) standards.

References

[1]        Dexter malware still a threat: expert. Retrieved 8th November, 2013, from http://www.techcentral.co.za/dexter-malware-still-a-risk-expert/44828/

[2]        Visa (2012),Visa Data Security Alert December 2012.Visa. Retrieved 8th November, 2013, from http://www.techcentral.co.za/dexter-malware-still-a-risk-expert/44828/

[3]        Protecting POS Systems from Dexter and Other Advanced Malware. Retrieved 8th November, 2013, from http://www.trusteer.com/blog/protecting-pos-systems-from-dexter-and-other-advanced-malware

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s