South African banks have sustained millions of dollars' worth of losses after criminals obtained payment card data from electronic point-of-sale terminals infected with Dexter malware, according to published news reports.
Hundreds of thousands of people have probably been affected by the fraud, which was primarily focused on KFC outlets and other South African fast-food restaurants, Bloomberg News reported Tuesday. The news service quoted an official with the Payments Association of South Africa as saying: “There’s not a single bank that hasn’t been affected.” In all, losses come to tens of millions of South African rand, which converts to millions of US dollars.
South Africa-based TechCentral, citing Payments Association CEO Walter Volker, said the card data was obtained from point-of-sale terminals infected with malicious software known as Dexter malware. The Dexter malware, which uploads the contents of a terminal’s computer memory to remote servers controlled by criminal syndicates, first came to light ten months ago. It’s capable of isolating payment cards’ Track 1 and Track 2 data contained in memory dumps. Previously, it had infected hundreds of terminals at big-name retailers, hotels, restaurants, and other businesses located in North America and Europe, according to researchers at Seculert, the Israel-based security firm believed to have discovered Dexter malware. The Dexter malware gets its name from a text string found in one of its files.
“It took quite a while to get to the bottom of [this incident], because it was not the standard Dexter malware, which has been around for a while, and which many antivirus software programs can pick up,” Volker told TechCentral. “This one was a variant that was changed to [avoid detection] by the antivirus software.”
When customers used their cards at one of the affected restaurants, the infected terminals sent the data to criminals who were most likely located in another country, Volker said. Card verification value numbers located on the backs of cards weren’t affected by the malware, preventing the operators from making many online purchases against the cards. Still, the card data may be sold in underground forums and exploited to make card clones that can be used in physical stores.
Researchers still don’t know precisely how Microsoft Windows-based terminals are infected by Dexter. Terminals typically aren’t used to browse websites or read e-mail, making it unlikely that drive-by Web exploits or phishing e-mails are the culprits. More likely vectors are the administration tools used to remotely update the point-of-sale computers. A few years ago, a group of Romanian men was indicted for ringing up $3 million in fraudulent charges after exploiting weakness in remote desktop software used at 150 Subway Sandwich shops and 50 small retailers.