Close Menu
TechCentralTechCentral

    Subscribe to the newsletter

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    Facebook X (Twitter) YouTube LinkedIn
    WhatsApp Facebook X (Twitter) LinkedIn YouTube
    TechCentralTechCentral
    • News

      Vodacom’s Maziv deal gets makeover ahead of crucial hearing

      18 July 2025

      Cut electricity prices for data centres: Andile Ngcaba

      18 July 2025

      Takealot taps Mr D to deliver toys, pet food and future growth

      18 July 2025

      ‘Oh, Ani!’: Elon’s edgy bot stirs ethical storm

      18 July 2025

      Trump U-turn on Nvidia spurs talk of grand bargain with China

      18 July 2025
    • World

      Grok 4 arrives with bold claims and fresh controversy

      10 July 2025

      Samsung’s bet on folding phones faces major test

      10 July 2025

      Bitcoin pushes higher into record territory

      10 July 2025

      OpenAI to launch web browser in direct challenge to Google Chrome

      10 July 2025

      Cupertino vs Brussels: Apple challenges Big Tech crackdown

      7 July 2025
    • In-depth

      The 1940s visionary who imagined the Information Age

      14 July 2025

      MultiChoice is working on a wholesale overhaul of DStv

      10 July 2025

      Siemens is battling Big Tech for AI supremacy in factories

      24 June 2025

      The algorithm will sing now: why musicians should be worried about AI

      20 June 2025

      Meta bets $72-billion on AI – and investors love it

      17 June 2025
    • TCS

      TCS+ | Samsung unveils significant new safety feature for Galaxy A-series phones

      16 July 2025

      TCS+ | MVNX on the opportunities in South Africa’s booming MVNO market

      11 July 2025

      TCS | Connecting Saffas – Renier Lombard on The Lekker Network

      7 July 2025

      TechCentral Nexus S0E4: Takealot’s big Post Office jobs plan

      4 July 2025

      TCS | Tech, townships and tenacity: Spar’s plan to win with Spar2U

      3 July 2025
    • Opinion

      A smarter approach to digital transformation in ICT distribution

      15 July 2025

      In defence of equity alternatives for BEE

      30 June 2025

      E-commerce in ICT distribution: enabler or disruptor?

      30 June 2025

      South Africa pioneered drone laws a decade ago – now it must catch up

      17 June 2025

      AI and the future of ICT distribution

      16 June 2025
    • Company Hubs
      • Africa Data Centres
      • AfriGIS
      • Altron Digital Business
      • Altron Document Solutions
      • Altron Group
      • Arctic Wolf
      • AvertITD
      • Braintree
      • CallMiner
      • CambriLearn
      • CYBER1 Solutions
      • Digicloud Africa
      • Digimune
      • Domains.co.za
      • ESET
      • Euphoria Telecom
      • Incredible Business
      • iONLINE
      • Iris Network Systems
      • LSD Open
      • NEC XON
      • Network Platforms
      • Next DLP
      • Ovations
      • Paracon
      • Paratus
      • Q-KON
      • SevenC
      • SkyWire
      • Solid8 Technologies
      • Telit Cinterion
      • Tenable
      • Vertiv
      • Videri Digital
      • Wipro
      • Workday
    • Sections
      • AI and machine learning
      • Banking
      • Broadcasting and Media
      • Cloud services
      • Contact centres and CX
      • Cryptocurrencies
      • Education and skills
      • Electronics and hardware
      • Energy and sustainability
      • Enterprise software
      • Fintech
      • Information security
      • Internet and connectivity
      • Internet of Things
      • Investment
      • IT services
      • Lifestyle
      • Motoring
      • Public sector
      • Retail and e-commerce
      • Science
      • SMEs and start-ups
      • Social media
      • Talent and leadership
      • Telecoms
    • Events
    • Advertise
    TechCentralTechCentral
    Home » In-depth » How the Dexter malware works

    How the Dexter malware works

    By Duncan McLeod17 October 2013
    Twitter LinkedIn Facebook WhatsApp Email Telegram Copy Link
    News Alerts
    WhatsApp

    credit-card-640

    A major security breach involving the theft of South African bank account holders’ details by one or more criminal syndicates may go down as one of the worst such incidents in the country’s history. Criminals infected point-of-sale (POS) terminals in South African fast-food outlets and restaurants with a variant of malware called Dexter.

    But what is Dexter and how does it work?

    TechCentral reported on Tuesday that a variant of the Dexter malware had been inserted into POS terminals — the bank-card readers used in retail outlets and elsewhere — which criminals then used to steal customers’ account numbers. Syndicates typically use these numbers to manufacture cloned cards, which they then use in physical retail stores to buy goods and services.

    South African banks first became aware of the problem earlier this year. Local police, Interpol and Europol are now all involved in a multinational investigation to bring the syndicate or syndicates responsible for the data breach to book.

    Payments Association of South Africa (Pasa) CEO Walter Volker told TechCentral on Tuesday that the data breach, which affects most local card-issuing banks, is significant — running into tens of millions of rand.

    According to information security company Symantec, the card holders’ numbers were stolen using a Trojan that belongs to the Infostealer.Dexter family of malware.

    Wikipedia describes a Trojan as a “hacking program that is a non-self-replicating type of malware that gains privileged access to the operating system [of a device] while appearing to perform a desirable function”. In reality it contains a “malicious payload” that often also has a “backdoor” that allows unauthorised access to the target device.

    Symantec explains that the Infostealer.Dexter Trojan reads the content of an infected POS terminal’s memory, “looking for data from track one and two of the magnetic stripe on the back of bank cards”.

    “The malware then uploads the data to the attackers’ remote servers,” it explains. “While customers’ card verification value (CVV) numbers or Pins were unaffected by the breach, cyber criminals could use the rest of the stolen data to clone bank cards or may sell the information on underground forums.”

    Pasa’s Volker told TechCentral on Tuesday that authorities had already picked up incidents of South African card numbers, compromised by the Dexter variant-infected POS terminals, being used to make in-store purchases in the US. This had led to arrests.

    Denis Makrushin, technology positioning manager at Moscow-based security specialist Kaspersky Lab, says that this type of activity, involving POS terminals, is “relatively rare” worldwide. However, cyber criminals are “always on the lookout for new opportunities”.

    “Skimming card details is not a million miles away from [what’s happened], though conceptually the difference here is access to a bulk of information in one fell swoop,” Makrushin says. “It may be harder to do, but the motivation lies in the fact that the rewards are significantly bigger.”

    A similar incident occurred in October 2012, when criminals gained access to POS devices in retailer Barnes and Noble in the US to steal credit card information, Makrushin adds. The largest numbers of this type of malware infection are in the US.

    He says an “endpoint-security solution” must be installed on each POS terminal to prevent the potential theft of customer information.

    “The malware uses standard techniques such as ‘process-injecting’ and sending data to a remote server, so the security solution should have antivirus and firewall features … and any payment information — the card holder’s name, card number, CVV number — should be encrypted in processing on the terminal.”

    Andrew Kirkland, regional director at Trustwave, explains that the Dexter malware targets Windows-based POS terminals and steals track data from magnetic stripes and sends this to central command-and-control servers.

    “This latest breach demonstrates why all businesses, including franchises, cannot overlook security,” Kirkland says. He cites Trustwave research that shows the primary targets of cyber criminals in 2012 were retail (45%), food and beverage (24%) and hospitality (9%).

    “There are several contributing factors to this continuing trend, such as the fact that the sheer volume of payment cards used in these industries makes them obvious targets, as well as the fact that the main focus of organisations operating in these spaces is customer service, not data security,” he says.  — (c) 2013 NewsCentral Media

    • SA banks in massive data breach
    • Bank cards data breach: Pasa statement


    Andrew Kirkland Denis Makrushin Dexter Dexter malware Kaspersky Kaspersky Lab Pasa Payments Association of South Africa Symantec Trustwave Walter Volker
    Subscribe to TechCentral Subscribe to TechCentral
    Share. Facebook Twitter LinkedIn WhatsApp Telegram Email Copy Link
    Previous ArticleApple brings iTunes vouchers to SA
    Next Article The changing shape of African telecoms

    Related Posts

    Kaspersky to shut its US business under pressure

    16 July 2024

    Biden to ban US sales of Kaspersky antivirus software

    20 June 2024

    Generation Z will change IT forever

    14 August 2023
    Company News

    Vertiv to acquire custom rack solutions manufacturer

    18 July 2025

    SA businesses embrace gen AI – but strategy and skills are lagging

    17 July 2025

    Ransomware in South Africa: the human factor behind the growing crisis

    16 July 2025
    Opinion

    A smarter approach to digital transformation in ICT distribution

    15 July 2025

    In defence of equity alternatives for BEE

    30 June 2025

    E-commerce in ICT distribution: enabler or disruptor?

    30 June 2025

    Subscribe to Updates

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    © 2009 - 2025 NewsCentral Media

    Type above and press Enter to search. Press Esc to cancel.