STE WILLIAMS

First Mac OS X fake installer pops up, racks up your mobe bill

Crooks have developed a new Mac OS X-specific Trojan that mimics the behaviour of a legitimate software installer.

Trojan-SMSSend-3666, which poses as an application for listening to music on a popular Russian social networking site, attempts to hoodwink marks into handing their mobile number to activate the radio app. Users are asked to enter their phone number into an appropriate field and then specify the code sent to the mobile in an SMS.

In the process, victims are charged for a premium-rate text message and sign themselves up for regular debits. In return they get, at best, an application that can be downloaded for free from elsewhere on the net.

“The malicious scheme used to spread this Trojan is notorious among many Windows users but until now it hasn’t been employed to deceive owners of Macs,” notes Russian antivirus firm Dr Web.

Trojan-SMSSend-3666 was built using “affiliate programme” ZipMonster, which helps fraudsters craft fake installers and assists in collecting payments for the distributors of the malware. Crooks have been encouraged to migrate from cooking up fake Windows installers to creating fraudulent Mac OS X apps, in this case a fake VKMusic 4 for Mac OS X set-up utility.

Dr Web has a full write-up of the threat, including screenshots, in a blog post here. The Next Web notes that Apple has updated its virus definition files to block the scam.

This won’t, of course, prevent possible future variants of the malware emerging, which may appear under a slightly different guise. The days of Windows-only desktop malware are long over, certainly since the appearance of the Flashback Trojan this year. If you’re an Apple Mac OS X user on the web, caution is advised.

Fake installer scams have already been seen in the field of smartphone malware. Some notable cases of premium service abusers include malicious versions of Bad Piggies and Adobe Flash Player for Android, Trend Micro reports. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/17/mac_fake_installer_malware/

‘We are screwed!’ Fonts eat a bullet in Microsoft security patch

Windows users were surprised to find that a Microsoft security update stopped fonts from working on their PCs.

Security update KB2753842 has killed certain fonts on PCs where it has been installed, rendering many of them unusable, and causing problems for designers and businesses who rely on using the types in their work.

Intended to cover a weakness in the OpenType Compact Font Format (CFF) driver, the update was marked “high priority” but many users have uninstalled it because it causes many fonts to stop working.

A commenter on design blog GraphicsUnleashed explained the damage it was causing his/her business:

CorelDraw is screwed, Quark is screwed, WE ARE SCREWED. We have client jobs that we cannot work on thanks to this update.

Uninstalling the patch restores fonts, but this presumably leaves users open to the security risks that Microsoft was trying to fight. A second commenter mused on the danger that Microsoft was trying to patch:

I have thousands of fonts and have yet to see (or hear) of one that would trigger the security problems supposedly resolved by this update. If there is truly such a huge security risk, Microsoft needs to find a way to close the security hole without causing so many valid fonts to stop working.

We’ve asked Microsoft for a comment, but have yet to receive a reply. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/17/windows_security_update_kills_fonts/

McAfee warns of Project Blitzkrieg hack attack on US banks

Security firm McAfee warns that there is a credible threat of a coordinated Spring offensive against at least 30 US banks next year by Eastern European fraudsters.

Talk of Project Blitzkrieg started after a message in September on a hacking board from a user identifying himself as vorVzakone, who was looking for recruits for a campaign against US banks, credit unions, and investment houses. The poster claims to have made $5m from a similar job in 2008 and posted malware screenshots of the code to be used.

It had been suspected that the vorVzakone character was in fact a sting by the Russian security services. But McAfee Labs, after studying the information posted and cross-referencing it with its own malware logs, suspects the threat may be real and more widespread than first thought, and that Fidelity, E*Trade, Charles Schwab, PayPal, Citibank, Wachovia, Wells Fargo, Capital One, and others are at risk.

The McAfee team thinks the malware package being used is a variant of a four-year-old family of trojans dubbed Gozi. A new version, dubbed Gozi Prinimalka and said to have a payload more advanced than Zeus or other banking-optimized malware, has been quietly spreading in targeted attacks, with varying degrees of success.

“Not only did we find evidence validating the existence of an early pilot campaign operated by vorVzakone and his group using the Trojan Prinimalka that infected at a minimum 300 to 500 victims across the United States, but we were also able to track additional campaigns as a result of the forum posting,” wrote the report’s author Ryan Sherstobitoff, a threats researcher with McAfee Labs.

“Some recent reports argue that vorVzakone has called off this attack because it has been made public. Yet it is possible that the publicity may merely drive his activities deeper underground.”

The command and control servers used in the previous Prinimalka attacks are largely found in Romania, Russia, and the Ukraine, with an outpost in The Netherlands. Sherstobitoff said that the fact that new Prinimalka command and control servers are now starting to pop up outside these zones suggests that there are new recruits to the plan, and he warns security teams to be ready and alert.

“These campaigns will not initially target hundreds or thousands of victims; rather they will stay under the radar by attacking selected groups,” he said.

“This strategy is necessary if the attackers hope to succeed in transferring several million dollars over the course of the project. A limited number of infections reduces the malware’s footprint and makes it hard for network defenses to detect its activities.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/15/mcafee_bank_attack_trojan/

Dutch script kiddie pwns 20,000 Twitter profiles

A Dutch teenager successfully hijacked 20,000 Twitter profiles to post a message dissing their owners for being slack with security.

Damien Reijnaers (@DamiaanR), 16, also induced his victims into tipping their hat to him, in the same update, for pointing out the error of their ways. He pulled off the trick by getting victims to sign up to a supposed profile comparison tool for daters called Pas jij bij mij? (Do you belong to me?). Users who linked his app to their Twitter accounts were asked to grant the application permission to post updates.

The small print (as shown in Twitter’s illustration of Twitpic’s permissions screen) isn’t even that small…

This ability was explained in the not-so-small print Twitter requires when users authorise a third-party application – something the victims apparently failed to heed, according to Dutch media reports. RTL Nieuws adds that Reijnaers previously uncovered a Facebook security flaw three years ago, aged only 13.

The update (example here), posted on Thursday morning, said:

Hoe slecht gaan mensen met hun twitter account om… groetjes, Damiaan Reijnaers. @NUnl @telegraaf @tweakers @nos @geen_stijl @volkskrant

This translates to “How badly people treat their Twitter accounts… Regards, Damien Reijnaers.”

A quick search reveals that several hundred Twitter profiles, at least, were induced to make the update.

The prank does illustrate a wider privacy problem in both social media and mobile apps. Many request permissions they don’t strictly need to perform their core functionality and these permissions can be abused, threatening user privacy in the process.

This is a difficult problem to solve because users simply don’t have the time to pore through the often verbose, complicated terms and conditions or terms of use statements attached to applications. Simple summaries in plain English (or Dutch) may help, but many users are likely to ignore even these. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/14/twitter_hijack_prank/

Microsoft: IE mouse tracking vuln no big deal. Sort of…

Microsoft has dismissed allegations that Internet Explorer can allow attackers to track the position of the user’s mouse cursor, arguing that the original report was self-serving and that the observed behavior does not represent a credible threat.

“From what we know now, the underlying issue has more to do with competition between analytics companies than consumer safety or privacy,” Dean Hachamovitch, corporate VP of Microsoft’s Internet Explorer group, said in a blog post.

On Wednesday, web analytics company Spider.io disclosed a method by which hackers can use just a few lines of JavaScript code to monitor and record the position of the user’s cursor whenever IE is running, even when the browser window is inactive or minimized.

The company said the alleged vulnerability is present in IE versions 6 through 10, and that although it had disclosed the threat privately to the Microsoft Security Research Center, Redmond had said it had “no immediate plans” to issue a patch.

“The vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month,” Spider.io said.

But on Thursday, Hachamovitch argued that Spider.io was only concerned about what these web analytics companies were allegedly doing because Spider.io is itself a web analytics company, and that its complaints, purportedly on behalf of users, were really motivated by commercial concerns.

“The only reported active use of this behavior involves competitors to Spider.io providing analytics,” Hachamovitch wrote.

In its initial report, Spider.io claimed that by recording the movement of a user’s mouse cursor on the screen, attackers could potentially monitor what users type into onscreen keyboards and virtual keypads, allowing them to record passwords and other sensitive data.

Unlikely, Hachamovitch said.

“Getting all the pieces to line up in order to take advantage of this behavior – serving an ad to a site that asks for a logon, the user using an on screen (or virtual) keyboard, knowing how that onscreen keyboard works – is hard to imagine,” he wrote. “From our conversations with security researchers across the industry, we see very little risk to consumers at this time.”

In a separate blog post on Friday, Spider.io said, “We do not feel at all comfortable participating in this public debate.” But they went ahead anyway.

“According to existing privacy standards, it is not ok for a browser to leak your mouse co-ordinates outside of the particular browser window,” company reps wrote. “Should Microsoft fix this bug? This is a matter for the public to decide – in particular, it’s a matter for the privacy experts.”

Curiously enough, however, the second paragraph of Hachamovitch’s blog post begins with a rather germane sentence: “We are actively working to adjust this behavior in IE.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/14/ie_mouse_tracking_rebuffed/

The 30-year-old prank that became the first computer virus

To the author of Elk Cloner, the first computer virus to be released outside of the lab, it’s sad that, 30 years after the self-replicating code’s appearance, the industry has yet to come up with a secure operating system.

When Rich Skrenta created Elk Cloner as a prank in February 1982, he was a 15-year-old high school student with a precocious ability in programming and an overwhelming interest in computers. The boot sector virus was written for Apple II systems, the dominant home computers of the time, and infected floppy discs.

If an Apple II booted from an infected floppy disk, Elk Cloner became resident in the computer’s memory. Uninfected discs inserted into the same computer were given a dose of the malware just as soon as a user keyed in the command catalog for a list of files.

Infected computers would display a short poem, also written by Skrenta, on every fiftieth boot from an infected disk:

Elk Cloner: The program with a personality

It will get on all your disks
It will infiltrate your chips
Yes it’s Cloner!

It will stick to you like glue
It will modify ram too
Send in the Cloner!

Elk Cloner, which played other, more subtle tricks every five boots, caused no real harm but managed to spread widely. Computer viruses had been created before, but Skrenta’s prank app was the first to spread in the wild, outside the computer system or network on which it was created.

Rich Skrenta today

“I was a geek and a computer nerd, interested in all aspects of technology,” he says. “I wanted to build a robot but there was no kit available and I had no mechanical skills. At elementary school, I used to experiment with vacuum tube radios but the slightest mistake during construction meant they didn’t work. I didn’t even find it easy putting together railway sets.”

“With programming I discovered a way to mimic things I saw in the movies,” Skrenta says, noting that some of his favourite films at the time were 2001: A Space Odyssey and Colossus: The Forbin Project.

“The physical stuff was frustrating by comparison,” he added.

Skrenta received an Apple II Computer as a Christmas gift in 1980. “It took over my life. I spent every waking hour immersed in computer games and programming.”

Skrenta wrote his own text-based adventure game, the opening of which placed the gamer into the role of a survivor of an airliner crash. This taught him to program in Basic and he later picked up assembly language skills.

The Apple II came with two floppy disk drives, and enthusiasts shared software and games through computer clubs. Software piracy was rife, and Skrenta was right in the middle of the scene.

“I was a member of a computer club in Pittsburgh. I used to copy software and share it with friends. There was a thriving pirate software market and people used to exchange games and software on floppy discs,” he explains.

It was this that got him thinking about how he could use this mechanism to play tricks on his pals. He sometimes altered the floppy discs he shared with friends so that they would display on-screen messages or shut down their computer.

Booby trap

“I decided to booby trap new games to put up a message,” he recalls. “I gave a floppy to one of the guys at the computer club, and it worked. At the time I thought it was hysterically funny.

“I did a couple more pranks before people wouldn’t let me touch their discs any more.”

This got him thinking: could he alter the contents of a floppy disc without touching it? His experiments led him to develop a program that would run in the background, checking for the presence of a new disk and, if it found one, modify files stored on the disk.

The result of this work was a program that, in effect, was coded to hop from disk to disk, propagating itself from machine to machine. The first virus, Elk Cloner, was born.

“Tech books on hacking the Apple II covered system entry points, such as turning on the disc drive motor. One of the core applications, System Monitor, had holes in it. Elk Cloner used those holes.”

Floppy target: Brain A was the first Windows virus

Source: Mykko Hypponen, F-Secure

Elk Cloner took about two weeks to write in assembly language, Skrenta recalls. And if its mode of operation sounds simple, making it actually happen was quite a technical challenge. His earlier adventure game took longer but was more creative, like making a puzzle.

“It worked like a charm and spread all over the place,” Skrenta remembers with a chuckle. His cousins in Baltimore and – years later, he discovered – a friend in the US Navy were among those whose computers caught the virus.

Not that there weren’t ways of avoiding infection.

“Elk Cloner created a rattling noise when the program started. If a disc was infected you could hear it. If you inserted an infected disc in an Apple II you can hear the head swoosh sound, an audible signature.

“It would infect a new disc if the machine wasn’t rebooted. If an Apple II was rebooted every time, Elk Cloner wouldn’t have spread. But, given people’s computer habits, it spread like crazy,” Skrenta explained.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/14/first_virus_elk_cloner_creator_interviewed/

UK.gov backs away from ISP level filtering plan to protect kids

The government has decided to stop short of forcing telcos to filter websites at a network level, after discovering that there wasn’t a major “appetite” for such a system among parents who want to prevent their kids from accessing supposedly inappropriate material online.

Instead, Whitehall wants the ISP industry to advise and steer its customers towards making an “active choice” about the kind of content they want their children to see on websites by offering software that blocks out, for example, pornography and self-harming sites.

The government made the apparent climbdown in response [PDF] to a 10-week public consultation process that was ironically blighted by website problems that followed a serious privacy gaffe by the Department for Education, which led to it being found to have breached the Data Protection Act by the Information Commissioner’s Office.

Prime Minister David Cameron had previously indicated that he wanted telcos to follow the lead of TalkTalk, which was the first big name ISP to introduce network-level filtering of websites for its customers.

The government said today:

It is… clear that in accepting that responsibility, parents want to be in control, and that it would be easier for them to use the online safety tools available to them if they could learn more about those tools.

They also want information about internet safety risks and what to do about them. There was no great appetite among parents for the introduction of default filtering of the internet by their ISP: only 35 percent of the parents who responded favoured that approach. There were even smaller proportions of parents who favoured an approach which simply asked them what they would like their children to access on the internet, with no default settings (13 percent) or a system that combines the latter approach with default filtering (15 percent).

In effect, the government’s three propositions for how parents might police their kids’ access to the internet were pooh-poohed by those responding to the consultation paper.

The government continued:

Although there was only minority support among parents for the three options consulted on, the government does not believe parents are uninterested in their children’s safety online: the very high percentages of parents who think they have the responsibility for their children’s safety suggests otherwise.

However, the offer to parents should be reformulated in a way that ensures that children can be given the levels of protection their parents think is appropriate for them, reduces the risk of uninterested parents avoiding online safety issues, and does not impose a solution on adult users or non-parents.

As recently as last month, the Daily Mail – which has led a huge campaign against online smut even as it continues to titillate its readers with tons of women in bikinis – suggested that Cameron was about to call for a tightening up of parental controls online. That report cited Downing Street sources.

It’s now unclear if that story was absolute poppycock or if No 10 had a last-minute change of heart based on the tepid responses it received from the public consultation.

Either way, the Internet Service Providers’ Association (ISPA) welcomed the move.

“Online safety is a shared responsibility between parents and the wider industry, including ISPs, manufacturers and retailers, via providing easy to use tools, advice and information,” the lobby group’s secretary general Nick Lansman told The Register.

“ISPA will be working further with government and others on next steps.”

ISPs will be expected to urge their customers to switch on parental controls, the government said, where children are in the household and using the interwebs.

It noted that the big four telcos in Blighty – BT, BSkyB, TalkTalk and Virgin Media – had already done a great deal with so-called “active choice” by offering a range of tools to their subscribers.

Whitehall said:

The government is urging providers to go one step further and configure their systems to actively encourage parents, whether they are new or existing customers, to switch on parental controls. The government believes providers should automatically prompt parents to tailor filters to suit their child’s needs e.g. by preventing access to harmful and inappropriate content.

However – for now at least – the decision to effectively censor such material from the prying eyes of youngsters is left squarely at the door of parents. Telcos will not be forced to police such filtering of content.

Meanwhile, the government is asking ISPs “to put in place appropriate measures to check that the person setting up the parental controls is over the age of 18.”

It also called on the tech industry as well as retailers to “develop universally-available family friendly internet access which is easy to use.” Downing Street is hoping that supplying devices with such tools will become standard.

Whitehall said:

Government will not prescribe detailed solutions, but we will expect industry to adapt the principles of this approach to their services, systems and devices so that their customers, and particularly parents and children, have highly-effective, easy to use and free tools that facilitate children’s safety online.

In April this year, the telco industry lambasted an independent Parliamentary inquiry into online child safety that was chaired by Tory MP Claire Perry by saying that its recommendations were unworkable.

That report had recommended that “ISPs should be tasked with rolling out single account network filters for domestic broadband customers that can provide one-click filtering for all devices connected to a home internet connection within 12 months”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/14/government_response_to_consultation_on_online_parental_controls/

Suspected fake internet cop trio collared by real cops

UK cops have arrested three people in Staffordshire on suspicion of running a ransomware scam that fooled victims into paying £100 fines.

A 34-year-old man and a 30-year-old woman from Stoke-on-Trent were cuffed on suspicion of conspiracy to defraud, money laundering and possession of items for use in fraud. A 26-year-old man from Stoke-on-Trent was arrested on suspicion of conspiracy to defraud. All three were taken in for questioning at a Staffordshire police station.

Ransomware usually works by preventing an infected computer from starting up or by encrypting the PC’s documents. Punters have to pay a non-trivial amount to the fraudster who planted the malware to regain control of their machine and files.

In this case, it’s alleged the ransomware was used to halt the computer and display a bogus warning from the Metropolitan Police Service accusing the user of committing offences online. The “splash” screen for the software would claim the plod had monitored the victim’s activities on the internet. The mark would then have to pay a penalty of £100 to unlock the machine.

In reality, police in the UK don’t levy on-the-spot fines via downloaded software, but that hasn’t stopped miscreants from developing strains of ransomware that try to pull off this type of con. A screenshot of a typical notice generated by bogus police ransomware can be found in this write-up of the Reveton Trojan by Trend Micro.

Ransomware scams have become increasingly prevalent in recent months, and that may have sparked this latest investigation by officers from the Met’s Police Central e-Crime Unit (PCeU).

PCeU detectives based in London and the outfit’s North West hub, along with officers from Staffordshire Police, searched three addresses on 11 December before arresting the trio.

In a statement, Detective Inspector Jason Tunn, from the PCeU, said: “The arrests show we are determined to combat this type of crime. I remind all computer users that police do not use such a method to impose or enforce fines, so if you are confronted by such a page do not enter any of your details.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/14/ransomware_suspects_cuffed/

UK cops: How we sniffed out convicted AnonOps admin ‘Nerdo’

Analysis of IRC logs and open source intelligence played a key role in the successful police prosecution that led to the conviction of a member of Anonymous for conspiracy to launch denial of service attacks against PayPal and other firms.

Christopher “Nerdo” Weatherhead, 22, was convicted on one count of conspiracy to impair the operation of computers following a guilty verdict by a jury at Southwark Crown court last week.

Weatherhead, 22, was studying at Northampton University when he allegedly took part in “Operation Payback”, the DDoS campaign launched by the hacktivists in defence of whistle-blowing site WikiLeaks. Targets included the entertainment industry and later financial services firms that had suspended payment processing of donations to WikiLeaks after it controversially published leaked US diplomatic cables in late 2010.

Ashley Rhodes, 27, from Camberwell, south London; Peter Gibson, 24, from Hartlepool; and an 18-year-old male had already pleaded guilty to the same charge, relating to offences that took place between August 2010 and January 2011.

Payback’s a bitch

Sandip Patel, prosecuting, said that attacks by various Anonymous hacktivists had cost PayPal £3.5m ($5.5m) and forced it to call in 100 staff from parent firm eBay in order to keep its website up and running over the course of a series of DDoS assaults that spanned several weeks.

The attacks were launched using the Low Orbit Ion Cannon (LOIC) packet-flooding tool widely used by Anonymous at the time. LOIC spills the IP addresses of those taking part in attacks. However, it was evidence from the IRC channels where the hacktivists hung out and planned attacks that proved more important to the police investigation.

Operation Payback attacks began against firms known to oppose copyright piracy (such as those of the Ministry of Sound nightclub, the British Recorded Music Industry and the International Federation of the Phonographic Industry) before the hacktivists switched targets to concentrate packet-slamming assaults on payment-processing firms including PayPal and MasterCard – which had angered Anonymous by choking off a source of income to WikiLeaks.

Sniffing around in AnonOps’ channel

Weatherhead (Nerdo) was a network administrator and among a small group of leaders on an AnonOps IRC channel that became the focus of a police investigation, spearheaded by members of Scotland Yard’s Police Central eCrime Unit.

Former Detective Constable Trevor Dickey, who has left the Met and found work in the private sector since the successful conclusion of the investigation, explained: “In a nutshell we identified Weatherhead via the IRC network.”

“We identified their IRC channels and captured several weeks of chat. During that time we looked at the status of NICs such as admins and operators,” he added.

“We then did some keyword searching and spent a lot of time looking social leakage. Combining all these elements we then identified the NICs of interest and did open source research on them. Weatherhead was easy to identify as he had been using the NIC of ‘Nerdo’ for quite some time,” he concluded.

Ray Massie, a self-employed computer forensic and open-source training consultant who served as a detective sergeant with the Met Police and led the investigation, explained that UK police decided to target the administrators of Anonymous-run channels, focusing on instigators of attacks rather than Anonymous “foot soldiers” otherwise involved in DDoS assaults. This is in contrast to US law enforcement clampdowns, which also targeted simple participants in hacktivist actions who had played no part in selecting targets or planning attacks.

“We went after organisers and facilitators rather than foot soldiers. US authorities went after a mix,” Massie explained.

The police operation began in October 2010 with attacks on the Ministry of Sound and the BPI. “It was quickly clear that Anonymous was running similar attacks against different anti-piracy organisations in the USA, Germany, France, Spain and elsewhere. They would select a target, post the name of a target online along with dates and times of an attack and, in some cases, a countdown clock. Everything was signposted from IRC channels.”

Massie explained that over time, hacktivists made more use of Facebook and Twitter but this was mainly for promotion and propaganda. “Would-be participants were directed to IRC channels, where plans were all laid out,” he said. Links posted on IRC offered advice on how to use LOIC (the favoured DDoS attack tool of Anonymous at the time), how to cover their tracks, and other hacker trade-craft tips.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/14/uk_anon_investigation/

Dexter malware targets point of sale systems worldwide

You could be getting more than you bargained for when you swipe your credit card this holiday shopping season, thanks to new malware that can skim credit card info from compromised point-of-sale (POS) systems.

First spotted by security firm Seculert, the malware dubbed “Dexter” is believed to have infected hundreds of POS systems in 40 countries worldwide in recent months. Companies targeted include retailers, hotel chains, restaurants, and private parking providers.

The US, the UK, and Canada top the list of countries where the malicious app has been found, accounting for 30 per cent, 19 per cent, and 9 per cent of the total number of affected systems, respectively.

This certainly isn’t the first time cybercrooks have targeted POS systems. In fact, such attacks are becoming increasingly common – which is no surprise, given how lucrative they can be.

In September, four Romanian hackers pled guilty to charges that they hacked into the POS systems of 150 Subway sandwich shops in the US. Their scheme reportedly lasted two years, during which time they were able to make off with more than $10m in fraudulent charges and funds transfers from stolen payment cards.

What sets Dexter apart from earlier incidents, however, is its relative sophistication.

Most hacks targeting POS systems – the Romanian job included – are essentially spyware attacks in which crooks use Remote Desktop exploits or other means to grab screenshots of the affected systems. In essence, the thieves are simply reading credit card information off the POS screens.

Dexter, on the other hand, uses a more subtle approach – and a more thorough one. Once the malware is installed on a POS system, it grabs the machine’s list of active processes and sends them to a command-and-control server – a highly unusual step for POS malware, according to security researchers at Trustwave.

If the server determines that any of the programs currently running on the machine correspond to known POS software, it orders Dexter to dump the memory of those processes, parse them for payment card–related data, and upload that data to the server, so that criminals can use it to clone the cards.

That much we know. What isn’t known is just how Dexter finds its way onto POS terminals to begin with. According to Seculert, about 30 per cent of the POS systems targeted were running Windows Server, which makes it unlikely that the malware was installed using typical social-engineering or drive-by web download methods.

Still, if you do encounter unrecognized charges on your credit card bill in the coming months, now you know what to tell the bank when you call to dispute the transactions: “It wasn’t me. It was that POS system that swiped my card!” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/12/14/dexter_malware_targets_pos_systems/