Urgent Visa Data Security Alert


An urgent security alert has been issued for Visa Point-of-Sale Systems. All Versitouch customers whose POS systems are connected to the internet should refer to the following information to secure their systems against the Dexter malware threat.

PCI Stakeholder:

Visa received recent reports of malicious software called “Dexter” that compromises merchants and their Point of Sale (POS) systems to steal full magnetic stripe or “track” data from memory and communicates and/or sends the data to Dexter Command and Control (C&C) domains and IP addresses. Based on Visa’s research, it appears Dexter only infects Microsoft Windows systems. In partnership with external stakeholders, Visa identified the malicious domains and IPs included in the list below:


Recommended Mitigation Strategy

It is recommended that clients, merchants, and agents review this list of malicious domains and IP addresses to monitor and block them from their firewall rule sets. Prior to blocking IPs and domains, Visa also recommends that entities perform due diligence and ensure that blocking will not cause connectivity issues for legitimate access.
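
One way to run the monitoring and due-diligence check described above, added here as an example and not part of Visa's alert: scan existing DNS and firewall logs for traffic to the alert's indicators, so that hosts already contacting them are identified and any legitimate dependency is found before blocking. The log format, function names, and indicator values are constructed placeholders; substitute the alert's domains and IPs.

```python
import ipaddress
import re

# Constructed placeholder indicators (reserved .example / TEST-NET values);
# substitute the domains and IPs from the alert you are acting on.
BLOCKED_DOMAINS = {"c2-placeholder-one.example", "c2-placeholder-two.example"}
BLOCKED_IPS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("198.51.100.7")}

# Constructed log format (an assumption): key=value pairs, one event per line.
SAMPLE_LOG = """\
2024-01-01T09:01:11 src=10.1.5.21 type=dns query=updates.vendor.example.
2024-01-01T09:01:12 src=10.1.5.22 type=dns query=C2-Placeholder-One.example.
2024-01-01T09:01:15 src=10.1.5.22 type=conn dst=192.0.2.10 dport=80
2024-01-01T09:02:40 src=10.1.5.30 type=dns query=notc2-placeholder-one.example
2024-01-01T09:03:02 src=10.1.5.31 type=dns query=gw.c2-placeholder-two.example
2024-01-01T09:03:09 src=10.1.5.31 type=conn dst=not-an-ip dport=443
""".splitlines()

FIELD = re.compile(r"(\w+)=(\S+)")

def domain_blocked(name, blocked=BLOCKED_DOMAINS):
    """True for a blocked domain or any subdomain of one; lookalike suffixes do not match."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def ip_blocked(text, blocked=BLOCKED_IPS):
    """True if text parses as an IP address on the blocklist; malformed values are ignored."""
    try:
        return ipaddress.ip_address(text) in blocked
    except ValueError:
        return False

def find_hits(lines):
    """Return (line_number, source_host, indicator) for every event touching the blocklist."""
    hits = []
    for number, line in enumerate(lines, start=1):
        fields = dict(FIELD.findall(line))
        if "query" in fields and domain_blocked(fields["query"]):
            hits.append((number, fields.get("src"), fields["query"].rstrip(".").lower()))
        elif "dst" in fields and ip_blocked(fields["dst"]):
            hits.append((number, fields.get("src"), fields["dst"]))
    return hits

def hosts_to_investigate(lines):
    """Source hosts with at least one hit: candidates for isolation or a legitimate-use check."""
    return sorted({src for _, src, _ in find_hits(lines)})

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Matching on whole DNS labels catches subdomains of a blocked domain without flagging unrelated names that merely end in the same characters.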

In addition to blocking the malicious IPs and domains, Visa clients, merchants, and agents should review the security controls listed below and implement where appropriate. While these essential security practices do mitigate critical vulnerabilities, there are many factors that may affect an actual implementation. These measures alone may not be appropriate or sufficient depending on the implementation of an entity’s IT infrastructure and its business needs.

1. Ensure POS systems are up-to-date with security patches and anti-virus signature files
2. Implement file integrity monitoring (FIM) and network-based intrusion detection on POS systems and related networks to detect abnormal behavior
3. Ensure the networks where POS systems reside are properly segmented from nonpayment network
4. Implement logging and monitor logs for abnormal behavior

If malicious software is detected, entities should:
• Take the system offline to prevent propagation
• If the POS system is infected, remove it from network and consider using dial-up temporarily until entity believes the environment has been contained
• If not already completed, block the malicious IPs and domains on the firewall
• Notify your acquirer
• Refer to What To Do If Compromised available on www.visa.com/cisp (under If Compromised)

This information is provided to build awareness of data security and industry best practices, and payment system participants should ensure that they are aware of these vulnerabilities and should take steps, where appropriate, to mitigate risk. It is important that all payment system participants continue to be diligent and maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS) at all times.

To date, Visa has not seen any active investigations involving this specific Dexter malware. However, this information is to help educate their merchants and agents and guard against potential compromise.