Dexter payment card malware strikes South Africa

By Leo Kelion
Technology reporter

South Africa has been hit by one of the biggest cyber-fraud attacks in its history, according to the body that oversees local financial transactions.

The payment card systems of thousands of shops, restaurants and hotels had been compromised, said the Payment Association of South Africa (Pasa).

Losses were thought to be in the "tens of millions, but not hundreds of millions of rands", it said.

It added the attackers had used a new variant of the malware known as Dexter.

Ten million rand is worth £626,000 or just over $1m.

Dexter gets its name from a string of code found in one of its files, which may refer to the US television show that followed the exploits of a serial killer.

The Dexter code was linked to a series of attacks on point-of-sale systems in the UK, US and dozens of other countries towards the end of last year.

It skims and transmits the cards' magnetic-strip information, allowing clones to be made that can then be used for fraudulent purchases.

Pasa said it believed the criminals responsible were based in Europe, but added it was not sure from which countries.

Copied magstrips

"It's probably the worst [attack] of its kind in terms of the losses," Walter Volker, Pasa's chief executive, told the BBC.

"We started detecting higher levels of fraud at some of these retailers early in the year - from about late-January, February. We initially thought it was a normal seasonal thing, but as the volumes increased we decided to appoint a forensics investigation company.

"Eventually it was able to find this particular malware in some of the locations. Very soon after we found the cause of the compromise, we were able to clean up those sites with anti-malware software."

Mr Volker added that while the attack had targeted back-end systems to steal data from the cards' magstrips, it had not stolen Pin codes or CVV payment authentication numbers - meaning the thieves would not have been able to withdraw money from bank cash machines or use the information to make purchases from internet shops.

"Normal anti-virus software would probably have cleaned up Dexter but it was a particular custom-built variant, which was not detectable with the normal scanning software that everybody's got," Mr Volker added.

"It seems like it was a European-based syndicate - we don't know exactly where - but Interpol and Europol are making good progress in trying to apprehend these particular perpetrators."

KFC fast-food restaurants' card systems were among those to have been compromised, according to a statement given by the chain's owner to the Bloomberg news agency.

"We take this extremely seriously," Yum Brands said. "Our first priority is to make sure that the impact on our customers remains minimal."

Bloomberg added that a locally based burger and pizza chain operator, Famous Brands, had also confirmed some of its payment machines had been exposed.

However, Pasa stressed that it would ultimately be the banks - rather than the public or other businesses - that would face losses as a consequence of the attack.

"In terms of the banks, there's probably not a single issuing bank in the country that has not been affected in some way," said Mr Volker.

"The South African card holders - or potentially tourists using their cards at the affected sites - will not be exposed to any losses. It's just the inconvenience of detecting false transactions on their accounts.

"If that has happened they should just contact their issuing bank."
