PoS RAM scraper malware; past, present and future

From Botnets.fr
Revision as of 18:35, 17 July 2015 by Eric.freyssinet


Title: PoS RAM scraper malware; past, present and future
Botnets: Rdasrv, Alina, VSkimmer, Dexter, BlackPOS, Decebal, JackPOS, Soraya, ChewBacca, BrutPOS, Backoff
Date: 2014
Link: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf
Author: Numaan Huq
Type: White paper


Payment Card Data Theft

Stealing payment card data has become an everyday crime that yields quick monetary gains. The goal is to steal the data stored on the magnetic stripe of payment cards, clone the cards, and run charges on the accounts associated with them. Criminals have been physically skimming payment cards such as debit and credit cards for a while now. The common techniques for skimming payment cards include but are not limited to the following:

  • Making a rub of payment cards
  • Rigging ATMs or gas pumps with fake panels that steal data
  • Modifying stores’ point-of-sale (PoS) terminals
  • Using off-the-shelf hardware keyloggers on cash registers [1]

The techniques mentioned above require physical access to the cards or the devices used to process them. As such, criminals face big risks of getting apprehended. Also, skimmers cannot be readily mass-deployed for maximum effectiveness. Criminals have, therefore, resorted to using malicious software to steal data primarily from credit cards. Such solutions provide them a certain degree of anonymity, are easier to deploy, and are more flexible should they wish to quickly modify their solutions in order to adjust to changing conditions.

This research paper focuses on credit card data theft, which makes up the majority of the payment card data breaches seen to date. The earliest credit-card-data-stealing malware were primarily keyloggers that, in most cases, were installed on victims’ systems as a payload of other malware or through phishing attacks. As effective as keyloggers are, they cannot capture all of the magnetic stripe data on credit cards and therefore yield less data than RAM scraping. Two major developments have been seen in credit-card-data-stealing malware and the criminals who use them:

  • To exponentially increase their payback from stealing credit card data, criminals are now directly targeting the businesses that process credit cards instead of going after individual victims.
  • Criminals are exploiting the fact that credit card magnetic stripe data temporarily resides in plain text in the RAM of PoS devices during processing.

Early Warnings

The earliest evidence of PoS RAM scraping was recorded in a Visa® Data Security Alert issued on 2 October 2008. Before standalone PoS RAM scraper malware were developed, cybercriminals were attempting to install debugging tools on PoS devices in order to dump entire sets of magnetic stripe data. The Visa report revealed that such debugging tools could effectively parse unencrypted sensitive data not written to disk from volatile memory (i.e., RAM). Visa identified that cybercriminals obtained access to PoS devices through insecure remote access or poorly configured networks.

In 2009, Verizon also introduced PoS RAM scrapers, along with victim profiles. Back then, the malware only accounted for 4% of the total number of breaches Verizon investigated. These primarily targeted companies in the retail and hospitality industries. Verizon had a difficult time classifying the attacks because they were new. In this year’s report, the number of PoS-RAM-scraper-related breaches rose to 14% of the total and primarily targeted companies in the accommodation, food services, and retail industries. The United States Computer Emergency Readiness Team (US-CERT) also formally issued an alert on malware targeting PoS devices on 2 January 2014, after targeted attacks against big-name retailers made headlines. The attackers used PoS RAM scrapers to steal credit card data.

Research Overview

This research paper examines the PoS ecosystem. It describes how PoS transactions work from the moment customers swipe their credit cards to when they get charged for their purchases. It describes what types of data reside in the magnetic stripe of payment cards. It looks at the evolution of PoS RAM scrapers—from their humble beginnings to how they have become today’s industrialized threats. It also presents the various PoS RAM scraper infection methods by providing technical overviews of the most prevalent PoS RAM scraper malware families that have affected businesses to date. It details the data exfiltration techniques used by PoS RAM scrapers and examines what happens to the data that cybercriminals exfiltrate. It also attempts to predict future PoS attack vectors. Finally, the paper provides prevention strategies that companies can follow to protect against PoS RAM scrapers.


 @misc{2014BFR1597,
   editor = {},
   author = {Numaan Huq},
   title = {PoS RAM scraper malware; past, present and future},
   date = {28},
   month = May,
   year = {2014},
   howpublished = {\url{http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf}},