RAM Scrapers and Other Point-of-Sale Malware

January 28, 2014

While the breach itself seemed only to impact those of us in the United States, chances are you’re aware that the American retail giant Target suffered an enormous data breach late last year. The credit card information of some 40 million consumers as well as the personal information of an additional 70 million was exposed during the breach that lasted nearly a month – spanning the better part of the holiday shopping season – and affecting nearly every physical Target location in the U.S.

You would think that in order to steal the credit card data of hundreds of millions of Target shoppers, the attackers would necessarily need to have compromised some payment processor or Target’s corporate servers, stealing all the data en masse from one central location. For sure, this would be a good way to go about stealing massive troves of payment data from a retail giant, but, intriguingly, this is not what appears to have happened in the case of Target.

In fact, Target’s payment processor or payment processing system had very little to do with the breach. Whoever is responsible for the attack deployed a special kind of malware that basically targets card readers and cash registers – also known as point-of-sale (PoS) malware.

To be perfectly clear, the attackers most definitely hooked into Target’s corporate payment servers in some way. The problem with that, though, is that by the time the card data makes it to those servers the information has already been encrypted. There is, however, a brief period when that information must be decrypted to plain text for payment authorization purposes. At that time, the cash register itself – or a nearby server, depending on the system – stores the plain-text payment data in its random access memory (RAM).

This is where PoS malware comes in. PoS malware is custom made to scrape this decrypted RAM data and exfiltrate payment information like card numbers, user names, addresses, security codes, and all the other track one and track two payment card data. This broad class of malware, known as RAM scrapers, has been around for at least the last six years or so.
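The defensive counterpart to what the paragraph above describes is checking whether a PoS process ever holds plain-text track data in memory at all, which is what a PCI assessor or an incident responder does when triaging a memory image. The following is an added example, not code from the original article or from any vendor: it scans a byte buffer for the track one and track two layouts defined in ISO/IEC 7813, discards candidates whose account number fails the Luhn check, and reports only masked numbers. The buffer, the process name and the card numbers (standard industry test numbers, not real accounts) are all constructed for the example.

```python
import re

# Constructed sample: a fake snapshot of a PoS process's memory. Two records
# are laid out as magnetic-stripe track 1 and track 2 data; a third looks like
# track 2 but its account number does not pass the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v2.1\x00"                             # fake process banner
    b"%B4111111111111111^DOE/JANE^25121010000000000000?"   # track 1 (test PAN)
    b"\x00\x00\x00"
    b";5555555555554444=2512101123456789?"                # track 2 (test PAN)
    b"\x00log: auth ok\x00"
    b";1234567890123456=2512101?"                         # track 2 shape, bad Luhn
    b"\x00"
)

# Track 1: start sentinel '%', format code 'B', PAN, '^', name, '^', YYMM expiry,
# service code and discretionary data, end sentinel '?'.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})\d*\?")
# Track 2: start sentinel ';', PAN, '=', YYMM expiry, remaining digits, '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as PCI DSS display rules allow."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Scan a memory buffer and return masked findings for each plausible track record."""
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            findings.append({"track": 1, "offset": m.start(),
                             "pan": mask_pan(pan), "expiry": m.group(3).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            findings.append({"track": 2, "offset": m.start(),
                             "pan": mask_pan(pan), "expiry": m.group(2).decode()})
    findings.sort(key=lambda f: f["offset"])
    return findings


if __name__ == "__main__":
    for f in find_track_data(SAMPLE_MEMORY):
        print(f"track {f['track']} at offset {f['offset']}: "
              f"PAN {f['pan']} exp {f['expiry']}")
```

The Luhn filter is what separates a useful scan from a noisy one: sixteen-digit runs are common in memory (timestamps, counters, hashes), and only about one in ten of them passes the check by chance, so the check removes most false positives before a human looks at the output. Run against a real process image, any hit means the application retained cleartext track data at that point, which is exactly the exposure window the article describes.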

In the case of Target, it’s likely that the attackers pushed their PoS malware from a centrally located and connected server or machine out to the point-of-sale terminals or servers on which the authorization process takes place. Otherwise they would have had to install their RAM scraper on every single PoS terminal at every single Target location, which, to say the least, is highly unlikely.

A Seculert researcher examining the incident indicated that the attackers compromised Target’s point-of-sale infrastructure through an infected machine on Target’s network. From there, they reportedly installed a variation of the popular BlackPOS malware, which can be purchased fairly easily in online criminal hacking forums (assuming you know where to look).

According to an advisory issued by a coalition that includes the Department of Homeland Security, the United States Secret Service, the National Cybersecurity and Communications Integration Center, the Financial Sector Information Sharing and Analysis Center, and iSIGHT Partners, BlackPOS is a particularly easy find because its source code was recently made public.

BlackPOS, though, is not the only sort of PoS malware, and Target is by no means the only retailer facing this threat. In fact, the high-end department store Neiman Marcus and the craft retailer Michaels have announced that they too were the victims of a similar attack. Some have suggested that all three breaches are related, but such claims are speculative at best.

The coalition’s advisory warns that PoS malware is on the verge of an explosion. Many of the new samples – they claim – will be simple modifications of existing banking trojans like Zeus. As PoS malware becomes increasingly available to criminals and visible to law enforcement, the makers of RAM scrapers (like the makers of banking trojans before them) will begin designing harder-to-detect private trojans for individual sale.

The DHS and company have noticed an uptick in advertisements (across a number of different languages) for PoS malware in freelance developer forums. In other words, criminals are posting what amounts to classified advertisements offering to pay freelance developers to build RAM scrapers for them. They claim that a similar increase in PoS malware occurred in 2010. In the beginning of that year, outsourced PoS malware projects were valued between $425 and $2,500. By the end of 2010, the going rate rose to more than $6,500 as interest in the malware continued to grow.

Furthermore, they believe that the spread of PoS malware will be enabled by existing credential-stealing trojans with openly accessible source code that can be easily modified to perform RAM scraping.

“Leaked source code of credential theft malware could provide a starting block for actors who do not have the skill to create an entirely new type of malware from scratch, or for actors seeking to leverage previous work to optimize the efficiency of their scheme,” the advisory reads. “Such lowered barriers to market entry could lead to more types of POS malware offered for sale and therefore eventually lead to cheaper prices and larger user bases.”

This is key. For nearly every facet of cybercrime there exists this paradigm. At first, attacks are novel, hard to perform, and hard to replicate. Eventually these attacks become easier, which gives less skilled attackers the ability to perform them. Beyond that even, skilled attackers start to build easily usable attack kits, which open up cybercrime to nearly anyone with a keyboard and a bad attitude.

This is another situation where there isn’t a whole lot you can do. You obviously can’t walk into your grocery store and replace all the hopelessly vulnerable Windows XP machines that likely manage their PoS infrastructure with a more modern and secure operating system. There is also little you can do to ensure that retailers are following best practices or making sure that every machine on their network is secure.

Another issue is that there are probably a lot of breaches we’ll never hear about, whether because the victim company is dishonest or just misinformed (as in, they are refusing to admit or don’t realize a breach has occurred). In the case of Target, though, they came forward pretty quickly and they came forward pretty cleanly. Most banks posted notices on their websites warning consumers of the risk, which gave us all the opportunity to monitor our accounts and replace our potentially compromised cards. That’s essentially all you can do: read the news, watch your account balance, and get new cards should the need arise.