With big international retailers from Target to Home Depot falling victim to attacks with increasing regularity, it's clear that having your financial information stolen and sold online is a less a matter of if, but when. You can only avoid using plastic for so long.
Partly to blame for this recent rash of attacks is a relatively new type of malware created to steal credit card data and other information from the computers you swipe your credit card through at restaurants, big box retailers and more. It relies on a technique called Point of Sale (PoS) RAM scraping, which exploits the tendency for many retail computers to store unencrypted credit card information in memory before it is transferred someplace more secure.
This is the same technique that was used last year to hack big box retailer Target, and more recently in the hack of Home Depot's US and Canadian stores.
A new report from security software company Trend Micro explored the rapidly growing market for PoS RAM scraping malware, which has proven especially popular amongst criminals this year.
According to Numaan Huq, a senior threat researcher with Trend Micro's Forward-Looking Threat Research Team, and author of the report, basic malware designed to scrape credit card data from a PoS system's RAM was first spotted in October 2008, but of the six new RAM scraping variants discovered in 2014, four were discovered between June and August alone.
PoS RAM scraping malware works something like this: First, an attacker will gain access to a point of sale system—either by remotely exploiting computer vulnerabilities, using phishing or social engineering techniques, abusing default passwords and lax security practices, or by having a person with privileged access on the inside. Then the machine is infected with malware designed to scrape credit card data from the source.
When a customer swipes his or her card, "All of the credit card data is temporarily stored in plain text in the RAM of merchants' PoS systems during processing," according to Huq. RAM scraping malware searches the computer's memory for markers that more or less say "Credit Card Data Here." Naturally, some malware is more effective at this than others, and more recent variants do much more.
What sort of data can be scraped from RAM? Huq explained that the magnetic stripe used in a typical debit or credit card has three tracks that can store data.
Credit and debit cards use track one and track two, while track three remains blank. These tracks store the card's primary account number, the cardholder's name, the expiry date, the brand of credit card or issue and other values that verify the legitimacy of a card.
Because all of this data is temporarily stored in PoS RAM, thieves are able to steal mostly-complete sets of card data without going through the trouble of rigging up a traditional card skimmer.
It's enough data for a criminal to create an almost perfect counterfeit card, but not all. What's missing from this data by design are the three or four digit verification numbers printed on the back of payment cards, which are typically used to verify "card not present" payments made online or over the phone. While the lack of such numbers does limit how cloned cards can be used, it's not a complete solution.
In theory, the Payment Card Industry (PCI) has a set of 12 major Data Security Standards (DSS) that are intended to reduce the likelihood of such breaches or hacks. The standards outline basic stuff such as installing firewalls, limiting physical access to payment systems, and changing default passwords and security systems. But it's up to merchants and vendors to make sure that these are actually enforced, and according to Huq, not everyone follows the rules.
As a result, PoS RAM scraping malware has been allowed to flourish, and Huq has watched the capability of these attacks improve in interesting ways. Some now have the ability to receive remote control and instructions (almost like a botnet of PoS machines) and have kill switch functionality to avoid detection.
One piece of software called Alina was described as being actively developed, with deployed instances of the software receiving regular remote updates, and can reinstall itself every time the system reboots.
Other tools, such as VSkimmer, have an easy-to-configure "builder interface" that makes it easy for an inexperienced attacker to generate a customized executable with ease. Another named Dexter will even install keyloggers and exfiltrate other information stored on the PoS system itself, while Soraya can capture all form data sent via a web browser.
PoS RAM scraping malware has been allowed to flourish
The most well known, however, is probably BlackPOS, which was used against US retailer Target between November 27 and December 15, 2003 to steal the payment card data of 70 million customers. Brian Krebs reported that an updated version of BlackPOS was also used in the Home Depot breach.
But perhaps most interesting is how the exfiltration of stolen data has evolved. Scraped data is typically written to a text file, sometimes validated offline to ensure that legit credit card data has been obtained, and then eventually exfiltrated from the machine, either by someone physically returning to the infected computer, or by sending the data remotely to a server or email address.
While the former was common in the earlier days of RAM scraping malware, according to Huq, the latter is now preferred. Some tools now encrypt exfiltrated data, too. One PoS scraper called ChewBacca even uses Tor to exfiltrate data.
Trend Micro's research paper is a good primer for anyone curious about how the payment process works when you buy something at retailers of different sizes, and how these attacks might evolve in the future.
Some have theorized that attacks similar to the one on Target will be rendered moot once US retailers move to chip-and-pin payment cards, for example, where track one and track two data is stored in a PIN-protected chip instead of a magnetic stripe.
But Huq points out that,even if it is harder to manufacture counterfeit chip-and-pin-cards, this data can still be scraped from memory too. Rather, it's up to retailers, as ever, to up their security game.