RAM scraping for credit card data

On Thursday last week, Sears made an SEC filing disclosing an attack on Kmart customers’ credit card data. Kmart joins a growing number of high-profile brands attacked recently – Target, Supervalu, Neiman Marcus and Home Depot. RAM scraping is the technique used in all of these attacks. The fallout is generally calamitous – for example, Target’s profit decreased by 46% and they are to spend $100m upgrading their payment terminals (which still may not solve the RAM scraping problem). This year alone, these attacks have resulted in the theft of data from well over 100 million credit cards.

RAM scraping is like mind reading. The malware hooks into the payment card processing application and reads the memory associated with its process, looking for data that matches the credit card format. It is the current weapon of choice for cyber attacks on retail and hospitality organisations.

Memory-parsing, or RAM scraping, first came to attention as an attack vector against Point of Sale (PoS) devices when Visa warned of the threat back in 2008. Examples of RAM scraping malware include Dexter, Soraya, ChewBacca, BlackPOS, BrutPOS, Backoff, Decebal, and JackPOS. Once criminals gain access to the target’s network (often through a spear phishing attack), they are able to install RAM scraping malware remotely and mass-distribute it to PoS endpoints within the network.

The capabilities of RAM scraping malware include:
– Detection avoidance. Like a fugitive running along a riverbed, RAM scraping malware covers its tracks using random filenames, and uninstalls to remove traces of the attack.
– Exfiltration of data to remote servers using protocols such as FTP or HTTP. The Chewbacca RAM scraper uses Tor for exfiltration to avoid detection of the server location.
– Encryption of the data before exfiltration.
– Ability to receive commands from a botnet command-and-control (C&C) server.
– Some RAM scrapers also have keystroke logging capability.

The definitive guide to the workings of RAM scrapers is this Trend Micro paper.

Relying upon signature-based detection technology such as that contained in conventional anti-virus is clearly ineffective protection against this threat. In all of the retail chains attacked this year, AV was present but failed to protect. The RAM scraping malware on Kmart’s PoS devices operated undetected from the beginning of September. How many other organisations currently have RAM scraping malware extracting credit card data from their PoS devices without being aware of it? PCI-DSS compliance, which specifies end-to-end encryption of data, offers little comfort, as RAM scrapers are able to harvest the data in the instant before it is encrypted, while it exists in memory in plaintext.
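Two of the points above can be checked from the defender’s side: a scraper only needs to pattern-match process memory, and the plaintext window before encryption is what it feeds on. The following is an added example, not code from this post or from SentryBay: an audit routine that scans a region of memory (for instance a dump of your own test PoS process, taken in a lab) for Luhn-valid card numbers and track 2 data, and a swipe handler that zeroes its plaintext buffer as soon as the encryption routine has consumed it, shrinking that window. The sample memory region, the regular expressions, the `handle_swipe` and `find_card_data` names and the stand-in `encrypt` callback are all constructed for the example; the card numbers are the public Visa and Mastercard test numbers.

```python
"""Audit check: does a memory region hold plaintext card data, and does the
application clear it promptly?  Example code, constructed for illustration."""
import re

# Track 2 data as it comes off a swipe: ;PAN=YYMM<service code>...?
# (regular expression constructed for the example)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\??")
# A bare PAN of 13-19 digits that is not part of a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn check-digit test; screens out ordinary digit runs (order IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30                       # ASCII digit -> integer value
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_data(region: bytes) -> dict:
    """Map byte offset -> 'track2' or 'pan' for each Luhn-valid number in region."""
    hits = {}
    for m in PAN_RE.finditer(region):
        if luhn_ok(m.group(1)):
            hits[m.start(1)] = "pan"
    for m in TRACK2_RE.finditer(region):
        if luhn_ok(m.group(1)):
            hits[m.start(1)] = "track2"     # full track data outranks a bare PAN
    return hits


def handle_swipe(track2: bytearray, encrypt) -> bytes:
    """Hand the swipe to the encryption routine, then zero the plaintext in place.

    This narrows the plaintext-in-memory window the post describes.  Caveat:
    Python cannot wipe immutable bytes objects or interpreter temporaries, so
    the wipe here is illustrative; a real PoS application must apply the same
    discipline to every buffer that touched the plaintext.
    """
    ciphertext = encrypt(bytes(track2))
    for i in range(len(track2)):
        track2[i] = 0
    return ciphertext


# Constructed sample "heap": a non-Luhn order number, a test PAN (4111... is
# the public Visa test number) and track 2 data for the Mastercard test number.
SAMPLE_REGION = (
    b"Order#1234567890123456 total=19.99 "
    b"cardholder PAN=4111111111111111 "
    b";5555555555554444=2512101?"
    b"\x00\x00"
)


def demo():
    """Scan the sample region, then show that a wiped swipe buffer yields no hits."""
    before = find_card_data(SAMPLE_REGION)
    buf = bytearray(b";5555555555554444=2512101?")
    handle_swipe(buf, lambda pt: bytes(len(pt)))   # stand-in for real encryption
    after = find_card_data(bytes(buf))
    return before, after


if __name__ == "__main__":
    found, remaining = demo()
    print("plaintext card data at offsets:", found)   # {50: 'pan', 68: 'track2'}
    print("after wipe:", remaining)                   # {}
```

The Luhn filter matters in practice: a process’s memory is full of 13-to-19-digit runs (timestamps, order and serial numbers) and without it the audit reports nothing but noise. Run the scan against a memory dump of your own application in a test environment with test card numbers only; a hit after the transaction has completed shows a buffer the application forgot to clear.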

Retail chains should seriously consider taking their PoS device protection to the next level. Credit card data needs to be protected even if malware is present on the device. SentryBay’s technology, which protects data from the moment it is entered at the keyboard by obfuscating it directly at the kernel, can be used to ensure that RAM scrapers are blocked from accessing sensitive data in a retail environment. Credit card data also needs protection from the moment of the card swipe. Until advanced protection mechanisms such as this are implemented, there will be an increasing flow of well-known brands experiencing this pernicious attack, filing ignominious SEC breach reports, and enduring the PR nightmare and loss of profits that follow.

2 thoughts on “RAM scraping for credit card data”

  1. Brent Agar, October 13, 2014 at 11:51 am

    Dave,

    This was an alert provided by Homeland Security. Good reference for description of memory scanning

    https://www.us-cert.gov/ncas/alerts/TA14-002A

    Rgds

    Brent

  2. jfrancisclarke, October 21, 2014 at 12:17 pm

    As a beginning information security student I thoroughly enjoyed this post. Your post emphasizes the need for stronger and more robust retail security.
