The POS Malware Epidemic: The Most Dangerous Vulnerabilities and Malware

Point-of-sale (POS) malware is an information security ailment that, in less than seven years, reached colossal proportions and became more damaging to organizations than almost any other threat. Although it is less sophisticated than malware like banking Trojans, it can be hugely destructive for the following reasons:

It directly affects many of a brand’s customers.
It becomes public immediately after being discovered, usually by someone outside the victim organization.
Its collateral damage involves customers, issuers, card associations and the victim’s own service providers (insurance, anyone?).

I would have collected some information about how much these card breaches cost the victim organizations, but after we all witnessed the Target breach — its detrimental financial results in both hard and soft costs, its damage to the brand and its executive team and the never-ending legal mess it is still struggling to resolve — I think we all get the point.

What Target fell victim to, as did many other retailers and card processors that suffered a POS malware attack, is the work of cybercriminals and organized cyber gangs going after card data from customer transactions. The end goal is to steal the data and then use the card information for fraudulent purchases.

POS malware is actually a generic name for a growing number of Trojan families designed to scrape the memory of point-of-sale systems. It looks for, grabs and exfiltrates credit and debit card data from the endpoints that process and store it.

The notion of stealing payment card and PIN data is not new. Criminals have always found card data highly lucrative and still use a number of real-world crimes to skim data at ATMs and card readers. They also try to compromise POS equipment installed at brick-and-mortar retailers so that the data is stolen and streamed to them. Some criminals have attempted to sniff data sent over Wi-Fi to back-of-the-house servers, but at the end of the day, all of those physical scenarios demand deeper knowledge to tamper with the equipment and typically involve an insider.

It is easy to see why POS malware is lucrative: it is considered a much safer and simpler way for cybercriminals to get their hands on large numbers of live payment cards without ever showing their faces on security cameras.

What Does POS Malware Do?

Interestingly enough, POS Trojans all essentially work the same way. They are called RAM scrapers because they scan certain parts of POS system memory, find card data there and send it to their botmaster.

Once a card transaction goes through on the POS terminal side, the card's data is almost instantly stored on the endpoints the retailer has in place. In most cases that stored data is encrypted, which is also a compliance requirement for merchants (PCI DSS requires stored cardholder data to be rendered unreadable). But while encryption protects the data at rest and on the wire, there is a split second in which it is still unencrypted: it sits in plaintext in the payment application's process memory while the application waits for authorization to complete.

That split second is the tiny window of opportunity POS Trojans use to attack. They scan the RAM looking for card data and then scrape it from there, hence the name “RAM scrapers.”

On the technical level, POS RAM scrapers retrieve a list of running processes on the endpoint that handles the data, read each process's memory and then search it for card data to grab. On Windows this typically means enumerating processes and reading their memory through the same operating system APIs a debugger uses, so no vulnerability in the payment application itself has to be exploited. How did they figure out that they should attack at the RAM level? Most application vendors do not encrypt data in memory and for years considered RAM to be safe. Today, RAM scrapers are generally injected into running processes, or read those processes' memory from outside, and can intercept sensitive data from memory in an instant.

The malware scrapes the Track 1 and Track 2 data encoded on the card's magnetic stripe. This data is valuable because it includes the cardholder's name, the primary account number (PAN), the expiration date and the service code (which governs what kinds of charges are permitted), plus the card verification value encoded on the stripe itself (CVV1, as distinct from the CVV2 printed on the card) in the discretionary data. Together that is enough to clone a working magnetic-stripe card. Once they have the data, the Trojan is configured either to send it out at a predetermined time, so as to appear as inconspicuous as possible, or to let the criminals exfiltrate it on demand. Past attacks have shown that the cybercriminals prefer sending the data to an intermediate location first and collecting it from there, most likely to put distance between themselves and a potential law enforcement investigation. This method was used in the Target breach, and it is also used by more recent POS malware operations, in some cases sending the data to a number of places at the same time.
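To make the scraping step concrete, here is an added example (not code from the original article or from any POS malware family) of the core search that both the RAM scrapers described above and a memory-scanning detection tool perform: sweep a byte buffer for the ISO 7813 track layouts (Track 1 starts with `%B` and separates fields with `^`; Track 2 starts with `;` and separates with `=`; both end with `?`) and apply the Luhn check to discard false positives. The buffer is a constructed stand-in for a snapshot of a payment process's memory, and the PANs are well-known test numbers, not real cards. A real scraper would obtain the bytes by reading another process's memory through OS APIs; the scanning logic is the same.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what a RAM scraper sees when it reads a payment
# process's memory: track data sitting in plaintext among unrelated bytes.
# The PANs are standard test numbers, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00POS-App v2.1 auth pending\x00\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000000?"  # Track 1, Luhn-valid
    b"\x00\x10\x20zz"
    b";5500000000000004=2512101000000000?"               # Track 2, Luhn-valid
    b"\x00noise;4111111111111112=2512101000000000?"      # Track 2, fails Luhn
    b"\x00\x00"
)

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,40})\?")


@dataclass
class TrackHit:
    track: int
    pan: str
    name: Optional[str]   # only Track 1 carries the cardholder name
    expiry: str           # YYMM
    service_code: str
    offset: int           # byte offset in the scanned buffer
    luhn_ok: bool


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; scrapers use it to throw away false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_memory(buf: bytes) -> List[TrackHit]:
    """Sweep a memory buffer for magnetic-stripe track data, as a RAM scraper does."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append(TrackHit(1, pan, m.group(2).decode(errors="replace"),
                             m.group(3).decode(), m.group(4).decode(),
                             m.start(), luhn_ok(pan)))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append(TrackHit(2, pan, None, m.group(2).decode(),
                             m.group(3).decode(), m.start(), luhn_ok(pan)))
    return sorted(hits, key=lambda h: h.offset)


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four digits, the form a detection alert should log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for h in scan_memory(SAMPLE_MEMORY):
        verdict = "valid" if h.luhn_ok else "rejected (Luhn)"
        print(f"track {h.track} @0x{h.offset:04x} {mask_pan(h.pan)} "
              f"exp {h.expiry} svc {h.service_code} {verdict}")
```

Run against the constructed buffer, the scan reports the Track 1 record and the first Track 2 record as valid and rejects the third record on the Luhn test. The same routine pointed at a live process's memory is the basis of a RAM-scraper detection: if plaintext track data is findable by a regex in a POS process, it is findable by the malware too, and that is the window point-to-point encryption at the card reader is meant to close.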

Sitting stealthily on POS terminals or on the servers that store transaction data, these Trojans can amass large numbers of cards and transmit them to the attackers and, unless detected, cause more damage with every passing hour.
