Everything you need to know about POS malware

With this year’s dramatic uptick in data breaches targeting retailers and restaurant chains and, more specifically, the payment card data they process every day, it’s safe to say that, for the moment, cyber crooks feel like they have found the goose that lays golden eggs.

Target, PF Chang’s, Home Depot, and likely a host of smaller retailers have been hit by hackers who might or might not be part of the same group, but these breaches all have one thing in common: the attackers used POS RAM scraping malware to collect the card data while it is still in unencrypted form.

The rise of POS RAM scrapers in the form we see today started in late 2011, when the Rdasrv malware became a good alternative to the previously used debugging tools that dumped Tracks 1 and 2 credit card data from RAM.

Only a year later, three new and different POS RAM scrapers had surfaced. In 2014, as many as six new scrapers were detected: JackPOS, Decebel, Soraya, BrutPOS, Backoff, and a new and more effective version of BlackPOS.

Their main goal is to collect the card data and exfiltrate it to a location the attackers control, and they manage to do that while staying under the radar of the compromised companies by combining a number of techniques and features: multiple components; networking, bot and kill-switch functionality; multiple exfiltration techniques; and encryption. The availability of development kits that let anyone build customized binaries to breach victims’ systems is another factor in their success.

Numaan Huq, a senior threat researcher at Trend Micro, has recently finished an extensive report about POS RAM scrapers, in which he documented the past, delved into the present, and made an educated guess about the future of this particular type of malware.

The report should be required reading for anyone tasked with protecting POS systems, as it also explains the infection methods cyber crooks commonly use to spread this type of malware, and gives a good overview of new credit card technologies and changes in the payment processing ecosystem, as well as new developments in cyber crooks’ approach.

Finally, Huq also offers a number of concrete tips – hardware-, software- and policy-based – that should drastically reduce the attack surface and the risks currently faced by any company that handles customers’ payment cards.