Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Target Breach: 8 Facts On Memory-Scraping Malware

Target confirmed that malware compromised its point-of-sale systems. How does such malware work, and how can businesses prevent infections?

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(click image for larger view and for slideshow)

What is memory-scraping malware, and how can it be stopped?

Malware that attacks the RAM inside point-of-sale (POS) devices -- the fancy name for digital cash registers used by everyone from retailers and restaurants to hoteliers and hospitals -- leapt into the spotlight this week after it was tied to the recent breach of Target, and by extension, breaches involving Neiman Marcus and other as-yet-unnamed retailers.

"There was malware installed on our POS registers; that much we have established," Target chief executive Gregg Steinhafel said Sunday in an interview with CNBC, referring to a breach that began on November 28 and lasted until December 15. That breach resulted in up to 110 million people having their credit card information or personal details compromised. A related investigation remains underway.

In the wake of Target's admission, here's what businesses and their customers should know about RAM-scraping malware and how to stop it.

1. Memory-scraping malware isn't new. Memory-scraping attacks date from at least 2011, when security researchers first spotted an advanced version of the Trackr (a.k.a. Alina) malware, which can be controlled via a botnet. "One of the earliest serious POS RAM scraper attacks that we observed was back in November 2011 when we found that a university and several hotels had their PoS systems compromised," said Numaan Huq, a security researcher at SophosLabs Canada, in a July 2013 blog post. "Later we saw varied targets, including an auto dealership in Australia infected with Trackr."

Retailers aren't the only organizations vulnerable to having their POS systems targeted by memory-scraping malware. "Although retailers can be affected by these kinds of things, there have been food service companies, healthcare, hotels and tourism companies being targeted by RAM scraping in the past," said security researcher Graham Cluley, speaking by phone.

But the Target breach appears to set a new high in terms of the number of records that the attackers were able to successfully compromise. "Because of the scale of the Target breach, this is probably one of the biggest incidents, if not the biggest incident, that has occurred," Cluley said.

[For more on the expanding Target data breach, see Neiman Marcus, Target Data Breaches: 8 Facts.]

2. POS malware routes around encryption. Memory-scraping malware is typically designed to target Track 1 and Track 2 data -- including a cardholder's name, card number, expiration date, and the card's three-digit security code (a.k.a. CVV or CVC) -- at the place where it's most vulnerable to being intercepted: in memory, where it's in plaintext format.

"There is that opportunity to steal the credit card information when it is in memory, perhaps even before your payment has even been authorized, and the data hasn't even been written to the hard drive yet," said Cluley. "In some ways, it's understandable that the bad guys did this because the Payment Card Industry Data Security Standards -- PCI DSS -- tell retailers that if you write this [card] information to a hard disk or any other type of media it has to be strongly encrypted so nothing can grab it, and if you transmit it must be strongly encrypted, so nothing can intercept it in transit."

3. Security wrinkle: plaintext realities. Unfortunately, it's not feasible to encrypt data in POS system memory. "No matter how strong your encryption is, if the system needs to process data or process the code, everything needs to be decrypted in memory," explained Chris Elisan, principal malware scientist at security firm RSA, a division of EMC, speaking by phone.

Furthermore, RAM-scraping malware is purpose-built to act only when that information capture or decryption occurs. "Let's say it wants to steal credit card numbers," Elisan said. "The moment it sees new data being loaded into memory -- the moment it sees 16 characters with a zero or special character at the end, indicating that it's a card number -- it would just intercept that."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarkSitkowski
50%
50%
MarkSitkowski,
User Rank: Moderator
1/16/2014 | 6:28:29 PM
Target Breach
I posted this against another article, but I think it's important enough to repeat here.

Before the hackers damage another retailer, let me suggest a way of preventing this happening again. The benefit of this solution, originall designed for internet purchasing, is that it saves the credit card companies from having to invest in expensive EMV cards and, as a side benefit, a lost or stolen card will be useless to the thief. Also, very little modification needs to be made to the POS terminal. Further, the customer never sends his credit card details to the retailer, and the retailer's transaction records contain no usable information.
1. Remove all data from the credit card and its magnetic stripe, except for a simple User ID and, perhaps, the expiry date.
2. The credit card company installs a fraudproof authentication system, as described in www.designsim.com.au/What_is_SteelPlatez.ppsx, in its data centre.
3. The customer and retailer have accounts on the authentication system.
4. When the customer needs to make a purchase, he logs in to the authentication system belonging to the appropriate credit card company, giving his user ID and the amount of the purchase.
5. The retailer also logs in to the system, giving his merchant number, or User ID, and the customer's User ID (taken from the POS in use)
6. The credit card company knows the user's card number, so if he's been authenticated, it checks for a match with the retailer's submission.
7. If there's a match, it performs the usual checks for limits, expiry etc, issues an approval, pays the retailer etc.
Simple
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
1/15/2014 | 7:30:13 PM
Re: Another reason...
 

Interesting concept. Paying with cash would make these POS machines obsolete however hackers would probably focus their efforts on financial institutions and hack you that way. I say that in jest as cards are not going away anytime soon but you make a good point.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
1/15/2014 | 7:11:53 AM
Re: Another reason...
Indeed. The convenience factor of using a debit/credit card would also be offset by having to carefully review one's statement online every 24-48 hours for signs of abuse.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
1/14/2014 | 8:18:24 PM
Another reason...
...to pay with cash. I wonder what the relative risk of being robbed is compared to the risk of being hacked.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...