Attacks/Breaches
1/14/2014
01:05 PM
50%
50%

Target Breach: 8 Facts On Memory-Scraping Malware

Target confirmed that malware compromised its point-of-sale systems. How does such malware work, and how can businesses prevent infections?

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(click image for larger view and for slideshow)

What is memory-scraping malware, and how can it be stopped?

Malware that attacks the RAM inside point-of-sale (POS) devices -- the fancy name for digital cash registers used by everyone from retailers and restaurants to hoteliers and hospitals -- leapt into the spotlight this week after it was tied to the recent breach of Target, and by extension, breaches involving Neiman Marcus and other as-yet-unnamed retailers.

"There was malware installed on our POS registers; that much we have established," Target chief executive Gregg Steinhafel said Sunday in an interview with CNBC, referring to a breach that began on November 28 and lasted until December 15. That breach resulted in up to 110 million people having their credit card information or personal details compromised. A related investigation remains underway.

In the wake of Target's admission, here's what businesses and their customers should know about RAM-scraping malware and how to stop it.

1. Memory-scraping malware isn't new. Memory-scraping attacks date from at least 2011, when security researchers first spotted an advanced version of the Trackr (a.k.a. Alina) malware, which can be controlled via a botnet. "One of the earliest serious POS RAM scraper attacks that we observed was back in November 2011 when we found that a university and several hotels had their PoS systems compromised," said Numaan Huq, a security researcher at SophosLabs Canada, in a July 2013 blog post. "Later we saw varied targets, including an auto dealership in Australia infected with Trackr."

Retailers aren't the only organizations vulnerable to having their POS systems targeted by memory-scraping malware. "Although retailers can be affected by these kinds of things, there have been food service companies, healthcare, hotels and tourism companies being targeted by RAM scraping in the past," said security researcher Graham Cluley, speaking by phone.

But the Target breach appears to set a new high in terms of the number of records that the attackers were able to successfully compromise. "Because of the scale of the Target breach, this is probably one of the biggest incidents, if not the biggest incident, that has occurred," Cluley said.

[For more on the expanding Target data breach, see Neiman Marcus, Target Data Breaches: 8 Facts.]

2. POS malware routes around encryption. Memory-scraping malware is typically designed to target Track 1 and Track 2 data -- including a cardholder's name, card number, expiration date, and the card's three-digit security code (a.k.a. CVV or CVC) -- at the place where it's most vulnerable to being intercepted: in memory, where it's in plaintext format.

"There is that opportunity to steal the credit card information when it is in memory, perhaps even before your payment has even been authorized, and the data hasn't even been written to the hard drive yet," said Cluley. "In some ways, it's understandable that the bad guys did this because the Payment Card Industry Data Security Standards -- PCI DSS -- tell retailers that if you write this [card] information to a hard disk or any other type of media it has to be strongly encrypted so nothing can grab it, and if you transmit it must be strongly encrypted, so nothing can intercept it in transit."

3. Security wrinkle: plaintext realities. Unfortunately, it's not feasible to encrypt data in POS system memory. "No matter how strong your encryption is, if the system needs to process data or process the code, everything needs to be decrypted in memory," explained Chris Elisan, principal malware scientist at security firm RSA, a division of EMC, speaking by phone.

Furthermore, RAM-scraping malware is purpose-built to act only when that information capture or decryption occurs. "Let's say it wants to steal credit card numbers," Elisan said. "The moment it sees new data being loaded into memory -- the moment it sees 16 characters with a zero or special character at the end, indicating that it's a card number -- it would just intercept that."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MarkSitkowski
50%
50%
MarkSitkowski,
User Rank: Moderator
1/16/2014 | 6:28:29 PM
Target Breach
I posted this against another article, but I think it's important enough to repeat here.

Before the hackers damage another retailer, let me suggest a way of preventing this happening again. The benefit of this solution, originall designed for internet purchasing, is that it saves the credit card companies from having to invest in expensive EMV cards and, as a side benefit, a lost or stolen card will be useless to the thief. Also, very little modification needs to be made to the POS terminal. Further, the customer never sends his credit card details to the retailer, and the retailer's transaction records contain no usable information.
1. Remove all data from the credit card and its magnetic stripe, except for a simple User ID and, perhaps, the expiry date.
2. The credit card company installs a fraudproof authentication system, as described in www.designsim.com.au/What_is_SteelPlatez.ppsx, in its data centre.
3. The customer and retailer have accounts on the authentication system.
4. When the customer needs to make a purchase, he logs in to the authentication system belonging to the appropriate credit card company, giving his user ID and the amount of the purchase.
5. The retailer also logs in to the system, giving his merchant number, or User ID, and the customer's User ID (taken from the POS in use)
6. The credit card company knows the user's card number, so if he's been authenticated, it checks for a match with the retailer's submission.
7. If there's a match, it performs the usual checks for limits, expiry etc, issues an approval, pays the retailer etc.
Simple
PaulS681
50%
50%
PaulS681,
User Rank: Apprentice
1/15/2014 | 7:30:13 PM
Re: Another reason...
 

Interesting concept. Paying with cash would make these POS machines obsolete however hackers would probably focus their efforts on financial institutions and hack you that way. I say that in jest as cards are not going away anytime soon but you make a good point.
Mathew
50%
50%
Mathew,
User Rank: Apprentice
1/15/2014 | 7:11:53 AM
Re: Another reason...
Indeed. The convenience factor of using a debit/credit card would also be offset by having to carefully review one's statement online every 24-48 hours for signs of abuse.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
1/14/2014 | 8:18:24 PM
Another reason...
...to pay with cash. I wonder what the relative risk of being robbed is compared to the risk of being hacked.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?