Target Breach: 8 Facts On Memory-Scraping Malware
9 Notorious Hackers Of 2013
(click image for larger view and for slideshow)What is memory-scraping malware, and how can it be stopped?
Malware that attacks the RAM inside point-of-sale (POS) devices -- the fancy name for digital cash registers used by everyone from retailers and restaurants to hoteliers and hospitals -- leapt into the spotlight this week after it was tied to the recent breach of Target, and by extension, breaches involving Neiman Marcus and other as-yet-unnamed retailers.
"There was malware installed on our POS registers; that much we have established," Target chief executive Gregg Steinhafel said Sunday in an interview with CNBC, referring to a breach that began on November 28 and lasted until December 15. That breach resulted in up to 110 million people having their credit card information or personal details compromised. A related investigation remains underway.
In the wake of Target's admission, here's what businesses and their customers should know about RAM-scraping malware and how to stop it.
1. Memory-scraping malware isn't new. Memory-scraping attacks date from at least 2011, when security researchers first spotted an advanced version of the Trackr (a.k.a. Alina) malware, which can be controlled via a botnet. "One of the earliest serious POS RAM scraper attacks that we observed was back in November 2011 when we found that a university and several hotels had their PoS systems compromised," said Numaan Huq, a security researcher at SophosLabs Canada, in a July 2013 blog post. "Later we saw varied targets, including an auto dealership in Australia infected with Trackr."
Retailers aren't the only organizations vulnerable to having their POS systems targeted by memory-scraping malware. "Although retailers can be affected by these kinds of things, there have been food service companies, healthcare, hotels and tourism companies being targeted by RAM scraping in the past," said security researcher Graham Cluley, speaking by phone.
But the Target breach appears to set a new high in terms of the number of records that the attackers were able to successfully compromise. "Because of the scale of the Target breach, this is probably one of the biggest incidents, if not the biggest incident, that has occurred," Cluley said.
[For more on the expanding Target data breach, see Neiman Marcus, Target Data Breaches: 8 Facts.]
2. POS malware routes around encryption. Memory-scraping malware is typically designed to target Track 1 and Track 2 data -- including a cardholder's name, card number, expiration date, and the card's three-digit security code (a.k.a. CVV or CVC) -- at the place where it's most vulnerable to being intercepted: in memory, where it's in plaintext format.
"There is that opportunity to steal the credit card information when it is in memory, perhaps even before your payment has even been authorized, and the data hasn't even been written to the hard drive yet," said Cluley. "In some ways, it's understandable that the bad guys did this because the Payment Card Industry Data Security Standards -- PCI DSS -- tell retailers that if you write this [card] information to a hard disk or any other type of media it has to be strongly encrypted so nothing can grab it, and if you transmit it must be strongly encrypted, so nothing can intercept it in transit."
3. Security wrinkle: plaintext realities. Unfortunately, it's not feasible to encrypt data in POS system memory. "No matter how strong your encryption is, if the system needs to process data or process the code, everything needs to be decrypted in memory," explained Chris Elisan, principal malware scientist at security firm RSA, a division of EMC, speaking by phone.
Furthermore, RAM-scraping malware is purpose-built to act only when that information capture or decryption occurs. "Let's say it wants to steal credit card numbers," Elisan said. "The moment it sees new data being loaded into memory -- the moment it sees 16 characters with a zero or special character at the end, indicating that it's a card number -- it would just intercept that."
1 of 2
Comment |
Print |
More Insights
Comments
Oldest First | Newest First | Threaded View
Another reason...
...to pay with cash. I wonder what the relative risk of being robbed is compared to the risk of being hacked.
Re: Another reason...
Indeed. The convenience factor of using a debit/credit card would also be offset by having to carefully review one's statement online every 24-48 hours for signs of abuse.
Re: Another reason...
Interesting concept. Paying with cash would make these POS machines obsolete however hackers would probably focus their efforts on financial institutions and hack you that way. I say that in jest as cards are not going away anytime soon but you make a good point.
Interesting concept. Paying with cash would make these POS machines obsolete however hackers would probably focus their efforts on financial institutions and hack you that way. I say that in jest as cards are not going away anytime soon but you make a good point.
Target Breach
I posted this against another article, but I think it's important enough to repeat here.
Before the hackers damage another retailer, let me suggest a way of preventing this happening again. The benefit of this solution, originall designed for internet purchasing, is that it saves the credit card companies from having to invest in expensive EMV cards and, as a side benefit, a lost or stolen card will be useless to the thief. Also, very little modification needs to be made to the POS terminal. Further, the customer never sends his credit card details to the retailer, and the retailer's transaction records contain no usable information.
1. Remove all data from the credit card and its magnetic stripe, except for a simple User ID and, perhaps, the expiry date.
2. The credit card company installs a fraudproof authentication system, as described in www.designsim.com.au/What_is_SteelPlatez.ppsx, in its data centre.
3. The customer and retailer have accounts on the authentication system.
4. When the customer needs to make a purchase, he logs in to the authentication system belonging to the appropriate credit card company, giving his user ID and the amount of the purchase.
5. The retailer also logs in to the system, giving his merchant number, or User ID, and the customer's User ID (taken from the POS in use)
6. The credit card company knows the user's card number, so if he's been authenticated, it checks for a match with the retailer's submission.
7. If there's a match, it performs the usual checks for limits, expiry etc, issues an approval, pays the retailer etc.
Simple
Before the hackers damage another retailer, let me suggest a way of preventing this happening again. The benefit of this solution, originall designed for internet purchasing, is that it saves the credit card companies from having to invest in expensive EMV cards and, as a side benefit, a lost or stolen card will be useless to the thief. Also, very little modification needs to be made to the POS terminal. Further, the customer never sends his credit card details to the retailer, and the retailer's transaction records contain no usable information.
1. Remove all data from the credit card and its magnetic stripe, except for a simple User ID and, perhaps, the expiry date.
2. The credit card company installs a fraudproof authentication system, as described in www.designsim.com.au/What_is_SteelPlatez.ppsx, in its data centre.
3. The customer and retailer have accounts on the authentication system.
4. When the customer needs to make a purchase, he logs in to the authentication system belonging to the appropriate credit card company, giving his user ID and the amount of the purchase.
5. The retailer also logs in to the system, giving his merchant number, or User ID, and the customer's User ID (taken from the POS in use)
6. The credit card company knows the user's card number, so if he's been authenticated, it checks for a match with the retailer's submission.
7. If there's a match, it performs the usual checks for limits, expiry etc, issues an approval, pays the retailer etc.
Simple
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
1 Comments
Slideshows
Twitter Feed
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1375
Published: 2015-01-28
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.
CVE-2015-1376pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.
Published: 2015-01-28
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.
CVE-2015-1419pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.
Published: 2015-01-28
Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.
CVE-2014-5211Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.
Published: 2015-01-27
Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.
CVE-2014-8154Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.
Published: 2015-01-27
The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overf...
The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overf...
Due to hack, Sony requests financial filing extensionMarriott Customers’ Personal Details Exposed by Simple Web FlawHow Do We De-Criminalize Security Research? AKA What’s Next for the CFAA?Highly critical “Ghost” allowing code execution affects most Linux systemsSomeone just hijacked Taylor Swift's Twitter and Instagram accounts
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.
- Featured UBM Tech Sites
- InformationWeek |
- Network Computing |
- Dr. Dobbs |
- Dark Reading
- Our Markets:
- Business Technology |
- Electronics |
- Game & App Development
- Working With Us:
- Advertising Contacts |
- Event Calendar |
- Tech Marketing Solutions |
- Corporate Site |
- Contact Us / Feedback
Tweet This