The retail and hospitality industries have a painful history with wonky point-of-sale systems and malware known as RAM scrapers. These attacks, which date back as many as six years, are designed to be injected into running processes and steal payment card data before it’s encrypted by a point-of-sale system and the Windows backend servers that manage them.
If the attackers behind the Target and Neiman Marcus breaches, as has been reported, used RAM scrapers as one means of pilfering payment card and personal data on up to 110 million individuals, then be prepared to have RAM scrapers elevated to a whole new realm of awareness and concern.
A Reuters report over the weekend cited sources who said the hackers used memory-parsing software such as a RAM scraper to find and steal data in the format of a card number before it is encrypted on the point-of-sale device. The report also warned that at least three more breaches at large retailers have yet to be reported and could be similarly tied to the Target and Neiman Marcus break-ins, which are quickly becoming among the largest in U.S. history.
It’s unlikely, however, that this was the only tool at the hackers’ disposal, despite an admission yesterday from Target CEO Gregg Steinhafel that malware was found on the retailer’s point of sale systems during a forensic investigation.
“Assuming 100 credit cards per day per terminal and eight terminals per store, that’s 800 cards per day per store. They would have had to compromise 1,666 stores to reach the 40 million number over 30 days,” said crypto expert Nate Lawson, founder of Root Labs, a security consultancy in Oakland. “I don’t know Target’s sales volume, but it seems unlikely that an attacker could get this many card numbers purely through RAM scraping.”
Attacks on point-of-sale systems have been a major threat highlighted in the annual Verizon Data Breach Investigations Report (DBIR), generally because smaller retail organizations are not well resourced to address security properly. Larger organizations such as Target and Neiman Marcus, which are supposed to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS), are another story. The standard requires certain safeguards for point-of-sale systems in addition to mandating how card data is encrypted in transit and storage.
“Credit card data is highly sensitive, so as quickly as possible it needs to be read and encrypted. In order to get in front of the process that secures this data, a memory scraper will look at the process memory on a point of sales device and attempt to carve out the credit card track data from the program that reads it from the magnetic swipe,” said Adam Meyers, VP of Intelligence at CrowdStrike. “This allows an attacker to get the information from the POS before it is scrambled.”
Looking specifically at the Target breach, where it’s been reported that not only were 40 million payment cards stolen but also personal information on 70 million individuals, it’s likely the attackers were on Target’s network for some time and had a pretty broad reach.
“To get scale, obviously you need to install it on many different point-of-sale terminals. So given the size of the Target breach, if that was the primary method the attackers used, they would have had some access to Target’s corporate network to install it on all these different terminals,” said Lawson. “The Target breach is so huge, either the attackers used some kind of bulk method like access to Target’s servers or somewhere else where the credit card data is being stored, or they had broad access to a large number of their point of sale terminals for an ongoing basis.”
Given that point-of-sale systems are generally managed by Windows systems that must be patched, updated and properly configured, an attacker who found a soft spot there could steal credentials and move laterally on a network.
“If the attacker compromises the credentials used to manage these systems, it is easy to push a small piece of code out to every device and scrape the memory for credit card data,” Meyers said.
RAM scrapers are generally injected into running processes and can intercept sensitive data from memory in an instant before it is encrypted. As described in the Verizon DBIR, attackers have had great success finding remote desktop management software exposed online with default or weak credentials to gain access to the backend Windows server. For larger organizations, an attacker could use a phishing email to break through an initial line of defense by either stealing credentials or tricking the victim into installing malware on their machines.
“There are a few groups (five or fewer) of financial criminals that spend a lot of time, energy, and talent going after larger payouts. These groups tend to go after web server vulnerabilities to initially get into the victim’s network,” said Lucas Zaichkowsky, Enterprise Defense Architect at AccessData. “It could be a web server that has nothing to do with taking orders such as the server hosting the company blog. From there, they’ll steal internal user accounts and move from system to system in a relay fashion using built in system commands to get into the POS environment where they can then steal credit card data. One of these groups is most likely responsible for the Target breach.”
Zaichkowsky said he first encountered RAM scraper malware in 2008 investigating a breach at a small restaurant chain. Early attacks used memory dumping software meant for debugging, he said.
“They would call on the memory dumping software every several seconds to create a memory dump file, then run a search through the file to copy out credit card magstripe data. This method was very resource intensive though,” Zaichkowsky said. “Some merchants would notice their system running slowly. Their POS dealer would take a look, see the rogue process hogging resources, and remove the software. The tools eventually evolved into custom made software that did it in a more efficient manner so as not to tip off the victims.”
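The same carving step lets a defender audit a crash dump or log from a lab POS terminal for magstripe data left in cleartext. The following is an added example, not code from the article or from anyone quoted in it. It assumes the ISO/IEC 7813 Track 2 layout; the function names and the sample buffer are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """First six / last four only, so the report itself holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(buf: bytes):
    """Return (offset, masked PAN) for each plausible cleartext Track 2 record."""
    hits = []
    for m in TRACK2.finditer(buf):
        pan, month = m.group(1).decode(), int(m.group(3))
        if 1 <= month <= 12 and luhn_ok(pan):
            hits.append((m.start(), mask(pan)))
    return hits

# Constructed sample standing in for a dump from a lab POS terminal.
# 4111111111111111 is a widely published test number, not a real card.
SAMPLE = (
    b"\x00\x10posapp.exe\x00"
    b";4111111111111111=25121010000000000?\x00\x00"   # valid record
    b";4111111111111112=25121010000000000?\x00"       # fails Luhn
    b";4111111111111111=25131010000000000?\x00"       # month 13
    b"order=1234567890123456\x00"                     # digits, no sentinels
)

if __name__ == "__main__":
    for offset, pan in find_track2(SAMPLE):
        print(f"cleartext track 2 at offset {offset:#x}: {pan}")
```

Any hit in a dump taken after a transaction completes means the application is holding track data in the clear longer than it needs to.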
Getting in is one thing; quietly moving that volume of data out is quite another.
“Think about the size of that data. You’ve got a few gigabytes of data and credit card numbers that someone is transmitting and Target didn’t detect it,” Lawson said. “That’s a pretty large volume of data, especially if it was a single transfer. It’s more likely that it was happening on an ongoing basis. Their network traffic behaviors were likely anomalous.”