    Author Archive - Numaan Huq (Senior Threat Researcher)

    Stealing payment card data has become an everyday crime that yields quick monetary gains. Attackers aim to steal the data stored in the magnetic stripe of payment cards, optionally clone the cards, and run charges on the accounts associated with them. The topic of PoS RAM scraper malware always prompts businesses and retailers to ask two important questions: “How do I protect myself?” and “What new technologies are vendors introducing to protect businesses and consumers?”

    This blog entry seeks to answer these questions by discussing a PoS Defense Model and new technologies that can protect businesses and consumers from PoS RAM attacks.

    PoS Defense Model

    Based on our analysis of the PoS RAM scraper attack chain and PCI-DSS and PA-DSS requirements, we have created a multi-tiered PoS Defense Model that businesses and retailers can implement to defend against PoS RAM scraper malware attacks.

    Figure 1. Multi-tiered PoS Defense Model

    The four layers of the PoS Defense Model are:

    1. Infection Layer – this is the first and most important line of defense against PoS RAM scrapers as it aims to prevent initial infection, or block the malware’s execution before it causes damage.
    2. Lateral Movement Layer – if the infection layer fails to stop the malware, then the next layer of defense aims to identify suspicious or malicious behavior when the malware attempts to spread and blocks it.
    3. Data Collection Layer – PoS RAM scraper attacks might involve other information-stealing components that sniff network traffic, log keystrokes, and steal sensitive files. This layer of defense aims to prevent data theft.
    4. C&C and Data Exfiltration Layer – the stolen credit card data is only valuable after it has been exfiltrated from the victim machine. The final layer of defense aims to prevent the malware from communicating with the C&C servers and prevent exfiltration of stolen data.

    We have identified 26 defensive technologies and strategies that businesses and retailers can implement in their environments to defend against PoS RAM scraper attacks. The following Venn diagram shows these defensive technologies and strategies placed within the PoS Defense Model.

    Figure 2. Defensive technologies and strategies

    Next Generation Payment Technologies

    The new reality is that any Internet-connected device that processes payment card data should be viewed as a data theft target. Buyer security rests on the shoulders of several key players – device manufacturers, service providers, businesses, banks, and even credit card brands. Strong IT defense goes a long way in preventing PoS system breaches but it is not a magic bullet. New secure payment technologies must also be deployed alongside strong IT defenses to protect against PoS RAM scrapers. Two technologies that are being widely deployed are:

    EMV or Chip-and-PIN cards

    Figure 3. Encrypted data stored in chip (outlined in red)

    EuroPay, MasterCard, and Visa (EMV) is the global standard for Integrated Circuit Cards (ICC). EMV cards store encrypted Tracks 1 and 2 data on a chip in the card. This chip stores a cryptogram that allows banks to determine if cards or transactions have been modified. It also stores a counter that gets incremented with each transaction. Duplicate or skipped counter values indicate potential fraudulent activities. The EMV cards interact with PoS terminals that have ICC readers and use the EMV-defined protocol for transactions. Similar to debit cards, cardholders need to input a PIN for authentication before the transaction is processed.

    Encryption plus Tokenization

    PoS RAM scrapers will have nothing to steal if credit card Tracks 1 and 2 data are not present in the PoS system’s RAM. This is the underlying principle behind the new payment processing architectures being developed and deployed today. One implementation combines encryption with tokenization, a process that replaces a high-value credential such as a credit card number with a surrogate value that is used in transactions in its place.

    Figure 4. Process flow for Encryption and Tokenization

    The workflow is as follows:

    1. Customer swipes their credit card at the merchant’s PoS terminal to complete the purchase.
    2. The PoS terminal reads and encrypts the credit card data and transmits it to the Payment Service Provider (PSP) for processing.
    3. The PSP forwards the credit card data to the banks (acquirers & issuers) for authorization.
    4. The PSP uses a tokenization algorithm to replace the actual credit card data with a token.
    5. The generated token and the bank authorization status are sent back to the merchant’s PoS system.
    6. The merchant’s PoS system stores the token instead of the actual credit card data in all places.
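The workflow above, modelled as an added example (this is not the page’s or any vendor’s code): a hypothetical PSP class owns the token vault and does steps 3 to 5, and a hypothetical merchant class does step 6 by keeping only tokens. Step 2’s terminal-side encryption is assumed to happen on the wire and is not modelled; the authorization rule is an assumed stand-in for the acquirer/issuer response.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class PaymentServiceProvider:
    """Hypothetical PSP (assumed name for this example). Holds the token vault;
    the mapping from token back to card number never leaves this object."""
    _vault: Dict[str, str] = field(default_factory=dict)  # token -> PAN

    def _authorize(self, pan: str, amount: float) -> bool:
        # Step 3 stand-in for the acquirer/issuer round trip. Assumed rule:
        # the issuer approves any charge below 1000.00.
        return amount < 1000.00

    def _tokenize(self, pan: str) -> str:
        # Step 4: a random surrogate of the same length that keeps the last
        # four digits (what receipts print). It is random, not derived from
        # the PAN, so a token leaked from the merchant cannot be reversed
        # without this vault. A fresh token is issued per transaction here;
        # a per-card token is another common design choice.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._vault and token != pan:
                self._vault[token] = pan
                return token

    def process(self, pan: str, amount: float) -> Tuple[str, bool]:
        """Steps 3 to 5: authorize, tokenize, return (token, approved)."""
        approved = self._authorize(pan, amount)
        return self._tokenize(pan), approved

    def charge_token(self, token: str, amount: float) -> bool:
        """Later charges (refunds, repeat purchases) arrive by token; the PSP
        resolves it in its own vault and the merchant never sees the PAN."""
        pan = self._vault.get(token)
        return pan is not None and self._authorize(pan, amount)


@dataclass
class MerchantPos:
    """Step 6: the merchant side stores tokens, never the card number."""
    psp: PaymentServiceProvider
    transactions: List[Tuple[str, float, bool]] = field(default_factory=list)

    def sale(self, pan: str, amount: float) -> str:
        # Steps 1 and 2 compressed: the swiped card data is handed to the PSP.
        # Real terminals encrypt at the read head; that transport is assumed.
        token, approved = self.psp.process(pan, amount)
        self.transactions.append((token, amount, approved))
        return token

    def holds_pan(self, pan: str) -> bool:
        """True if the full card number appears anywhere in merchant records."""
        return any(pan == t[0] or pan in t[0] for t in self.transactions)


if __name__ == "__main__":
    # Constructed input: the public Visa test number, not a real account.
    pos = MerchantPos(PaymentServiceProvider())
    tok = pos.sale("4111111111111111", 42.10)
    print("merchant stored:", pos.transactions)
    print("merchant holds PAN:", pos.holds_pan("4111111111111111"))
```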

    The Future for PoS RAM Scraper Attacks

    As PoS RAM scrapers become more prominent threats, big businesses will heavily invest in cybersecurity to prevent attacks against their PoS environments. Attackers will thus refocus on SMBs, as these may not necessarily have the cybersecurity budgets that enterprises have to prevent PoS system breaches. We expect to see more SMBs get compromised, which will collectively be a bigger breach than compromising a few enterprises.

    Rollout of new security measures will significantly change the PoS playing field for attackers. As businesses upgrade to new secure payment systems, attackers will attempt to come up with new strategies against improved systems and environments.

    For an in-depth analysis about protecting your business against the threat of PoS RAM Scraper malware, please read the Trend Micro paper, Defending Against PoS RAM Scrapers – Current and Next-Generation Technologies.


    2014 became the year that placed PoS (point-of-sale) threats in the spotlight. Make no mistake—PoS threats have existed for years. However, the Target data breach last January was the first incident that made the general public notice this threat.

    2014: the Year of PoS Malware

    While the Target breach may have been the first PoS-related incident of 2014, it soon became clear that it wouldn’t be the last. By the end of the third quarter of the year, six new variants of PoS RAM scraper malware were found—the same number of variants found between 2011 and 2013.

    What makes this development more interesting is that these new variants either borrowed the functionality of their predecessors or are direct evolutions of older PoS RAM scraper families. For example, Backoff is a predecessor of Alina. Backoff was reported to have been used in attacks aimed at Dairy Queen and United Parcel Service (UPS).

    This is not to say that these were the only variants that were active in 2014. The much publicized breach experienced by Home Depot was linked to a known PoS family called BlackPoS—the same malware family used in the Target data breach. PoS malware was also spotted right before Thanksgiving weekend in the US—the weekend known for holiday shopping. Another PoS malware, called LusyPoS, was seen in Russian underground forums.

    PoS-related Activities in the Underground

    Due to the growing popularity of PoS RAM scrapers as a tool for quick monetary gain, development kits promptly started surfacing in the cybercriminal underground. One such tool is VSkimmer, a builder tool for PoS RAM scrapers that emerged in 2013.

    After stealing credit card data via RAM scrapers, most scammers then proceed to sell the stolen credit cards in batches in forums. Transactions are completed using Bitcoins, Western Union, MoneyGram, Ukash, and WebMoney, among others, as these offer convenience and anonymity to both buyers and sellers.

    Much like legitimate businesses, supply and demand affect the underground heavily. Different card brands have different unit prices in the underground carder marketplace based on availability and demand. Buying credit card data in bulk reduces the unit price, in some cases by up to 66%.

    One curious discovery is that the unit price of Discover and American Express (AMEX) cards is higher than the unit price of Visa and MasterCard cards. This is because AMEX and Discover card data are harder to come by compared to the commonly found Visa and MasterCard card data; rarer data costs more. Unfortunately, there is no definite reason why AMEX and Discover card data is seen as more lucrative than Visa and MasterCard card data.

    Expanded Targets

    The expansion of PoS-related activities in 2014 also saw the expansion of targets. Scammers have already ventured outside the shopping mall to hit newer targets like airports, metro stations, and parking lots.

    Researchers from security firm Census presented data about PoS attacks targeting travelers at airports. Census extends the definition of PoS in airports to include check-in kiosks, Wi-Fi credit kiosks, luggage locator kiosks, etc. The researchers were able to craft a simple attack that allowed them to scrape passenger information from these kiosks. Security firm IntelCrawler talked about a PoS malware called “d4re|dev1|” (daredevil), which was targeting Mass Transit System (MTS) locations. The malware had remote administration, remote updating, RAM scraping, and keylogging functionalities.

    Parking lots/garages became a popular target for scammers to steal payment information. A U.S. parking facility service provider suffered from a compromise of their payment processing systems in 17 parking facilities. Another parking service, Park ‘N Fly, also suffered a data breach that saw stolen information used in schemes involving fraud. Another service,, was the victim of the cybercrime gang behind the Target and Home Depot breaches.

    The Future of PoS Attacks

    So what does the future hold for PoS attacks?

    With PoS RAM scrapers becoming prominent threats, big businesses will be investing heavily in cybersecurity to prevent targeted attacks of this type. Cybercriminals will thus refocus on SMBs (small-medium businesses), as these may not necessarily have the cybersecurity budgets enterprises have to prevent PoS breaches. We will see a high volume of SMBs get compromised, and collectively that might account for a bigger breach than compromising enterprises.

    Implementation of new measures like the new Europay, Mastercard and Visa (EMV) standards and the PCI DSS v3.0 compliance standards will significantly change the PoS playing field for cybercriminals. These two measures will come into full effect by October 2015— expect to see a decline in PoS data breaches as the cybercriminals attempt to figure out new efficient hacks into the upgraded systems and environments. It might take them a couple of months, possibly well into mid-2016, before they can start fully breaching the PoS environments again.

    Given all of the above, cybercriminals are sure to find new methods for data breaches via third-party vendors who have access to enterprise/corporate networks. These will remain the weakest link in the chain and the ones which will be exploited the most as they will not have the same level of security as enterprises.

    There has been a lot of law enforcement agency focus on investigating these data breaches but so far, no big arrests have been made. Some of these agencies will be closing investigations and making arrests that will make headlines.

    Posted in Malware | Looking Back (and Forward) at PoS Malware

    The celebration of Thanksgiving and Black Friday last week marks the start of the holiday shopping season for the majority of the world. For most, this means vacations, family, friends, traveling, and of course, shopping. This is also the time for watching feel-good holiday movie reruns on television. One of my favorite movies is a Steve Martin comedy from the ‘80s called “Planes, Trains & Automobiles.” This blog post is not about that movie, but it does borrow heavily from its title.

    PoS Malware, Now Mainstream

    It should be remembered that it was around this time last year that U.S. retailer Target suffered one of the largest data breaches in history in a targeted attack that used the BlackPOS malware. Since the start of this year, point-of-sale or PoS malware has become mainstream and attacked merchants both big and small. 2014 is also the year when we saw PoS malware mature as a threat. New PoS threats have emerged in time for this year’s holiday shopping season, and we even managed to get a peek inside a PoS scammer’s toolbox.

    PoS malware has been mostly confined to retailers and merchants, but it now looks like it has branched out from shopping malls to airports, metro stations, and parking lots.


    Researchers from security firm Census presented an interesting paper about point-of-sale attacks targeting travelers at DEFCON 2014 last August. Census extends the definition of PoS in airports to include check-in kiosks, Wi-Fi credit kiosks, luggage locator kiosks, etc. Their investigation was carried out inside an airport in Greece. They targeted a centrally located kiosk in the terminal’s public space. The kiosk supported functionality for passengers to purchase Wi-Fi credits, make VoIP calls, and scan their tickets to check flight times. They found the kiosk had Internet connectivity, exposed USB ports, poor keyboard input sanitization, no installed antivirus software, and ran with administrator privileges.

    The researchers created custom malware and infected the kiosk using a simple web attack. Airlines use the Bar Coded Boarding Pass (BCBP) on tickets, which contains passenger information; the BCBP specification can be found using a simple Google search. The scanned BCBP data—from either a printed ticket or a QR code on a mobile phone—is decoded in the kiosk’s RAM. Knowing the BCBP format allowed the researchers to scrape the data from the kiosk’s RAM using the same techniques PoS RAM scrapers use to steal payment card data. Their experiments demonstrate that an attacker could easily infect the kiosks with PoS malware that steals payment card data.


    Security firm IntelCrawler recently blogged about a PoS malware called “d4re|dev1|” (daredevil), which was targeting Mass Transit System (MTS) locations. The malware had remote administration, remote updating, RAM scraping, and keylogging functionalities. IntelCrawler displayed a picture of a compromised ARST ticket-vending kiosk in Sardinia, Italy. The attackers gained access into the ticket-vending kiosk using Virtual Network Computing (VNC). Customers purchase bus and train tickets from these ticket-vending kiosks, making them lucrative targets for harvesting payment card data. One of the recently discovered PoS RAM scraper families, NewPosThings, attempts to harvest VNC passwords from compromised systems. Other PoS RAM scrapers like BrutPOS and Backoff use Remote Desktop Protocol (RDP) to access the compromised systems.


    News came out last week on Friday that a professional parking facility service provider suffered a compromise of their payment processing systems in 17 parking facilities in the US. A third-party vendor maintains the parking facility’s payment card systems. The attacker used the third-party vendor’s Remote Access Tool (RAT) to gain access to the payment processing systems. The attacker then installed malware that harvested the payment card data collected at the parking facilities. The third-party vendor was not using two-factor authentication for remote access, which made it easier for the attacker to gain entry and exploit the systems. The company’s parking facilities were infected in Chicago, Cleveland, Evanston, Philadelphia, and Seattle—basically, a coast-to-coast infection.

    New Targets

    From these three cases, we can make the following observations:

    • The cybercriminals are incorporating remote administration functionalities in the PoS malware. This is because the RAT + RDP/VNC functionality allows them entry into payment/e-services kiosks.
    • Any Internet-connected device that processes payment card data should be viewed as a target, regardless of its location. Users should never assume that e-service kiosks in airports, train stations, or even parking lots have the same, or an adequate, level of security as other kiosks.
    • In a connected world, security policies need to transcend borders. The responsibility of security rests on several key players: the device manufacturer, the service providers/vendors, and even the banks and credit card brands–all to protect consumers.

    Additional information and appropriate solutions for PoS malware can be found in our paper, “PoS RAM Scraper Malware: Past, Present, and Future.”

    Update as of December 17, 2014, 12:08 PM PST

    Reports say that a data breach recently hit another parking service or some component of its online card processing system. The Atlanta-based offsite airport parking service, Park ‘N Fly, allows customers to reserve parking spaces via an online reservation system. According to Park ‘N Fly’s statement: “While we believe that our systems are very secure, including SSL encryption, we have recently engaged multiple outside security firms to identify and resolve any possible gaps in our systems and as always will take any action indicated.”

    Park ’N Fly provides parking related services all over the United States and owns, leases, and manages 16 off-airport parking properties in 14 markets, in addition to operating a network for pre-booked parking for 85 affiliates across the US.

    Posted in Malware | Planes, Trains & Automobiles – Are You Safe From PoS Malware Anywhere?

    The computer security industry will always remember 2013 as the year the U.S. suffered one of the largest data breaches in history. In a targeted attack, U.S. retailer Target was compromised during the Christmas shopping season using the BlackPOS malware, a PoS RAM scraper family. According to estimates, cybercriminals stole 40 million credit and debit card numbers as well as 70 million personal records of Target shoppers.

    Ever since the Target data breach came into the limelight, there has been a constant stream of merchants and retailers publicly disclosing data breach incidents. These data breaches typically involve credit card data theft using PoS RAM scrapers. Early this month, Brian Krebs reported yet another big data breach, this time at U.S. retailer Home Depot, involving a new variant of the BlackPOS PoS RAM scraper. Nearly all Home Depot locations in the US are believed to have been affected, and it is speculated this data breach might surpass the Target breach in terms of the volume of data stolen.

    In addition to an increased number of data breaches, 2014 also brings an increase in the number of new PoS RAM scraper families. Our PoS RAM scraper family tree illustrates the evolution as follows.


    Figure 1. The evolution of the PoS RAM scraper family


    Posted in Bad Sites | 2014 – An Explosion of Data Breaches and PoS RAM Scrapers

    While researching POS RAM scraper malware, I came across an interesting sample: a RAR archive that contained a development version of a POS RAM Scraper malware and a cracked copy of Ground Labs’ Card Recon software. Card Recon is a commercial Data Leakage Prevention (DLP) product used by merchants for PCI compliance. (The contents of this archive are detected as TSPY_POCARDL.AI and SPYW_CCVIEW.)

    It looks like the criminal gangs are using the RAM scrapers to dump memory, and (ironically) using DLP to find the cards. The cracked Card Recon software I found in the RAR archive dates back to 2011:

    Link date: 9:14 AM 3/11/2011
    Publisher: Ground Labs
    Description: PCI DSS CHD Scanner
    Product: Card Recon
    Prod version: Release 1.14.7
    File version: Release 1.14.7
    MachineType: 32-bit

    Hunting for other samples using this cracked version of Card Recon returned more archive files; two interesting ones in the lot were a RAM scraper bundle and a keylogger bundle. Bad guys using a commercial DLP solution wasn’t that surprising, but it got me thinking: why validate? Aren’t the regexes used to collect the data enough?

    The short answer is the criminals need to check and validate the data they have stolen, which they then sell in the underground carder marketplace. Selling bad data will damage their reputation and might even have nastier repercussions than merely losing credibility.

    We first need to understand payment card numbers (i.e., debit and credit card numbers) in some detail. The format of these numbers is specified in ISO/IEC 7812. The 16-digit numbers used have the following format:


    The first six digits of the card are known as the Issuer Identification Number (IIN), and the very first digit of the IIN is the Major Industry Identifier (MII). The major card networks – Visa, MasterCard, Discover, and American Express (AMEX) – all have unique IIN ranges that identify which institution issued the card. The individual account number is of variable length (up to 12 digits), and the final digit, C, is a check digit calculated using the Luhn algorithm.

    The Luhn algorithm is a simple checksum formula (defined in the ISO specification) designed to catch simple transcription errors in the previous 15 digits. All 16 digits are stored in the magnetic stripe of the card in distinct magnetic tracks (Track 1 and Track 2), together with other information needed to process transactions. All this is defined in ISO/IEC 7813.

    The precise definition of how the Track 1 and 2 data is stored on cards allows POS RAM scraper malware to use regular expression (regex) patterns to search for these in RAM. Here’s an example regex for finding Track 1 data:


    Depending on how tightly the regex is written, it might also capture garbage data from RAM in addition to the target data. A well-defined regex returns clean results but may be computationally expensive compared to a looser one. When the goal is to capture data from RAM quickly, efficiency matters more than quality, especially when validation can be done offline on the exfiltrated data.

    Remarkably, though, there are some purist malware authors who believe in writing good code. One such POS RAM scraper example was written in Visual Basic and actually implemented the Luhn algorithm:

    Figure 1. Implementation of Luhn algorithm

    The malware will use the regex to capture data from the RAM and then use the function Luhn to validate the data. This function takes a string as input and returns a Boolean value: true or false. Invalid data is discarded, and the malware exfiltrates only valid results.

    While this code is functional, it’s not particularly suitable for high-volume data collection: it’s just too computationally intensive. Using an offline DLP solution like the cracked Card Recon is ideal. If you recall the massive Target data breach from last year, pragmatically validating 70 million payment cards is best done outside any compromised network.

    Going back to the POS RAM scraper with the cracked Card Recon software, I discovered that the DLP tool identifies (using the IIN) the following cards: AMEX, Discover, Diners Club, JCB, Visa, MasterCard, and Test/Others. The “Test/Others” category covers numeric strings that are Luhn-valid but do not map to any specific card brand.

    I used an online fake credit card number generator to generate different brands of Luhn-valid credit card numbers and then used the Card Recon DLP tool to scan my drive for valid credit card numbers. (It should be noted that the DLP tool only validates the payment card number and not the entire Track 1 and 2 data.)

    Figure 2. Cracked Card Recon tool

    The tool incorrectly identified some Python libraries as containing Luhn-valid test credit card numbers, which supports the point I made previously about regexes misfiring and collecting garbage data. To a carder, the full package (account number, expiry date, and the CVC1/CVV1 codes found in Track 1 and 2 data) is extremely important. Combined, these fetch a higher price in the underground carder marketplace than the card number alone. Carders use regexes to collect both Track 1 and 2 data, and validating the captured card numbers theoretically implies that the rest of the data is valid as well.

    Figure 3. Files detected by Card Recon
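The validation described above (candidate digit runs, Luhn check, brand by IIN, and the false positives a loose pattern produces) as an added Python example written from the DLP side; it is neither the Visual Basic malware’s code nor Card Recon’s logic. The sample buffer is constructed from the public test card numbers, and the IIN ranges are the commonly published ones, assumed here rather than taken from an authoritative table.

```python
import re
from typing import List, Optional, Tuple

# Deliberately loose candidate pattern: any run of 13 to 19 digits that is not
# part of a longer digit run. It is cheap to evaluate, which is exactly why it
# also drags in session ids, padding and other garbage from memory.
CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(number: str) -> bool:
    """ISO/IEC 7812 check digit: from the right, double every second digit,
    subtract 9 from doubled values above 9, and require the sum to be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(number: str) -> str:
    """Map a Luhn-valid number to a brand by IIN prefix and length.
    Ranges are the commonly published ones (an assumption of this example)."""
    n = len(number)
    p2, p3, p4 = int(number[:2]), int(number[:3]), int(number[:4])
    if number[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= p2 <= 55 or 2221 <= p4 <= 2720):
        return "MasterCard"
    if n == 15 and p2 in (34, 37):
        return "AMEX"
    if n == 16 and (p4 == 6011 or p2 == 65 or 644 <= p3 <= 649):
        return "Discover"
    if n == 14 and (300 <= p3 <= 305 or p2 in (36, 38)):
        return "Diners Club"
    if n == 16 and 3528 <= p4 <= 3589:
        return "JCB"
    return "Test/Others"  # Luhn-valid, but not in a recognised IIN range


def scan(buffer: str) -> List[Tuple[str, bool, Optional[str]]]:
    """Return (digits, luhn_ok, brand) for every candidate in the buffer.
    brand is None when the Luhn check already rejected the candidate."""
    results = []
    for match in CANDIDATE.finditer(buffer):
        digits = match.group()
        ok = luhn_valid(digits)
        results.append((digits, ok, card_brand(digits) if ok else None))
    return results


# Constructed sample standing in for a memory dump. The card numbers are the
# well-known public test numbers, not real accounts; the other digit runs are
# the kind of non-card data a loose regex picks up. Note that a run of zero
# padding passes Luhn and lands in "Test/Others", just as the text describes
# for the misidentified Python libraries.
SAMPLE_BUFFER = (
    "pos.log: auth ok card=4111111111111111 exp=12/19\n"
    "session_id=1234567890123456 user=cashier02\n"
    "card=378282246310005 amount=42.10\n"
    "pad=0000000000000000 card=5555555555554444\n"
    "mc=6011111111111117 build=20140603 ver=1.14.7\n"
)

if __name__ == "__main__":
    for digits, ok, brand in scan(SAMPLE_BUFFER):
        print(f"{digits:<20} luhn={'ok ' if ok else 'bad'} brand={brand}")
```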

    One may then ask: is all this information valued equally in the underground marketplace? Surprisingly, the answer is no, and it all has to do with supply and demand.

    Our recent revisit of the Russian underground showed how the price of credit cards in the underground marketplace has declined over the years. However, the variation in prices of different brands of credit cards still exists. Checking various carder sites, I found some representative prices for “validated” US-based credit cards:

    Table 1. Card prices (per card, in US dollars)

    Two things to take away from this. First, buying credit card data in bulk reduces the unit price, in some cases by up to 66%. Secondly, the unit price of Discover and AMEX cards is higher than the unit price of Visa and MasterCard cards.

    This is because AMEX and Discover card data are harder to come by compared to the commonly found Visa and MasterCard card data; rarer data costs more. Unfortunately, I failed to find good reasons as to why AMEX and Discover card data is seen as more lucrative than Visa and MasterCard card data. Is it because compromised AMEX and Discover cards are less likely to be detected? Do they carry larger credit limits? Are they accepted with a higher level of confidence? We can’t say for sure.

    From this investigation we conclude:

    • POS RAM scraper malware regexes used to collect Track 1 and 2 data are observed to be computationally lightweight. This may be to cope with the high volume of data being processed, and to remain stealthy. Exceptions to this obviously exist, but the mainstream RAM scraper families generally don’t implement Luhn validation in code.
    • Card data validation is usually done offline on the exfiltrated data using readily available hacked/cracked DLP tools (e.g., Card Recon) or homebrew tools. In addition to validation, the carders also separate out the different card brands.
    • Different card brands have different unit prices in the underground carder marketplace based on availability and demand.

    Update as of 12:35 AM PDT, June 4, 2014

    Ground Labs, the publisher of Card Recon, has released a blog post discussing the modified versions of their software used by cybercriminals. They reiterated that legitimate copies of Card Recon should only be downloaded from their website or their partners.
