2014 saw a significant jump in the quantity, quality and prevalence of point-of-sale malware attacks. These malicious creations, commonly referred to as PoS RAM Scrapers, are designed to compromise the terminals used by businesses the world over to carry out retail transactions.
Tens of millions of payment card details are routinely stolen, sometimes in a single operation. These card details are then sold on underground carding forums where they are used to make fraudulent purchases, transfers or withdrawals. These large-scale heists have become the backbone of the supply chain to the globally distributed underground carding economy.
How do they work?
When a payment terminal processes your credit card data during a transaction, the majority of the time it is securely encrypted, both in storage and in transit. However, when that data is actively in use by the terminal, at the point where the transaction is taking place, it is processed in the memory of the terminal in the clear. PoS RAM Scrapers are designed to inspect the memory of running processes on a terminal and extract the payment card data for later bulk retrieval by the attacker. For this reason, PoS terminals are becoming an even more attractive criminal target; one successful attack offers far more bang for the buck than traditional attacks against individual consumers.
Why was 2014 a landmark year?
As noted in the 2014 Annual Security Roundup, “Magnified Losses, Amplified Need for Cyber-Attack Preparedness,” quite simply, the criminal focus on this area has ramped up significantly over the course of 2014. The years 2009 to 2013 inclusive saw a total of 7 distinct families of PoS malware; namely RawPOS, Rdasrv, Alina, Dexter, BlackPOS, Chewbacca, and VSkimmer.
By the end of 2014 we were talking about an increase of 129 percent at the level of PoS RAM Scraper families alone, without taking individual variants into account. 2014 saw the introduction of Soraya, LusyPOS, JackPOS, Backoff, NewPoSThings, Decebal, BlackPOS 2, BrutPOS and GetMyPass.
In true online criminal “trickle down” style, the older tool BlackPOS was responsible for just over 50 percent of infections, while the newer tools were used very successfully but in more limited distributions.
This has not been a phenomenon restricted to one industrial sector either, with attacks against the retail (of course), postal, parking, restaurant, hotel and beauty sectors throughout the year. Let’s not forget, these are only the publicly notified breaches. Attackers have learned very quickly that PoS terminals represent a potentially highly lucrative seam to mine.
Where do we go from here?
The larger breaches have led many to discuss whether retailers in the US would finally begin the rollout of EMV, or contactless, terminals, but it’s important to remember that EMV terminals are just as vulnerable to attack from PoS RAM Scrapers. The card details are still processed in the clear during the transaction. EMV technology in Europe certainly did see a reduction in “in-person fraud” but a consequent rise in “card not present fraud.” The technology did not lead to fewer fraudulent transactions; it just drove the fraud to online transactions rather than in-store.
A lasting solution to PoS RAM scraping will come more in the form of technologies such as ApplePay or Visa Token Service, where the actual card details are never transmitted to the PoS terminal and thus cannot be intercepted.
In the meantime, anyone accepting credit card payments is a potential target for large-scale theft and should be paying more attention to securing those devices. End-point security solutions should be deployed where permissible and possible, and network monitoring technology should be deployed on critical network segments to identify unauthorized access, system compromise and of course the attempted theft of sensitive data. This white paper offers several pointers to designing effective security in PoS environments.
Please add your thoughts in the comments below or follow me on Twitter, @rik_ferguson.