
Last year was dubbed by some industry experts "the year of the breach," and for good reason. The enterprise community saw countless high-profile intrusions in 2014, illustrating the importance of having top-notch information security solutions in place. The attackers behind these breaches utilized a range of infection tactics; however, some were seen more frequently than others.
According to Verizon's 2015 Data Breach Investigations Report, one of the most prominent attack strategies last year was RAM-scraping malware, demonstrating the threat this type of infection can pose.
What is RAM-scraping malware?
According to a Trend Micro white paper from 2014, RAM-scraping malware is an infection in which cybercriminals specifically target the point-of-sale (PoS) systems used by retailers in order to steal unprotected customer payment data. White paper author Numaan Huq, part of Trend Micro's Forward-Looking Threat Research Team, noted that credit and debit card payment data – the information stored on the magnetic stripe on the back of the card – is temporarily held in plain text in the memory of many retailers' PoS devices while it is being processed. RAM-scraping malware targets the data at exactly this point in the process, which makes it easier for hackers to make off with it and use it for fraudulent purposes or sell it on underground marketplaces.
"To exponentially increase their payback from stealing credit card data, criminals are now directly targeting the businesses that process credit cards instead of going after the individual victims," Huq wrote.
A Trend Micro blog post from Huq noted that this type of malware was first seen and positively identified in late 2008, when Visa issued a security alert. Since then, RAM-scraping infections have become increasingly popular, leading to a surge of attacks in 2013 and 2014. This includes the high-profile breaches at Target and The Home Depot, which impacted millions of customers across the United States and the rest of the world.
A family tree of RAM-scraping malware samples
Currently, there are more than a few families of this type of malware in the wild, with six being uncovered in the last year alone. Some of the most recent discoveries include:
- Backoff: This sample was first found in July 2014, and it utilizes updated data search and watchdog processes to continually run on a victim's system. Hackers then leverage brute force tools to breach the PoS and steal data from it.
- BlackPOS ver 2.0: This sample was discovered in August 2014, and quickly made a name for itself as the updated version of the infection that caused the Target breach. It uses a cloned exfiltration technique and also includes a unique masking capability, camouflaging itself as an anti-virus application to evade detection.
This only scratches the surface of RAM-scraping malware. According to Trend Micro's family tree, there were a total of 12 families as of late 2014.
"What stands out in the PoS RAM scraper family tree is the high concentration of new variants that have emerged in 2014 alone," Huq wrote in a September 2014 blog post. "Six variants of this scraper family emerged between 2011 and 2013, but researchers discovered the same number of variants in 2014 alone."
A continuing threat
While phishing was also on researchers' radar, RAM-scraping malware was flagged by Verizon analysts as one of the worst threats faced last year. Of the breaches that took place last year, around 28.5 percent – the highest percentage found by the report – came as a result of PoS intrusions. The second most prevalent threat cited was crimeware, which accounted for about 18.8 percent of reported attacks.
However, the fact that these malware samples are out there isn't the only reason infections are taking place. Trend Micro noted in a March 2015 post that the continued use of older operating systems, including Windows XP and Windows Server 2000, is contributing to attacks, as official support from Microsoft has ended for these platforms. This doesn't mean that newer systems are infallible, though.
"These operating systems are more vulnerable to potential attacks, as they will no longer receive patches for new vulnerabilities," Trend Micro stated in March. "Newer systems running the latest OS aren't entirely safe either, and still need to be regularly patched and updated to reduce the risk."
Retailers should have a layered security strategy in place to protect their PoS and their customers' payment card data. Anti-virus and monitoring solutions alongside multi-factor authentication can help prevent intrusion. In addition, Trend Micro's Endpoint Application Control can help prevent PoS malware intrusion. To find out more, contact us today.