The computer security industry will always remember 2013 as the year the U.S. suffered one of the largest data breaches in history. In a targeted attack, U.S. retailer Target was compromised during the Christmas shopping season using the BlackPOS malware, a PoS RAM scraper family. According to estimates, cybercriminals stole 40 million credit and debit card numbers as well as 70 million personal records of Target shoppers.
Ever since the Target data breach came into the limelight, there has been a constant stream of merchants/retailers publicly disclosing data breach incidents. These data breaches typically involve credit card data theft using PoS RAM scrapers. Early this month, Brian Krebs reported yet another big data breach, this time involving U.S. retailer Home Depot and a new variant of the BlackPOS PoS RAM scraper. Nearly all Home Depot locations in the US are believed to have been affected, and it is speculated that this data breach might surpass the Target breach in terms of the volume of data stolen.
In addition to an increased number of data breaches, 2014 also brings an increase in the number of new PoS RAM scraper families. Our PoS RAM scraper family tree illustrates the evolution as follows.
Figure 1. The evolution of the PoS RAM scraper family
The earliest evidence of PoS RAM scraping was in Visa’s Data Security Alert issued on October 2, 2008. Back then, cybercriminals attempted to install debugging tools on PoS systems to dump Track 1 and Track 2 credit card data from RAM. In 2009, Verizon also reported on PoS RAM scrapers alongside its victim profiles; the targets were primarily the retail and hospitality industries. PoS RAM scraper families really started to evolve around the end of 2011. As the family tree illustrates, there has been a steady release of new PoS RAM scraper families as new breach and exfiltration techniques unfold. What stands out in the PoS RAM scraper family tree is the high concentration of new variants that have emerged in 2014 alone. Six variants of this scraper family emerged between 2011 and 2013, but researchers discovered the same number of variants in 2014 alone. As illustrated by the arrows, these new variants either borrowed the functionality of their predecessors or are direct evolutions of older PoS RAM scraper families.
Of the six new variants discovered in 2014, four were discovered between June and August.
- Soraya – discovered in June, is Dexter- and ZeuS-inspired malware. In addition to scraping RAM for credit card Track 1 and Track 2 data, it borrows tricks from ZeuS for hooking the NtResumeThread API and injects itself into all new processes. It also borrows ZeuS’s form-grabbing functionality and hooks the browser’s HTTP POST function. Trend Micro detects Soraya variants as TSPY_SORAYA.A.
- BrutPOS – discovered in July, appears to have borrowed functionality from a BlackPOS variant. It targets PoS systems that use weak or default passwords and have open Remote Desktop Protocol (RDP) ports. BrutPOS brute-forces login:password combinations to gain entry into the system. Trend Micro detects BrutPOS variants as TROJ_TIBRUN.B and TROJ_TIBRUN.SM.
- Backoff – discovered in July, is a successor of Alina. It implements an updated data search function and drops a watchdog process that ensures Backoff is always running on the system. The cybercriminals use publicly available tools to brute-force entry into RDP applications on PoS systems and then install Backoff. Trend Micro detects Backoff variants as TSPY_POSLOGR.A, TSPY_POSLOGR.B, and TSPY_POSLOGR.C.
- BlackPOS ver 2.0 – discovered in August, clones the exfiltration technique that the BlackPOS variant used to compromise U.S. retailer Target. BlackPOS ver 2.0 also adds a unique feature where it pretends to be an AV product installed on the system to avoid drawing unwanted attention to itself. Reports indicate that this malware appears to have been used in the latest big data breach targeting Home Depot. Trend Micro detects BlackPOS ver 2.0 variants as TSPY_MEMLOG.A.
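BrutPOS and Backoff both reach PoS systems by brute-forcing RDP logons, which leaves a recognisable trail in the Windows Security log. The following is an added example, not code from the original post or the research paper: a small Python detector that runs over constructed log lines (EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP) and flags a source that fails many RDP logons in a short window, plus any RDP success that follows from that source. The key=value log format, the sample values and the threshold are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample lines (not real logs) in a simplified key=value rendering of
# Windows Security events: 4625 = failed logon, 4624 = successful logon, and
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_LOG = """\
2014-07-12T03:15:01Z EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.45
2014-07-12T03:15:03Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2014-07-12T03:15:04Z EventID=4625 LogonType=10 TargetUser=pos SourceIP=203.0.113.45
2014-07-12T03:15:06Z EventID=4625 LogonType=10 TargetUser=posuser SourceIP=203.0.113.45
2014-07-12T03:15:09Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2014-07-12T03:15:12Z EventID=4624 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2014-07-12T03:20:00Z EventID=4625 LogonType=10 TargetUser=cashier SourceIP=198.51.100.7
2014-07-12T03:21:00Z EventID=4624 LogonType=10 TargetUser=cashier SourceIP=198.51.100.7
2014-07-12T03:22:00Z EventID=4625 LogonType=2 TargetUser=cashier SourceIP=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) TargetUser=(\S+) SourceIP=(\S+)$")

def parse_line(line):
    """Return (timestamp, event_id, logon_type, user, source_ip), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed RDP logons in the window, then any RDP success from them."""
    failures = defaultdict(deque)   # source_ip -> timestamps of recent RDP failures
    users = defaultdict(set)        # source_ip -> account names tried (case-folded)
    flagged, alerts = set(), []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        ts, event_id, logon_type, user, src = rec
        if logon_type != 10:        # only RemoteInteractive (RDP) logons matter here
            continue
        q = failures[src]
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if event_id == 4625:
            q.append(ts)
            users[src].add(user.lower())
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("rdp_bruteforce", src, sorted(users[src])))
        elif event_id == 4624 and src in flagged:
            alerts.append(("bruteforce_success", src, user))   # entry after brute-force
    return alerts
```

The second alert type is the one worth paging on: a successful RDP logon from a source that was just brute-forcing is the moment at which a PoS RAM scraper would be installed.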
Note: A malware variant may have existed long before it was discovered; tracking exact dates is extremely difficult.
Our research paper PoS RAM scraper malware: Past, Present, and Future studies the PoS RAM scraper problem from A to Z and details the following.
- It delves into the PoS ecosystem and describes how PoS transactions work from the moment customers swipe their credit cards to the time they get charged for their purchases.
- It contains a description of the types of data that reside in the magnetic stripe of payment cards.
- It looks at the evolution of PoS RAM scrapers, from their simple beginnings to how they have become today’s industrialized threats.
- It explores the various PoS RAM scraper infection methods by providing technical overviews of the most prevalent PoS RAM scraper malware families that have affected businesses to date.
- It details the data-exfiltration techniques used by PoS RAM scrapers and examines what happens to the data that cybercriminals exfiltrate.
- It attempts to predict what the next-generation PoS RAM scrapers will look like and future PoS attack vectors.
Finally, the paper provides prevention strategies that companies can follow to protect themselves against PoS RAM scrapers.