
2014 – An Explosion of Data Breaches and PoS RAM Scrapers

  • Posted on: September 11, 2014 at 2:16 am
  • Posted in: Bad Sites
  • Author: Numaan Huq (Senior Threat Researcher)

The computer security industry will always remember 2013 as the year the U.S. suffered one of the largest data breaches in history. In a targeted attack, U.S. retailer Target was compromised during the Christmas shopping season using the BlackPOS malware, a PoS RAM scraper family. According to estimates, cybercriminals stole 40 million credit and debit card numbers as well as 70 million personal records of Target shoppers.

Ever since the Target data breach came into the limelight, there has been a constant stream of merchants and retailers publicly disclosing data breach incidents. These data breaches typically involve credit card data theft using PoS RAM scrapers. Early this month, Brian Krebs reported yet another big data breach, this one involving U.S. retailer Home Depot and a new variant of the BlackPOS PoS RAM scraper. Nearly all Home Depot locations in the US are believed to have been affected, and it is speculated that this data breach might surpass the Target breach in terms of the volume of data stolen.

In addition to an increased number of data breaches, 2014 also brings an increase in the number of new PoS RAM scraper families. Our PoS RAM scraper family tree illustrates the evolution as follows.

Figure 1. The evolution of the PoS RAM scraper family

The earliest evidence of PoS RAM scraping was in Visa’s Data Security Alert issued on October 2, 2008. Back then, cybercriminals attempted to install debugging tools on PoS systems to dump Track 1 and Track 2 credit card data from RAM. In 2009, Verizon also reported on PoS RAM scrapers alongside its victim profiles; targets were primarily the retail and hospitality industries. PoS RAM scraper families really started to evolve around the end of 2011. As the family tree illustrates, there has been a steady release of new PoS RAM scraper families as new breach and exfiltration techniques unfold. What stands out in the PoS RAM scraper family tree is the high concentration of new variants that have emerged in 2014 alone. Six variants of this scraper family emerged between 2011 and 2013, but researchers discovered the same number of variants in 2014 alone. As illustrated by the arrows, these new variants either borrowed the functionality of their predecessors or are direct evolutions of older PoS RAM scraper families.

Of the six new variants discovered in 2014, four were discovered between June and August.

  • Soraya – discovered in June; a Dexter- and ZeuS-inspired malware. In addition to scraping RAM for credit card Track 1 and Track 2 data, it borrows tricks from ZeuS for hooking the NtResumeThread API and injects itself into all new processes. It also borrows ZeuS’s form-grabbing functionality and hooks the browser’s HTTP POST function. Trend Micro detects Soraya variants as TSPY_SORAYA.A.
  • BrutPOS – discovered in July; appears to have borrowed functionality from a BlackPOS variant. It targets PoS systems that use weak or default passwords and have open Remote Desktop Protocol (RDP) ports, brute-forcing login:password combinations to gain entry into the system. Trend Micro detects BrutPOS variants as TROJ_TIBRUN.B and TROJ_TIBRUN.SM.
  • Backoff – discovered in July; a successor of Alina. It implements an updated data search function and drops a watchdog process that ensures Backoff is always running on the system. The cybercriminals use publicly available tools to brute-force entry into RDP applications on PoS systems and then install Backoff. Trend Micro detects Backoff variants as TSPY_POSLOGR.A, TSPY_POSLOGR.B, and TSPY_POSLOGR.C.
  • BlackPOS ver 2.0 – discovered in August; clones the exfiltration technique that the BlackPOS variant used to compromise U.S. retailer Target. BlackPOS ver 2.0 also adds a unique feature: it pretends to be an AV product installed on the system to avoid drawing unwanted attention to itself. Reports indicate that this malware appears to have been used in the latest big data breach targeting Home Depot. Trend Micro detects BlackPOS ver 2.0 variants as TSPY_MEMLOG.A.

Note: A malware variant may have existed long before it was discovered because tracking exact dates is extremely difficult to do.
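BrutPOS and Backoff both get onto PoS hosts by brute-forcing RDP logons, which leaves a recognisable trail in the Windows Security log. The detector below is an added example, not code from this post or from Trend Micro: it correlates failed (4625) and successful (4624) RemoteInteractive logons per source IP. The event records are constructed sample data, and the threshold and time window are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log records (not real telemetry):
# (timestamp, event_id, logon_type, account, source_ip)
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP)
SAMPLE_EVENTS = [
    ("2014-08-20T02:00:01", 4625, 10, "Administrator", "203.0.113.7"),
    ("2014-08-20T02:00:03", 4625, 10, "Administrator", "203.0.113.7"),
    ("2014-08-20T02:00:04", 4625, 10, "pos", "203.0.113.7"),
    ("2014-08-20T02:00:06", 4625, 10, "pos1", "203.0.113.7"),
    ("2014-08-20T02:00:09", 4625, 10, "admin", "203.0.113.7"),
    ("2014-08-20T02:00:12", 4624, 10, "admin", "203.0.113.7"),    # guess succeeds
    ("2014-08-20T02:30:00", 4625, 10, "jsmith", "198.51.100.2"),  # one mistyped password
    ("2014-08-20T02:30:20", 4624, 10, "jsmith", "198.51.100.2"),
    ("2014-08-20T03:00:00", 4625, 2, "svc", "127.0.0.1"),         # console logon, not RDP
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside `window` (assumed
    values), and record whether an RDP logon from that IP followed the burst."""
    # keep only RDP logons, ordered by time
    rdp = sorted((parse_ts(t), eid, acct, ip) for t, eid, lt, acct, ip in events if lt == 10)
    failures = defaultdict(list)   # ip -> timestamps of failed logons still inside the window
    tried = defaultdict(set)       # ip -> account names attempted
    alerts = {}
    for when, eid, acct, ip in rdp:
        if eid == 4625:
            q = failures[ip]
            q.append(when)
            tried[ip].add(acct)
            while when - q[0] > window:   # slide the window forward
                q.pop(0)
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": len(q),
                              "accounts_tried": sorted(tried[ip]),
                              "success": None}
        elif eid == 4624 and ip in alerts and alerts[ip]["success"] is None:
            # a successful logon after the burst: treat this account as compromised
            alerts[ip]["success"] = (acct, when.isoformat())
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

A successful 4624 from a flagged IP is the signal to isolate the host and check for newly dropped PoS binaries or watchdog processes.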

Our research paper PoS RAM scraper malware: Past, Present, and Future studies the PoS RAM scraper problem from A to Z and details the following.

  • It delves into the PoS ecosystem and describes how PoS transactions work from the moment customers swipe their credit cards to the time they get charged for their purchases.
  • It contains a description of the types of data that reside in the magnetic stripe of payment cards.
  • It looks at the evolution of PoS RAM scrapers, from their simple beginnings to how they have become today’s industrialized threats.
  • It explores the various PoS RAM scraper infection methods by providing technical overviews of the most prevalent PoS RAM scraper malware families that have affected businesses to date.
  • It details the data-exfiltration techniques used by PoS RAM scrapers and examines what happens to the data that cybercriminals exfiltrate.
  • It attempts to predict what the next-generation PoS RAM scrapers will look like and future PoS attack vectors.

Finally, the paper provides prevention strategies that companies can follow to protect themselves against PoS RAM scrapers.

Tags: POS malware, PoS RAM scraper