‘RAM scraping’ has been implicated in one of the world’s largest data breaches.  So what does it involve, and how do businesses defend against it?  By Keith Bird, UK MD, Check Point

When we published our security predictions for 2014 in December, we said that ‘targeted malware campaigns … aimed at stealing either money or intellectual property’ would be one of the top 3 threats to business during the year.  However, we certainly did not expect this prediction to be realised quite so quickly, nor in such a high-profile fashion.  It’s estimated that the breaches at leading US retailers including Target and Neiman Marcus resulted in up to 110 million people having credit card or personal details stolen.

Investigations into these attacks have revealed that point-of-sale (POS) terminals at the retail chains had been infected with ‘RAM scraping’ tools, which enabled credit card data and other account information to be intercepted and stolen by the attackers.  While RAM scraping is not a new technique (it was first reported in 2008 by Princeton’s Center for Information Technology Policy), its use in these latest attacks has raised questions about the security of credit card transactions that don’t use EMV, and the Payment Card Industry’s Data Security Standard (PCI-DSS), which is intended to safeguard POS systems and protect customers’ card data in transit.

While PCI-DSS does offer strong security from the initial transaction, right through to when customer data is stored on retailers’ systems, it isn’t invulnerable.  There’s a very short period of time during a mag-stripe transaction when the customer’s credit card data – including the cardholder’s name, card number, expiry date, the three-digit security code – is available in plaintext format.  This is because payment processing systems work with unencrypted data, and it’s this window of opportunity that RAM scraping tools exploit.

A narrow scrape

When the card data is read by the POS terminal, it’s temporarily stored in random-access memory while the card is authorised and the transaction processed, before it is encrypted.  Similarly, when a back-end server starts processing the customer transaction, the data is temporarily decrypted in memory.  The data is visible only for a fraction of a second, but in that time the RAM scraper is able to do its work.  It is designed to activate whenever a transaction occurs, and to seek out credit card numbers from the RAM as soon as new data is loaded into it.  The data is then written silently copied  to a text file, and forwarded onto the attackers when a pre-determined number of records has been ‘scraped’ – saving the criminal the effort and trouble of having to decrypt the customer details.

It’s not yet clear which specific malware variants were used in these latest attacks, or how they were planted.  However, in early January 2014 the US Computer Emergency Readiness Team (US-CERT) issued an alert about RAM-scraping malware targeting POS systems, naming types of currently-active malware that is capable of searching memory dumps of specific POS software-related processes to find card data.

Infection vectors

So how were the criminals able to inject the RAM scrapers into the POS systems of these major retailers?  It’s currently believed that the hackers were able to obtain the login credentials belonging to a company that provides the heating, ventilation and air-conditioning services (HVAC) to the retailers.  The HVAC firm had access rights to the retailers’ network for tasks including remote monitoring of energy use and temperatures in stores.  Using these access rights, the attackers gained a foothold on the retailer’s network and could subsequently jump across to the company’s payment systems network.

Once the corporate network has been breached, it’s possible for attackers to transfer the malware over to the POS network and devices.  The POS networks are not isolated from other business networks – which makes them vulnerable.

POS protection

In terms of blocking future RAM-scraping exploits, or other attacks targeting POS systems, US-CERT recommends six best practices to the owners and operators of the systems:

• Use strong passwords for POS systems, and always change them from the factory default setting
• Update POS software applications, in exactly the same way that other business software should be updated and patched, to cut exposure to vulnerabilities
• Install a firewall to protect POS systems and isolate them from other networks
• Use antivirus software, and keep it fully updated
• Restrict access to the Internet from POS system computers or terminals to prevent accidental exposure to security threats
• Disable remote access to POS systems

Organisations should also consider additional counter-measures to add a further layer of protection against malware infections, which are the most common starting point for attacks.  It’s relatively easy for criminals to make small adjustments to malware code, which enables it to bypass current antivirus signature detection, which in turn leaving businesses vulnerable.  A security technique such as Check Point’s ThreatCloud Emulation makes it possible to identify and isolate malicious files before they enter the network, so that accidental infections do not occur.

In conclusion, RAM scraping is a threat that could target not just the retail sector, but any business area that involves processing volumes of customer payment cards, from leisure and hospitality through to finance and insurance.  So organisations that routinely use POS equipment should look carefully at their exposure to being scarred by RAM scrapers.

www.checkpoint.com