
Evolution and characterization of point-of-sale RAM scraping malware

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

An Erratum to this article was published on 01 September 2016


Abstract

Credit and debit cards are becoming the primary payment method for retail purchases. These payments are normally processed by the merchant's in-store systems, known as Point-of-Sale (POS) systems. Because these systems handle payment card data while processing customer transactions, they have become a primary target for cybercriminals. While this data sits in memory, it is scraped and exfiltrated by specially crafted malicious software known as POS RAM scraping malware. In recent years, several large data breaches at well-known US retail companies were caused by this kind of malware. In this paper, we study the features of these malware families based on their behavior at three stages: infection and persistence, search for processes and data of interest, and exfiltration. We then classify samples from 22 known POS RAM scraping malware families, dating from 2009 to 2015, according to these features. Our findings show that these malware families are still immature and follow well-defined behavioral patterns for data acquisition and exfiltration, which may make their malicious activity easy to detect with process and network monitoring tools.
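The "data of interest" search the abstract refers to works because magnetic-stripe track data has a fixed layout (ISO/IEC 7813): a scraper only needs a regular expression over a process's memory plus a Luhn check to discard false positives, and a defender's memory or PCI scanner finds exposed card data the same way. The following Python is an added example, not code from the paper: it scans a constructed byte buffer for Track 1 and Track 2 records, drops candidates whose PAN fails the Luhn check, and reports masked results. The buffer contents, the process name, and the PANs (Visa test numbers, not real cards) are constructed; the regular expressions assume the standard track formats and nothing about any particular malware family.

```python
import re

# Magnetic-stripe track layouts (ISO/IEC 7813). Field separators are fixed,
# which is why scrapers (and PAN scanners) can find card data with a regex:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[A-Z /.'-]{2,26})\^"
    rb"(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>[^?]{0,50})\?"
)
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<sc>\d{3})(?P<disc>\d{0,30})\?"
)


def luhn_ok(pan: bytes) -> bool:
    """Luhn (mod 10) check on an ASCII-digit PAN; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep the BIN (first 6) and last 4 digits, as PCI DSS allows for display."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def scan_buffer(buf: bytes) -> list[dict]:
    """Find Luhn-valid Track 1/2 records in a raw memory buffer."""
    hits = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan")
            if not luhn_ok(pan):
                continue  # shaped like track data, but the PAN is not a valid card number
            hits.append({
                "kind": kind,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": m.group("exp").decode("ascii"),
                "service_code": m.group("sc").decode("ascii"),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample: what a dump of a payment process's heap might contain
# right after a swipe. PANs are Visa test numbers; the last record fails Luhn.
MEMORY_SAMPLE = (
    b"\x00" * 16
    + b"POS_APP_v2.3 transaction log\x00"
    + b"%B4111111111111111^DOE/JOHN^25121010000000000?"
    + b"\x00" * 8
    + b";4111111111111111=2512101000000000?"
    + b"\x00" * 8
    + b";4111111111111112=2512101?"
    + b"\x00" * 16
)


def scan_sample() -> list[dict]:
    return scan_buffer(MEMORY_SAMPLE)


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```

Run against a real process, the same `scan_buffer` would be fed the readable regions of the payment application's address space; the point of the example is that the search pattern is small and fixed, which is also what makes a process that opens other processes' memory and emits these patterns a practical detection signature.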




Notes

  1. See https://msdn.microsoft.com/en-us/library/windows/desktop/ms684839(v=vs.85).aspx for details.


Acknowledgments

The author would like to thank Marc Rivero and Rubén Espadas, MLW.RE NPO, for providing malware samples, Xylitol for maintaining the POS RAM scraping malware thread on the KernelMode forum, and the anonymous referees for providing constructive comments and helping to improve the contents of this paper.

Author information

Correspondence to Ricardo J. Rodríguez.

Additional information

An erratum to this article is available at https://doi.org/10.1007/s11416-016-0285-z.


Cite this article

Rodríguez, R.J. Evolution and characterization of point-of-sale RAM scraping malware. J Comput Virol Hack Tech 13, 179–192 (2017). https://doi.org/10.1007/s11416-016-0280-4
