Abstract
Credit and debit cards are becoming the primary payment method for purchases. These payments are normally performed on merchants' in-store systems, also known as Point-of-Sale (POS) systems. Since these systems handle payment card data while processing customer transactions, they have become a primary target for cybercriminals. While this data resides in memory it is scraped and exfiltrated by specially crafted malicious software known as POS RAM scraping malware. In recent years, large data breaches at well-known US retail companies were caused by this kind of malware. In this paper, we study the features of this malware according to its behavior at different stages: infection and persistence, search for processes and data of interest, and exfiltration. We then classify samples from 22 known POS RAM scraping malware families from 2009 to 2015 according to these features. Our findings show that this malware is still immature and uses well-defined behavioral patterns for data acquisition and exfiltration, which may make its malicious activity easily detectable by process and network monitoring tools.
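The "well-defined patterns for data acquisition" the abstract refers to can be made concrete. The following is an added example, not code from the paper or from any malware family it classifies: a scanner that walks a memory buffer for ISO/IEC 7813 Track 1 / Track 2 formatted data and keeps only candidates whose PAN passes the Luhn check. This is the same search a RAM scraper performs on a POS process, and it is also what a memory-forensics or process-monitoring check can run to confirm whether cleartext track data is present. The sample buffer, the cardholder name and the PANs (industry test numbers) are constructed for the example.

```python
import re
from dataclasses import dataclass

# Track 1, format B (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2:                           ;<PAN>=<YYMM><service code><discretionary>?
# PAN is 13 to 19 digits. Both patterns operate on raw bytes, as a scraper would.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z .\/-]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn (ISO/IEC 7812-1) check digit validation; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Hit:
    track: int
    offset: int
    pan: str
    expiry: str          # YYMM
    service_code: str


def scan_buffer(buf: bytes) -> list[Hit]:
    """Return every Luhn-valid Track 1/2 record found in buf, ordered by offset."""
    hits: list[Hit] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(Hit(1, m.start(), pan, m.group(3).decode(), m.group(4).decode()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(Hit(2, m.start(), pan, m.group(2).decode(), m.group(3).decode()))
    return sorted(hits, key=lambda h: h.offset)


def mask_pan(pan: str) -> str:
    """Keep BIN and last four digits only, so a detector can log a hit without storing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed stand-in for a process memory region: filler, one Track 1 record,
# one Track 2 record, and one Track 2 record whose PAN fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00" * 32 + b"POSAPP.EXE transaction log "
    + b"%B4111111111111111^DOE/JOHN^2512101123456789?" + b"\x00" * 16
    + b";5500000000000004=25121011234567890?" + b"\xff" * 8
    + b";4111111111111112=25121010000000000?" + b"\x00" * 8
)


def demo() -> list[Hit]:
    return scan_buffer(SAMPLE_MEMORY)


if __name__ == "__main__":
    for h in demo():
        print(f"track {h.track} @ {h.offset:#x}: {mask_pan(h.pan)} exp {h.expiry} svc {h.service_code}")
```

The third record is dropped by the Luhn filter, which is what keeps a scraper's output (and a detector's alert volume) free of random digit runs. A production check would also scan UTF-16LE copies of the same strings and rate-limit what it logs, since the hit itself is cardholder data.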
Change history
01 September 2016
An erratum to this article has been published.
Acknowledgments
The author would like to thank Marc Rivero and Rubén Espadas, MLW.RE NPO, for providing malware samples, Xylitol for maintaining the KernelMode forum thread on POS RAM scraping malware, and the anonymous referees for providing constructive comments and helping to improve the contents of this paper.
Additional information
An erratum to this article is available at https://doi.org/10.1007/s11416-016-0285-z.
Cite this article
Rodríguez, R.J. Evolution and characterization of point-of-sale RAM scraping malware. J Comput Virol Hack Tech 13, 179–192 (2017). https://doi.org/10.1007/s11416-016-0280-4