Monday, 20 January 2014

How RAM Scraper Malware Stole Data from Target, Neiman Marcus

ThreatTrack Security Malware Analysts While Target is still keeping mum on how attackers managed to breach its network and hoover up information belonging to more than 70 million shoppers, we now know that RAM scraping malware was used in the attack.
"We don't know the full extent of what transpired, but what we do know is that there was malware installed on our point-of-sale registers. That much we've established," Target CEO Gregg Steinhafel said in an interview with CNBC discussing the recent breach. The company initially said payment card information for 40 million people who shopped at one of its retail outlets over the holiday season were compromised. Target said last week that personal information for 70 million people were also stolen, and that any shopper who came to the stores in all of 2013 were at risk.
Unnamed sources told Reuters over the weekend that the malware used in the attack was a RAM scraper. A RAM scraper is a specific type of malware which targets information stored in memory, as opposed to information saved on the hard drive or being transmitted over the network. While this class of malware is not new, security experts say there has been a recent uptick in the number of attacks against retailers using this technique.
Attacking MemoryRAM scrapers look inside the computer's memory to grab sensitive data while it is being processed. Under current Payment Card Industry-Data Security Standard (PCI-DSS) rules, all payment information must be encrypted when it is stored on the PoS system as well as when it is being transferred to back-end systems. While attackers can still steal the data from the hard drive, they can't do anything with it if it is encrypted, and the fact that the data is encrypted while traveling over the network means attackers can't sniff the traffic to steal anything.
This means there is only a small window of opportunity—the instant when the PoS software is processing the information—for attackers to grab the data. The software has to temporarily decrypt the data in order to see the transaction information, and the malware seizes that moment to copy the information from memory.
The rise in RAM-scraping malware can be tied to the fact that retailers are getting better at encrypting sensitive data. "It's an arms race. We throw up a roadblock and the attackers adapt and look for other ways to grab the data," said Michael Sutton, vice-president of security research at Zscaler.
Just Another MalwareIt's important to remember that point-of-sale terminals are essentially computers, albeit with peripherals such as card readers and keypads attached. They have an operating system and run software to handle the sales transactions. They are connected to the network to transfer transaction data to back-end systems.
And just like any other computer, PoS systems can be infected with malware. "Traditional rules still apply," said Chester Wisniewski, a senior security advisor at Sophos. The PoS system can be infected because the employee used that computer to go to a Web site hosting the malware, or accidentally opened up a malicious attachment to an email. The malware could have exploited unpatched software on the computer, or any of the many methods that result in a computer getting infected.
"The less privilege the store workers have on the point-of-sale terminals, the less likely they will get infected," Wisniewski said. Machines that process payments are extra-sensitive and should not allow Web surfing or installation of unauthorized applications, he said.
Once the computer is infected, the malware searches for specific types of data in memory—in this case, credit and debit card numbers. When it finds the number, it saves it to a text file containing the list of all the data it has already collected. At some point, the malware then sends the file—usually over the network—to the attacker's computer.
Anyone Is a TargetWhile retailers are currently a target for memory parsing malware, Wisniewski said any organization handling payment cards would be vulnerable. This type of malware was initially used in the hospitality and education sectors, he said. Sophos refers to RAM scrapers as the Trackr Trojan, and other vendors call them Alina, Dexter, and Vskimmer.
In fact, RAM scrapers aren't specific to just PoS systems. The cyber-criminals can package up the malware to steal data in any situation where the information is usually encrypted, Sutton said.
Visa issued two security alerts in April and August last year warning merchants of attacks using memory-parsing PoS malware. "Since January 2013, Visa has seen an increase in network intrusions involving retail merchants," Visa said in August.
It's not clear how the malware got onto Target's network, but it's clear something failed. The malware wasn't installed on just one PoS system, but on many computers around the country, and "no one noticed," Sutton said. And even if the malware was too new for antivirus to detect it, the fact that it was transferring data out of the network should have raised red flags, he added.
For the individual shopper, not using credit cards is not really an option. This is why it is important to regularly monitor the statements and track all transactions on their accounts. "You have to trust the retailers with your data, but you can also stay vigilant," Sutton said.

No comments:

Post a Comment