Understanding the POS (Point-of-sale) Malware
POS (Point-of-sale) Malware and payment card data breaches
Payment card data breaches have become an everyday crime. Today’s attackers are using Point of Sale (POS) malware (different families of POS malware) to steal data from POS systems. Industries that use POS devices are the obvious a target or victims of these attacks. Hospitality and retail companies are the top targets, hardly surprising as that’s where most POS devices are used. But other sectors, such as healthcare, also process payments and are also at risk.
What is POS Malware and how does it steal payment card data?
POS malware (RAM Scraper) is a memory-scraping tool that grabs card data stored temporarily in the RAM of a POS system during transactions at point-of-sale terminals, and stores it on the victim’s own system for later retrieval.
The payment card industry has a set of data security standards to ensure that all companies that process, store, or transmit credit card information maintain a secure environment known as PCI-DSS (Payment Card Industry Data Security Standard). These standards require end-to-end encryption of sensitive payment data when it is transmitted, received or stored.
This payment data is decrypted in the POS’s RAM for processing, and the RAM is where the scraper strikes.
For the PCI DSS requirements and overview visit here
POS RAM Scraping
Payment card data structure:
The magnetic stripe on the back of a payment card has three data tracks, but only tracks 1 and 2 are used as defined bythe International Organization for Standardization (ISO)/ International Electro Technical Commission (IEC) 7813
PAN and Luhn:
The data track of payment cards’ content PAN (Primary Account Number) is anywhere between 16 and 19 digits long and has the following format:
The first six digits are known as the “Issuer Identification Number” (IIN). Its first digit is called the “Major Industry Identifier” (MII). Major card networks—Visa, MasterCard, Discover, JCB®, AMEX, and others—all have unique IIN ranges that identify which institution issued a card. A: Account number can be up to 12 digits, C: Check digit calculate using the Luhn algorithm. All the valid credit card numbers must pass this Luhn validation check.
How POS RAM Scraping works
POS RAM Scraper basically uses the regular expression (regex) to search and gather (i.e. to parse) Tracks 1 and 2 credit card data from the process memory space in RAM. The following is an example to parse Track1 data:
The regex may gather some garbage value from the process memory space of RAM depending on its accuracy. To avoid garbage value parsed by regex, some POS RAM scrapers implement Luhn validation to check the card data gathered.
When the credit card is swiped in the POS system, the data stored on the card is copied into the POS software’s process memory space in the RAM temporary for authentication and processing for transaction of payment.
Here is where the POS RAM Scrapers starts its work: It retrieves the list of processes that are running on the POS system and searches each process memory for card data. It searches each and every process’ memory and retrieves Tracks 1 and 2 card data as per the regex.
POS RAM Scrapers Variants:
The earlier variants of POS RAM Scrapers only included the following basic functions:-
- Install a malware as a service
- Scan POS system process’s RAM for credit card Track 1 and Track two data
- Dump the results into a text file
- The text file was then probably accessed remotely or manually
As the time passes, the POS RAM Scraper is targeting more large organizations and has the capability of performing the following functions:-
- Networking functions (for exfiltration of stolen card data to remote server using HTTP, FTP, Tor, etc.)
• Encryption (encrypt the stolen card data before exfiltrating)
• BOT and Kill Switch operation (can receive the commands from C&C server including commands for uninstalling the malware)
• Multiple exfiltration techniques
Challenges for the attacker:
The big challenge for attackers in successfully gathering the data is to infect the POS system with POS malware. There are many techniques that can be used by the attackers to infect the POS system:
- Insider jobs
• Spamming or Phishing
• Social engineering
• Lateral movement from existing infections
• Vulnerability exploitation
• Abusing PCI DSS noncompliance
• And many other techniques to infect POS systems
Infecting POS Systems:
Today, many organizations using POS systems have branches in different geographic locations. In these situations, organizations have POS management servers which manage all POS systems present at different geographic locations.
The main aim of attackers is to compromise this management server from where it can infect all the POS systems at different geographic locations. The attackers can compromise this server by understanding the organization’s network structures, finding the weakness and gaining access to networks by using the weakness. This can be done by using the above mentioned techniques for infecting POS systems. After gaining access to the network, attackers establish the communication with the C&C server and will perform the reconnaissance on the organization’s network and collect the information that will help them compromise the POS management server. Once they succeed in compromising the POS management server, they start infecting the POS systems managed by this server.
Attackers will also set backdoors so that a command for removing the malware from POS systems can be issued by C&C server for removing all the traces of the infection.
Restrict remote access: Limit remote access into POS systems by third-party companies.
Enforce strong password policies: PCI Compliance Report says that over 25% of companies still use factory defaults.
Reserve POS systems for POS activities: Do not allow staff to use them to browse the web, check email, or play games.
Use two-factor authentication: Stronger passwords would reduce the problem, but two-factor authentication would be better.
About The Author
Vijay lalwani– Security Analyst at Paladion Network