RAM Scrapers

A new flavor of malware is aiming at grabbing valuable data from memory in point-of-sale systems

The Verizon Business Data Breach Investigation Report has included RAM scrapers in a recent list of the top data breach attack vectors, which has prompted discussion about how much of a threat they pose.

A RAM scraper is identified in the report as a piece of customized malware created to grab credit card, PIN, and other confidential information out of a system’s volatile random access memory. The RAM-scraping breaches in Verizon’s report occurred in point-of-sale (POS) servers. RAM scraping is not really new, but Verizon flagged the emergent threat trend in POS devices as a tactical change.

Data in RAM is often easier to grab than data at the reader or on the computer’s hard disk. Current PCI compliance standards require the end-to-end encryption of sensitive payment card data when being transmitted, received, or stored. Unencrypted credit card data may still be exposed during processing, remaining resident in the POS device’s RAM for a period of time. That’s where the malware can capture the strings related to card identifiers rather than performing bulk data grabs, reducing the likelihood of detection.

One of the incidents Verizon Business’s RISK Team investigated was discovered as a result of a spike in credit card fraud reports coming from a casino: The RAM scraper itself wasn’t detected on the server.  The scraper dumped the card data to a file named dumper.dll in a Windows system subdirectory, where it waited for backdoor access and retrieval.

POS RAM scrapers enter systems that are either insufficiently protected, such as those that use default credentials, or that get compromised by trusted partners, according to the Verizon report. RAM scrapers are typically a secondary infection agent, most often installed after a system has been compromised using some other primary attack method. Backdoor access and command/control agents are common features of RAM scraper attacks. Because this malware is typically customized for each attack, its signatures are less likely to be recognized by antivirus software.

The best way to detect a RAM scraper is via regular traffic and critical file monitoring and log analysis. Here are 10 tips for protecting against malware in general and RAM scraping in particular, gleaned from the report:

  1. Make use of hardware AND software firewalls.
  2. Install and maintain antivirus software.
  3. Perform regular system maintenance, patching, logging, and complete reviews of POS systems.
  4. Regularly confirm the integrity of your intrusion detection systems.
  5. Monitor file integrity. Malware files will often try to attach to real processes or system files.
  6. Monitor disk activity and watch out for file creation in system and temporary subfolders.
  7. There is absolutely no excuse for default credentials on ANY computer, much less systems that process financial transactions.
  8. Bear in mind that end-to-end encryption doesn’t always include the clear-data processes happening at the end-points.
  9. Deny, if possible, admin-level credentials to POS and POS support vendors and reset vendor credentials and settings.
  10. Minimize and test data persistence in memory. Just because the specs say data persists for a millisecond doesn’t make it true.
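
Tips 5 and 6 applied to the casino incident above, where card data was staged in a file named dumper.dll: the following is an added example, not taken from the Verizon report, that sweeps a directory tree for files whose executable extension does not match a PE header or that contain Luhn-valid card-number strings. The extension list, the 4 MiB read cap and all function names are assumptions made for illustration.

```python
import re
from pathlib import Path

# Candidate card numbers: 13-19 ASCII digits, not starting with 0 and not
# embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)[1-9]\d{12,18}(?!\d)")
# Extensions that should only ever hold PE images (assumed list).
EXEC_EXTS = {".dll", ".exe", ".sys", ".ocx"}


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48                      # ASCII digit -> int
        if i % 2 == 1:                   # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect_file(path: Path, max_bytes: int = 4 * 1024 * 1024) -> dict:
    """Check one file for a fake PE extension and count Luhn-valid digit runs."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    hits = sum(1 for m in PAN_RE.finditer(data) if luhn_ok(m.group()))
    return {
        "path": str(path),
        # A .dll that does not begin with the "MZ" DOS header is not a PE image.
        "fake_pe": path.suffix.lower() in EXEC_EXTS and not data.startswith(b"MZ"),
        "pan_hits": hits,                # count only: never log the numbers
    }


def scan_tree(root: Path) -> list:
    """Walk root and return only the files that carry a finding."""
    findings = []
    for p in sorted(root.rglob("*")):
        try:
            result = inspect_file(p) if p.is_file() else None
        except OSError:
            continue                     # locked or unreadable: skip, keep sweeping
        if result and (result["fake_pe"] or result["pan_hits"]):
            findings.append(result)
    return findings
```

Findings carry counts rather than the matched digits, so the scanner's own output never becomes another store of card data.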

While Verizon found POS systems to be at risk of RAM scraping in its report, the technique also lends itself to use against other systems’ volatile memory. You may be surprised at how much data is sitting in the RAM of your network printers, for instance…