Skip to content

Target, Neiman Marcus card data thefts, RAM scraper malware, and you

target-logoData theft from retailers is making the headlines a lot this month, after luxury retailer Neiman Marcus disclosed that it, along with Target, had suffered a major data breach during the holiday shopping season before Christmas. According to media reports, other retailers were targeted too, and the FBI is warning retail stores to be on the lookout for more cyber attacks.

Our experts have been following the story. Over at Naked Security, Paul “Duck” Ducklin reports that the malware used in the Target data breach was loaded into point-of-sale (POS) terminals, where unencrypted credit card numbers were skimmed. From there, the data is whisked off to be sorted into bundles and put up for sale on the black market, and printed onto phony cards used by crooks to buy goods at stores.

RAM scraper malware

After Target’s CEO admitted that the malware behind the massive data breach was found on POS registers in Target stores, Duck explained that POS malware called a RAM scraper scoops up the unencrypted card data during the split-second when it’s vulnerable: while it’s being processed at the register.

“RAM scraping works because payment card data is often also unencrypted in memory (RAM) in the POS register, albeit briefly,” Duck writes at Naked Security.

One of our researchers at SophosLabs, Numaan Huq, has been tracking the development of RAM scraper malware used in credit and debit card data thefts. Numaan writes at Naked Security that this type of malware has been around for a while.

According to our research, RAM scrapers go back as far as 2009, but they have become more sophisticated and professionalized. SophosLabs detects this kind of malware under the family name Trackr (e.g., Troj/Trackr-Gen, Troj/Trackr-A).

“One of the earliest serious POS RAM scraper attacks that we observed was back in November 2011 when we found that a university and several hotels had their POS systems compromised,” Numaan writes. “Later we saw varied targets including an auto dealership in Australia infected with Trackr.”

Credit card risk

After two people in Texas were arrested for using fraudulent credit cards with numbers stolen from the Target financial data breach, some might have felt relief that police had found the bad guys. According to police, two crooks nabbed at the U.S.-Mexican border used cards containing stolen account information from Target shoppers in South Texas to purchase goods at national retailers in the area.

But the two alleged crooks were only pawns in this cyber scheme, the final actors in a scam that starts with a virus planted on a POS register and ends up costing customers in fraudulent charges; and in the case of these two crooks, possibly their freedom. The chess masters behind the scheme will be much harder to track down.

As Chet Wisniewski, Senior Security Advisor at Sophos, explained in an interview with the Associated Press, the hackers who created the malware used in the Target attack are at little risk of being busted. “Keep in mind, it isn’t illegal to write these kind of codes, just to use them,” Chet says. “And selling [malware] is a lot less risky than taking [stolen] cards into an Apple store.”

Keeping safe

It’s a scary thought that anyone who uses a credit card or debit card is at risk of data theft and fraud. However, the same is true of anyone who uses a computer, mobile device, or other connected device.

Our security experts at SophosLabs and Naked Security are always on duty to offer security tips and advice. But one of the best pieces of advice we can give is ever-green: Everyone should follow computer security best practices. And consumers should proactively monitor their accounts so they don’t becomes victims of credit or identity theft.

If you’re interested in learning more about RAM scrapers, watch this space. Chet and Numaan will be delivering a joint paper on the topic at the 2014 RSA security conference in San Francisco in February.

10 Comments

Leave a Reply to What’s the deal with the Home Depot data breach? | Sophos Blog Cancel reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!