RAM Scrapper POS Malware Plaguing U.S. Retailers for Years

Sophos security researchers detail the retail malware threat landscape and explain how Canada has nearly eliminated retail credit card fraud.

security breach

Malware known as "RAM scraper" software routinely infiltrates retail environments and steals information, according to researchers from security firm Sophos.

In a session titled "Buy Candy, Lose Your Credit Card—Investigating POS RAM Scraping Malware" late last month at the RSA Conference, Chester Wisniewski, senior security advisor at Sophos, detailed the current risk landscape for retail malware.

In an interview with eWEEK, Wisniewski noted that when he submitted his topic to the RSA Conference in June 2013, it was well before the disclosures by Target and Neiman Marcus about data breaches. Target first revealed it was the victim of a data breach Dec. 19 and Neiman Marcus disclosed its breach Jan. 13.

Wisniewski said that while the Target and Neiman Marcus breaches have increased the interest in retail malware, including RAM scrapers, the issue has been ongoing for the last several years.

"Looking back five years ago, we didn't see this kind of stuff, as that was when standards like PCI DSS [Payment Card Industry Data Security Standard] were just getting started," Wisniewski said. "In order to steal credit card [information] back then, all you had to do was infect a computer with an everyday regular PC virus and get the excel spreadsheet that had all the information in it."

Wisniewski asserted that five years ago, most organizations did not have proper controls to protect credit card data. Once PCI DSS came into play, security controls making it more difficult for attackers to steal information came in to play. Starting in 2010, Wisniewski said that the first real incident of RAM scraper malware was reported to be attacking credit card data. RAM scraper malware skims through memory on point-of-sale (POS) devices looking for credit card information that it can steal. That information is then encrypted to a file that the attacker is able to access.

In 2011, Wisniewski said that Sophos started seeing RAM scraper malware more commonly in its own security investigations, particularly in the hospitality industry across major hotel chains.


Wisniewski said that he has yet to actually be able to definitely prove how RAM scraper malware gets onto systems. "We believe that, in nearly every instance, it comes in via a phishing email," Wisniewski said. "It's usually a poisoned attachment."

In one case that Sophos investigated, an employee at the hotel chain actually installed the malware after being bribed by an attacker, Wisniewski said. The other common factor in the retail breaches that Sophos has investigated is the use of a Microsoft Windows operating system for payment card transaction processing.

"One of our recommendations is for organizations to move away from using a magnetic stripe reader hooked up to an embedded Windows XP point-of-sale machine," Wisniewski said.

Wisniewski recommends that retailers use POS terminals that connect directly with a payment processor service to solve the malware problem. In his view, RAM scraper malware is not infecting the actual POS terminals, but is infecting the Windows machines they connect with.

With chip and PIN credit cards, payment processing is always done with a payment processor and not a Windows PC, which is also why Wisniewski recommends moving away from magnetic stripes for credit card use in the United States.

Wisniewski noted that in Canada, where he is based, retailers have all shifted to chip and PIN with great results.

"All Canadian retailers have moved to having their point-of -sale terminals communicate directly with the payment processor rather than going through a PC," Wisniewski said. "That has eliminated almost all of the retail card fraud in Canada."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.