Today, news broke of yet more large-scale credit-card breaches at big-box stores, this time at Albertson's and Supervalu, grocery chains in the American west.
The breaches follow in the wake of other recent breaches at Target and Home Depot, all of which have one thing in common—the stealth tool the thieves used to steal the valuable card data.
In the world of hacking, every malicious tool has its heyday—that period when it rules the underground forums and media headlines and is the challenger keeping computer security pros on their toes.
Viruses and worms have each had their day in the spotlight. Remote-access Trojans, which allow a hacker to open and maintain a secret backdoor on infected systems, have had their reign as well. These days, though, point-of-sale RAM scrapers are what's making the news.
Attackers installed these RAM scrapers surreptitiously on the point-of-sale systems used to scan and process credit and debit card transactions at Albertson's and Supervalu. The tools make it easy to steal card numbers by the millions as they pass through the system.
RAM scrapers—used recently in the Target and Home Depot breaches to net the hackers data on more than 100 million bank cards collectively—are not new. VISA issued a warning to retailers about their use in 2008. But they've become increasingly sophisticated and efficient at stealing massive caches of cards. They've also become more ubiquitous as developer kits for building them—from a starter stub that is easily customized from a menu of features—have pushed scrapers into the mainstream and made them accessible to a wider swath of hackers. Need something to exfiltrate data from your victim's network to a server in Minsk? Check. Want a turnkey solution for managing your command-and-control server in Mumbai? The kits have got that covered, too.
RAM scrapers can be installed remotely on a Big-Box retailer's network and deployed widely to dozens of stores in a franchise.
There are more than a dozen RAM scrapers sold in the underground market these days. There's Dexter, Soraya, ChewBacca and BlackPOS to name a few. The latter gained notoriety for its starring role in the Target breach last year. Though all RAM scrapers operate in basically the same way, each comes with different features to distinguish them, as described in a recent TrendMicro report (.pdf) about the tools.
The Dexter scraper, for example, comes with a keystroke logger in addition to its card-stealing code so attackers can also steal valuable log-in credentials and proprietary secrets. ChewBacca opens a Tor connection from the victim's network to surreptitiously exfiltrate stolen data to the attacker's command server, which gets hosted at a Tor hidden services onion address.
RAM scrapers aren't the only tool for stealing card data, however. Skimmers that get installed on card readers at ATMs, gas stations and other payment terminals are still popular for grabbing card data and PINs. But these require an attacker to have physical access to the reader to install and retrieve the device, raising the risk that the attacker or his accomplices will get caught. RAM scrapers, by contrast, can be installed remotely on a Big Box retailer's network and deployed widely to dozens of stores in a franchise, without an attacker ever leaving his computer. They can also be deleted remotely to erase crucial evidence of the crime.
Security researchers first began seeing RAM scrapers in the wild in late 2007 after a set of standards known as the Payment Application Data Security Standard was implemented for card readers. The standards prohibited what was then a widespread practice of storing credit card data on point-of-sale terminals long after purchasing transactions were completed. The new standard, coupled with other changes stores made to transmit card data more securely, forced hackers to find alternative ways to grab the card data before it was secured. This turned out to be the random access memory in the point-of-sale systems. Here's a primer on how card systems and the scrapers works.
How Card Transactions Work
To process credit and debit card purchases, small restaurants and retailers use a card processor, a third-party company like Heartland Payment Systems, that receives the card data from retailers and sends it to the proper bank for authorization. Large retail and grocery chains that collect a lot of card transactions, however, act as their own processor: In their case, card transactions from each store in the chain get sent to a central processor on the corporate network, where the data is aggregated and routed to the proper destination for authorization.
Any business that allows customers to pay with a credit or debit card is also required to adhere to another set of standards known as the PCI security standards. Established by the top players in the payment card industry—VISA, MasterCard, Discover, American Express and JCB International—the standards require businesses to encrypt credit and debit card data any time it's stored on a business's network or crosses the public internet. The standards don't require companies to encrypt card data while it's in transit on the company's own network or as it's sent to an external processing company as long as the data is transmitted over a private network. But smart companies do secure these internal channels anyway to prevent intruders on their internal network from sniffing the data as it travels.
But even when companies encrypt data on their internal network, there are moments in the transaction process when the card data is exposed. During a brief period after the cards are first scanned, the account number and accompanying data sit in the POS system's memory unencrypted while the system determines where to send it for authorization. That's where the RAM scraper comes in.
Infecting a POS System
Getting a RAM scraper onto a point-of-sale system can be tricky. In some cases cyber criminals infect the systems via a phishing attack that gets employees of the retailer to click on a malicious file or visit a web site where malware is silently installed on their system. Once inside an employee's computer and inside the corporate network, the attackers can often work their way to the payment network, sniffing around for an administrator's credentials that will give them access to the prized network.
In some cases, the malware is installed with the help of an insider or via a backdoor left unsecured, as in the case of the hack of Jimmy John's restaurants. Something similar happened in Target's case, when the thieves reportedly got into the corporate network through credentials used by a heating and air conditioning firm that had access to a part of Target's network for billing purposes. From there, the attackers found their way into the payment network to install their scraper.
RAM scrapers can do a number of things to hide on a system and prevent their discovery. Some use custom packers to reduce their footprint and make it harder for antivirus scanners to examine their code. Some inject themselves into existing processes running on the network so that their malicious activity is obscured by the other process's legitimate activity.
How RAM Scrapers Work
Once on a targeted system, RAM scrapers work by examining the list of processes that are running on the system and inspecting the memory for data that matches the structure of credit card data, such as the account number, expiration date, and other information stored on a card's magnetic stripe. Some scrapers are efficient and grab only the golden numbers the attackers seek; others are more sloppy and grab a lot of dirt with their gold.
The scrapers usually encrypt and store the stolen data somewhere on the victim's network until the attackers can retrieve it remotely. Or they can program their scraper to send the encrypted data automatically over the internet at regular intervals, passing it through various proxy servers before it reaches its final destination.
This is how the Target attackers got their data. The intruders entered Target's network on November 27 last year, the day before Thanksgiving, and spent the next two weeks gorging on unencrypted credit and debit card data before the company discovered their presence.
The BlackPOS tool used in the Target breach can send stolen data to an FTP server, but it also comes with a built-in email client that can email data to the attackers. In the Target breach, it stored the stolen data in a text file on a Target system, then waited seven hours before copying it to a compromised server on the same network and sending it on to a remote FTP server outside the network. Exfiltrating batches of data in this way can be detected with the right tools in place, and in the case of Target it was detected. Six months before the breach, the company had installed a $1.6 million malware detection system that worked exactly as planned when the intruders began stealing their loot. It even issued multiple alerts for Target's security staff. But the security staff simply ignored them.
Given the spectacular success of RAM scrapers at stealing data from even the largest retail chains, the tools would seem to be unstoppable. But they're not.
RAM scrapers could be rendered obsolete if the PCI standards were modified to require companies to encrypt card data at the keypad, in the way PINs are already required to be encrypted—that is, from the moment they're entered on a keypad at a restaurant or grocery store, until the moment they arrive to a bank issuer for authorization. The data identifying the card issuer could then be decrypted when it reaches the processor to determine where to route the data for authorization, but the card account number and expiration would remain encrypted until it reaches the issuer. This would require new protocols be written for transmitting the data, however, since most card processors are not currently equipped to decrypt data in this way.
Another solution would be the adoption of EMV cards. Also known as "chip-and-PIN" cards, EMV cards have an embedded microchip that authenticates the card as a legitimate bank card to prevent hackers from embossing stolen card data onto blank cards to use it for fraudulent transactions. The chip contains the same data that traditionally is stored on a card's magnetic stripe, but also has a certificate used to digitally sign each transaction. Even if a thief steals the card data, he can't generate the code needed for a transaction without the certificate. EMV cards are already implemented widely in Europe and Canada, but roll out in the U.S. has been slow. To pressure U.S. companies into installing card readers needed to process EMV cards securely, VISA has announced a deadline of October 1, 2015. Any company that doesn't have EMV readers in place by then could face liability for fraudulent transactions that occur with card data stolen from them.
Another antidote to RAM scrapers could turn out to be Apple Pay. If Apple's new mobile payment system becomes widely adopted, it could dramatically reduce the number of cards scanned and processed in the traditional way, thereby limit the amount of card data a RAM scraper could grab. Apple Pay stores the card data in the iPhone's Passbook and submits only a device ID and a one-time transaction code to the merchant to authorize a payment, thereby never giving the merchant a card number. Though thieves could still go after the card data, they'd have to compromise it at its source—in the iPhone itself. But this would require compromising individual iPhones to get one or two card numbers at a time, rather than compromising one source to get millions of card numbers in a single hit.