1. DEFENDING AGAINST POS RAM
SCRAPERS
Current and Next-Generation Technologies
Numaan Huq
Forward-Looking Threat Research Team
2. TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general
information and educational purposes only. It is not
intended and should not be construed to constitute
legal advice. The information contained herein may
not be applicable to all situations and may not reflect
the most current situation. Nothing contained herein
should be relied on or acted upon without the benefit
of legal advice based on the particular facts and
circumstances presented and nothing herein should
be construed otherwise. Trend Micro reserves the
right to modify the contents of this document at any
time without prior notice.
Translations of any material into other languages
are intended solely as a convenience. Translation
accuracy is not guaranteed nor implied. If any
questions arise related to the accuracy of a
translation, please refer to the original language
official version of the document. Any discrepancies
or differences created in the translation are not
binding and have no legal effect for compliance or
enforcement purposes.
Although Trend Micro uses reasonable efforts to
include accurate and up-to-date information herein,
Trend Micro makes no warranties or representations
of any kind as to its accuracy, currency, or
completeness. You agree that access to and use
of and reliance on this document and the content
thereof is at your own risk. Trend Micro disclaims all
warranties of any kind, express or implied. Neither
Trend Micro nor any party involved in creating,
producing, or delivering this document shall be liable
for any consequence, loss, or damage, including
direct, indirect, special, consequential, loss of
business profits, or special damages, whatsoever
arising out of access to, use of, or inability to use,
or in connection with the use of this document, or
any errors or omissions in the content thereof. Use
of this information constitutes acceptance for use in
an “as is” condition.
CONTENTS
Introduction................................................................................................ii
What We Know About PoS RAM Scrapers so Far............................... 1
How Pos RAM Scrapers Work............................................................. 2
Points of Entry.................................................................................. 2
Lateral Movement............................................................................. 5
Data-Exfiltration Techniques............................................................. 5
How Data Security Standard Compliance Helps Protect Against
PoS RAM Scrapers.............................................................................. 7
PCI DSS........................................................................................... 7
PA DSS............................................................................................. 8
Third-Party Vendor Access Issues.................................................... 9
Defending Against PoS RAM Scrapers.............................................. 10
PoS Defense Model........................................................................ 10
Defensive Technologies and Strategies......................................... 10
Defense Recommendations for Companies................................... 19
Security Strategy Decisions........................................................ 19
Recommendations for Small Businesses................................... 20
Recommendations for Medium-Sized Businesses..................... 21
Recommendations for Enterprises............................................. 22
Will Next-Generation Payment Technologies Help?........................... 23
EMV................................................................................................ 23
Contactless RFID Credit Cards...................................................... 25
Mobile Wallets................................................................................ 26
New Payment-Processing Architectures........................................ 27
Encryption Plus Tokenization...................................................... 27
Secure Element.......................................................................... 28
Conclusion................................................................................................iii
References...............................................................................................iv
3. INTRODUCTION
In light of ongoing data breaches involving the
compromise of point-of-sale (PoS) systems, everyone
is asking two questions—“How do we better protect PoS
systems from attacks?” and “What new technologies
are being introduced to better protect them?”
Stealing payment card data has become an everyday
crime that yields quick monetary gains. Attackers aim
to steal data stored in the magnetic stripe of payment
cards, optionally clone the cards, and run charges
on the accounts associated with them. In the past,
attackers physically skimmed payment cards. [1] Today,
they have resorted to using malicious software to steal
payment card data, primarily from credit cards. They
found low-hanging fruits for grabs within the layered
payment card security framework—unencrypted credit
card data. They prey on vulnerable systems and
networks to get inside their targets’ networks. They
even compromise the networks of third-party vendors
who have access to better secured partner networks.
This research paper discusses how PoS RAM scrapers
infect systems and exfiltrate stolen data; provides
a list of defense technologies and strategies against
the threat, along with recommendations for small
businesses and medium and large enterprises; and
new technologies that PoS system vendors and credit
card brands are introducing to protect businesses and
consumers.
32. CONCLUSION
So what does the future hold for PoS RAM scraper
attacks?
As PoS RAM scrapers become more prominent threats,
big businesses will heavily invest in cybersecurity
to prevent attacks against their PoS environments.
Attackers will thus refocus on SMBs, as these may
not necessarily have the cybersecurity budgets that
enterprises have to prevent PoS system breaches. We
expect to see more SMBs get compromised, which will
collectively be a bigger breach than compromising a
few enterprises.
The rollout of new measures such as EMV and PCI
DSS ver. 3.0 compliance standards will significantly
change the PoS playing field for attackers. In the United
States, these measures are scheduled to come into
full effect by October this year. If there is a successful
nationwide rollout of the new measures, there will be a
decline in the number of PoS-related data breaches. As
businesses upgrade to new secure payment systems,
attackers will attempt to come up with new strategies
against improved systems and environments. It will
take attackers several months, possibly well into 2016,
before they can figure out how to breach upgraded
PoS environments.
In the meantime, attackers will find new ways to breach
the security of target companies via third-party vendors
who have access to their corporate networks. Third-
party vendors will be the weakest link in the chain
because they may not necessarily have the same level
of security as their corporate customers. PCI DSS ver.
3.0 compliance standards aim to strengthen third-party
vendors’ security requirements to minimize the risks
they pose to their corporate customers.
New payment technologies and compliance standards
aim to stop PoS system breaches. Their complete
deployment will successfully prevent a majority of the
PoS system attacks. But because easy money making
is involved, it is safe to assume that attackers will figure
out new breach strategies to compromise the security
of systems, businesses, and consumers. To date,
Bob Russo’s Statement for the Record, “Our work is
broad for a simple reason: there is no single answer
to securing payment card data. No one technology is
a panacea; security requires a multilayer approach
across the payment chain,” remains true. [66]
33. REFERENCES
[1] Brian Krebs. (10 October 2013). Krebs on Security. “Nordstrom
Finds Cash Register Skimmers.” Last accessed on 22 August 2014,
http://krebsonsecurity.com/2013/10/nordstrom-finds-cash-register-
skimmers/.
[2] ISO. (2014). ISO. “ISO/IEC 7813:2006: Information Technology—
Identification Cards—Financial Transaction Cards.” Last accessed
on 19 August 2014, http://www.iso.org/iso/home/store/catalogue_tc/
catalogue_detail.htm?csnumber=43317.
[3] Visa Inc. (2008). “Visa Data Security Alert: Debugging Software –
Memory Parsing Vulnerability.” Last accessed August 18, 2014, http://
usa.visa.com/download/merchants/debugging_software_memory.pdf.
[4] Numaan Huq. (September 2014). Trend Micro Security Intelligence.
“PoS RAM Scraper Malware: Past, Present, and Future.” Last accessed
on 11 December 2014, http://www.trendmicro.com/cloud-content/us/
pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.
pdf.
[5] Sara Peters. (4 September 2014). Dark Reading. “Backoff Not to Blame
for Goodwill Breach.” Last accessed on 17 February 2015, http://
www.darkreading.com/backoff-not-to-blame-for-goodwill-breach/d/d-
id/1306963.
[6] Sara Peters. (4 September 2014). Dark Reading. “Backoff Not to Blame
for Goodwill Breach.” Last accessed on 26 February 2015, http://
www.darkreading.com/backoff-not-to-blame-for-goodwill-breach/d/d-
id/1306963.
[7] Brian Krebs. (7 September 2014). Krebs on Security. “Home Depot Hit
by Same Malware as Target.” Last accessed on 11 December 2014,
http://krebsonsecurity.com/2014/09/home-depot-hit-by-same-malware-
as-target/.
[8] Jonathan Leopando. (9 September 2014). TrendLabs Security
Intelligence Blog. “Home Depot Breach Linked to BlackPOS Malware.”
Last accessed on 17 February 2015, http://blog.trendmicro.com/
trendlabs-security-intelligence/home-depot-breach-linked-to-blackpos-
malware/.
[9] Numaan Huq. (4 December 2014). TrendLabs Security Intelligence
Blog. “Planes, Trains, and Automobiles—Are You Safe from PoS
Malware Anywhere?” Last accessed on 11 December 2014, http://
blog.trendmicro.com/trendlabs-security-intelligence/planes-trains-
automobiles-are-you-safe-from-pos-malware-anywhere/.
[10] Anthony Joe Melgarejo. (27 November 2014). TrendLabs Security
Intelligence Blog. “New PoS Malware Kicks Off Holiday Shopping
Weekend.” Last accessed on 17 February 2015, http://blog.trendmicro.
com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-
shopping-weekend/.
34. [11] Eduard Kovacs. (3 December 2014). Security Week. “New ‘LusyPOS’
Malware Uses Tor for C&C Communications.” Last accessed on 17
February 2015, http://www.securityweek.com/new-lusypos-malware-
uses-tor-cc-communications.
[12] PC World. “New Point-of-Sale Malware on Underground Markets for
$2,000.” Last accessed on 11 December 2014, http://www.pcworld.com/
article/2854092/new-pointofsale-malware-on-underground-markets-
for-2000.html.
[13] Jim Gogolinski. (9 December 2014). TrendLabs Security Intelligence
Blog. “Insider Threats 101: The Threat Within.” Last accessed on
17 December 2014, http://blog.trendmicro.com/trendlabs-security-
intelligence/insider-threats-101-the-threat-within/.
[14] Trend Micro Incorporated. (2015). Trend Micro Security Intelligence.
“Magnified Losses, Amplified Need for Cyber-Attack Preparedness:
TrendLabs 2014 Annual Security Roundup.” Last accessed on 25
February 2015, http://www.trendmicro.com/cloud-content/us/pdfs/
security-intelligence/reports/rpt-magnified-losses-amplified-need-for-
cyber-attack-preparedness.pdf.
[15] PCI Security Standards Council. “About Us.” PCI Security Standards
Council. Last accessed on 18 December 2014, https://www.
pcisecuritystandards.org/organization_info/index.php.
[16] Trend Micro Incorporated. (2013). Trend Micro Security Intelligence.
“Lateral Movement: How Do Threat Actors Move Deeper into Your
Network?” Last accessed on 16 December 2014, http://about-
threats.trendmicro.com/cloud-content/us/ent-primers/pdf/tlp_lateral_
movement.pdf.
[17] PCI Security Standards Council. (October 2010). “Payment Card
Industry (PCI): Payment Application Data Security Standard.” Last
accessed on 18 December 2014, https://www.pcisecuritystandards.org/
documents/pa-dss_v2.pdf.
[18] Margaret Rouse. (2015). TechTarget. “PA-DSS (Payment Application
Data Security Standard).” Last accessed on 18 December 2014, http://
searchsecurity.techtarget.com/definition/PA-DSS-Payment-Application-
Data-Security-Standard.
[19] PCI Security Standards Council. (7 November 2013). “PCI Council
Publishes PCI DSS and PA DSS Ver. 3.0.” Last accessed on 18
December 2014, https://www.pcisecuritystandards.org/pdfs/13_11_06_
DSS_PCI_DSS_Ver._3_0_Press_Release.pdf.
[20] IBM. (2015). IBM Knowledge Center. “Addressing the PCI Data
Security Standard Within WebSphere Commerce.” Last accessed on
20 February 2015, http://www-01.ibm.com/support/knowledgecenter/
SSZLC2_7.0.0/com.ibm.commerce.pci.doc/concepts/csepcireqs.htm.
[21] PCI ComplianceGuide.org. (2014). PCI ComplianceGuide.org.
“PCI FAQs.” Last accessed on 17 December 2014, https://www.
pcicomplianceguide.org/pci-faqs-2/.
[22] DalPay. (2015). DalPay. Last accessed on 18 February 2015, https://
www.dalpay.com/en/support/card_security_code.html.
[23] John Leyden. (17 December 2014). The Register. “Can’t Stop Home-
Depot-Style Card Pwning, but Suppliers Will Feel PCI Regulation
Pain.” Last accessed on 18 December 2014, http://www.theregister.
co.uk/2014/12/17/pci_revamp_after_target_home_depot_breach/.
[24] Brian Prince. (14 January 2015). Security Week. “Park ʼN Fly Confirms
Data Breach Impacting E-Commerce Customers.” Last accessed on 18
35. February 2015, http://www.securityweek.com/park-n-fly-confirms-data-
breach-impacting-e-commerce-customers.
[25] Troy Leach and Christopher Strand. (23 December 2014). Dark Reading.
“How PCI DSS 3.0 Can Help Stop Data Breaches.” Last accessed on
6 January 2015, http://www.darkreading.com/risk/compliance/how-pci-
dss-30-can-help-stop-data-breaches/a/d-id/1318306.
[26] QuinStreet Inc. (2105). Webopedia. “ACL—Access Control List.” Last
accessed on 31 December 2014, http://www.webopedia.com/TERM/A/
ACL.html.
[27] NSS Labs Inc. (8 November 2012). “NSS Labs Announces Analyst
Coverage and New Group Test for Breach Detection Systems.” Last
accessed on 31 December 2014, https://www.nsslabs.com/news/press-
releases/nss-labs-announces-analyst-coverage-and-new-group-test-
breach-detection-systems.
[28] Michael Kassner. (12 August 2013). TechRepublic. “Breach Detection
Systems Take Aim at Targeted Persistent Attacks.” Last accessed on 19
February 19, 2015, http://www.techrepublic.com/blog/it-security/breach-
detection-systems-take-aim-at-targeted-persistent-attacks/.
[29] TechTarget. (2015). WhatIs.com. “Data Loss Prevention (DLP).” Last
accessed on 19 February 2015, http://whatis.techtarget.com/definition/
data-loss-prevention-DLP.
[30] Meg Coffin Murray. (2010). Journal of Information Technology Education.
“Database Security: What Students Need to Know.” Last accessed
on 19 February 2015, http://jite.org/documents/Vol9/JITEv9IIPp061-
077Murray804.pdf.
[31] Privacy Rights Clearinghouse. (2015). PRC. “Chronology of Data
Breaches.” Last accessed on 5 January 2015, https://www.privacyrights.
org/data-breach/new.
[32] Trend Micro Incorporated. (2015). Trend Micro. “Device Control.” Last
accessed on 31 December 2014, http://docs.trendmicro.com/all/ent/
officescan/v10.0/en-us/osce_10.0_olhsrv/osceag/osceag-scan/device_
control.htm.
[33] Margaret Rouse. (November 2014). TechTarget. “Encryption.” Last
accessed on 19 February 2015, http://searchsecurity.techtarget.com/
definition/encryption.
[34] Margaret Rouse. (January 2012). TechTarget. “Endpoint Security
Management.” Last accessed on 31 December 2014, http://
searchconsumerization.techtarget.com/definition/endpoint-security-
management.
[35] Infosec Institute. (18 July 2014). Infosec Institute. “File Integrity
Monitoring (FIM) and PCI DSS.” Last accessed on 19 February 2015,
http://resources.infosecinstitute.com/file-integrity-monitoring-fim-pci-
dss/.
[36] Vangie Beal. (2015). Webopedia. “Firewall.” Last accessed on 19
February 2015, http://www.webopedia.com/TERM/F/firewall.html.
[37] SANS Institute. (2004). SANS Institute InfoSec Reading Room.
“Understanding IPS and IDS: Using IPS and IDS Together for Defense
in Depth.” Last accessed on 19 February 2015, https://www.sans.org/
reading-room/whitepapers/detection/understanding-ips-ids-ips-ids-
defense-in-depth-1381.
[38] Education Portal. (2015). Education Portal. “Network Security Specialist:
Job Description and Requirements.” Last accessed on 3 January 2015,
http://education-portal.com/articles/Network_Security_Specialist_Job_
36. Description_and_Requirements.html.
[39] Frank Ohlhorst. (1 March 2013). Information Week. “Next-Generation
Firewalls 101.” Last accessed on 19 February 2015, http://www.
networkcomputing.com/careers-and-certifications/next-generation-
firewalls-101/a/d-id/1234097?.
[40] Margaret Rouse. (June 2014). TechTarget. “Unified Threat
Management (UTM).” Last accessed on 19 February 2015, http://
searchmidmarketsecurity.techtarget.com/definition/unified-threat-
management.
[41] Andrew Plato. (25 September 2012). Anitian Blog. “UTM V NGFW—A
Single Shade of Grey.” Last accessed on 31 December 2014, https://
blog.anitian.com/utm-v-ngfw-a-single-shade-of-gray/.
[42] Sam Erdheim. (19 February 2013). Algosec. “State of the Firewall—
UTM Vs. NGFW.” Last accessed on 31 December 2014, http://blog.
algosec.com/2013/02/state-of-the-firewall-utm-vs-ngfw.html.
[43] Brian Reed. (30 January 2012). Firewalls.com. “UTM Firewalls Versus
Next-Generation Firewalls.” Last accessed on 31 December 2014,
http://www.firewalls.com/blog/utm_firewall_vs_ng_firewall/.
[44] Jason M. Ragland. (8 January 2015). The University of Texas
at Austin. “Windows 2008R2 Server Hardening Checklist.” Last
accessed on 31 December 2014, https://wikis.utexas.edu/display/ISO/
Windows+2008R2+Server+Hardening+Checklist.
[45] TechTarget. (April 2013). WhatIs.com. “Virtual Patching.” Last accessed
on 31 December 2014, http://whatis.techtarget.com/definition/virtual-
patching.
[46] Margaret Rouse. (May 2011). TechTarget. “Pen Test (Penetration
Testing)” Last accessed on 2 January 2015, http://searchsoftwarequality.
techtarget.com/definition/penetration-testing.
[47] Margaret Rouse. (December 2014). TechTarget. “Security Information
and Event Management (SIEM).” Last accessed on 19 February 2015,
http://searchsecurity.techtarget.com/definition/security-information-and-
event-management-SIEM.
[48] Margaret Rouse. (September 2005). TechTarget. “Two-Factor
Authentication (2FA).” Last accessed on 3 January 2015, http://
searchsecurity.techtarget.com/definition/two-factor-authentication.
[49] Margaret Rouse. (October 2014). TechTarget. “Virtual Machine.” Last
accessed on 19 February 2015, http://searchservervirtualization.
techtarget.com/definition/virtual-machine.
[50] Tom Gara. (6 February 2014). The Wall Street Journal. “October 2015:
The End of the Swipe-and-Sign Credit Card.” Last accessed on 13
January 2015, http://blogs.wsj.com/corporate-intelligence/2014/02/06/
october-2015-the-end-of-the-swipe-and-sign-credit-card/.
[51] Robin Sidel. (4 January 2015). The Wall Street Journal. “Why New
Credit Cards May Fall Short on Fraud Control.” Last accessed on 13
January 2015, http://www.wsj.com/articles/why-new-credit-cards-may-
fall-short-on-fraud-control-1420423917.
[52] Home Depot. (6 November 2014). FAQs. “November 6th Email
Announcement.” Last accessed on 14 January 2015, https://corporate.
homedepot.com/MediaCenter/Documents/FAQs.pdf.
[53] Lysa Myers. (3 April 2014). WeLiveSecurity. “What Is EMV, and Why Is
It Such a Hot Topic?” Last accessed on 14 January 2015, http://www.
welivesecurity.com/2014/04/03/what-is-emv-and-why-is-it-such-a-hot-
37. topic/.
[54] Brian Krebs. (14 October 2014). Krebs on Security. “‘Replay’ Attacks
Spoof Chip Card Charges.” Last accessed on 14 January 2015, http://
krebsonsecurity.com/2014/10/replay-attacks-spoof-chip-card-charges/.
[55] Steven Murdoch, Saar Drimer, Ross Anderson, and Mike Bond. (25 July
2014). “Chip and PIN Is Broken.” Last accessed on 14 January 2015,
http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf.
[56] Level_admin. (31 January 2011). Level2Kernel Blog. “Contactless Card
Payment Specifications.” Last accessed on 14 January 2015, http://
blog.level2kernel.com/contactless-card-payment-specifications/.
[57] Andy Greenberg. (30 January 2012). Forbes. “Hacker’s Demo Shows
How Easily Credit Cards Can Be Read Through Clothes and Wallets.”
Last accessed on 15 January 2015, http://www.forbes.com/sites/
andygreenberg/2012/01/30/hackers-demo-shows-how-easily-credit-
cards-can-be-read-through-clothes-and-wallets/.
[58] NFC Admin. (2 April 2012). Near Field Communication and Mobile
Technology Provided by Professionals. “How to Read a Contactless
Credit Card Such as Visa payWave or MasterCard PayPass.” Last
accessed on 15 January 2015, http://www.nfc.cc/2012/04/02/android-
app-reads-paypass-and-paywave-creditcards/.
[59] Forthwrite Media SARL and NFC Times. (2013). NFC Times. “Japan:
DoCoMo Drives Nationwide Rollout of Contactless Wallet Phones.”
Last accessed on 15 January 2015, http://nfctimes.com/project/japan-
docomo-drives-nationwide-rollout-contactless-wallet-phones.
[60] Smart Card Alliance. (2015). Smart Card Alliance. “NFC Frequently
Asked Questions.” Last accessed on 15 January 2015, http://www.
smartcardalliance.org/publications-nfc-frequently-asked-questions/.
[61] Sharon Profis. (5 September 2014). CNET. “Everything You Need
to Know About NFC and Mobile Payments.” Last accessed on 15
January 2015, http://www.cnet.com/how-to/how-nfc-works-and-mobile-
payments/.
[62] Smart Card Alliance. (October 2014). “Technologies for Payment Fraud
Prevention: EMV, Encryption, and Tokenization.” Last accessed on 15
January 2015, http://www.smartcardalliance.org/wp-content/uploads/
EMV-Tokenization-Encryption-WP-v51-102414-FINAL-clean.pdf.
[63] Eurotechnology Japan. (18 September 2014). Eurotechnology Japan.
“ApplePay Vs. Osaifu-Keitai.” Last accessed on 15 January 2015, http://
www.eurotechnology.com/2014/09/18/applepay-vs-osaifu-keitai-cnbc/.
[64] Intel Corporation. (October 2014). Intel. “Intel Data ProtectionTechnology
for Transactions.” Last accessed on 17 January 2015, http://www.
intel.com/content/www/us/en/embedded/technology/security/secure-
payment-transactions/overview.html.
[65] Intel Corporation. (October 2014). Intel. “Video: Intel Data Protection
Technology for Transactions.” Last accessed on 17 January 2015, http://
www.intel.com/content/www/us/en/embedded/technology/security/
secure-payment-transactions/overview-video.html.
[66] Bob Russo. (4 March 2014). “Statement for the Record: Can
Technology Protect Americans from International Cybercriminals?”
Last accessed on 14 January 2015, https://www.pcisecuritystandards.
org/pdfs/PCI_-_House_Science_Committee_Testimony_%28Bob_
Russo%29_3-4-14_-_Final.pdf.