A RAM scraping attack is a type of digital attack which implants malware in a point-of-sale (POS) terminal to steal consumer credit card information.
Nowadays, RAM scraping malware is known as a banking trojan.
2. RAM Scraping Malware (POS Malware)
RAM scraping malware is installed in a point-of-sale (POS) terminal to steal consumer credit card information.
It targets Windows-based POS terminals and network hub machines.
Once installed, this threat silently steals customer credit card data by effectively turning the POS machine's own card reader into a virtual credit card skimmer.
3. How RAM Scrapers Work
1. Attackers install these RAM scrapers surreptitiously on the point-of-sale systems used to scan and process credit and debit card transactions.
2. A credit card contains two sets of information:
a) Magnetic stripe: two tracks; track 1 contains the account number, the cardholder's name, the expiration date and other data.
b) CVV number on the back of the card.
3. This data is held in the memory of the POS terminal until it is periodically purged.
4. How RAM Scrapers Work (continued)
4. The RAM scraper targeting the POS terminal gets this unencrypted data.
5. It checks the running processes on the POS system for the card-processing process, e.g.:
Pos.exe
Pos32.exe
6. It takes a memory dump of these processes.
6. Recommendations
PoS system operators should follow security best practices to improve their overall system security posture. A few tips are provided below.
HARDWARE BASED
Install, ideally, multitier hardware firewalls to protect networks.
Deploy breach detection systems (BDSs) to detect targeted attacks.
Deploy intrusion detection and prevention systems (IDPSs) to scan inbound and outbound traffic.
Incorporate two-factor authentication for remote network access among employees, administrators, and third parties.
Implement point-to-point encryption.
7. Recommendations
SOFTWARE BASED
Install, ideally, multitier software firewalls to protect networks.
Change default passwords, configurations, and encryption keys. Use strong passwords.
Eliminate unnecessary ports, accounts, services, scripts, drivers, features, subsystems, file systems, Web servers, and protocols.
If remote access is not required, disable it.
Implement point-to-point encryption.
Encrypt communications between applications and data.
Deploy the latest version of OSs and regularly apply patches.
Regularly apply updates to installed software.
Restrict access to the Internet on PoS systems.
Put a mechanism in place to identify if and when system components change.
Set up PoS systems to automatically reimage every 24 hours.
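The recommendation to identify if and when system components change can be implemented as a simple integrity baseline: hash every file in the PoS software directory, store the hashes, and compare later runs against them. The following script is an added example, not code from the original slides or from any listed product; the directory contents, file names and the "dropped file" it detects are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its SHA-256 hash."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed PoS directory: take a baseline, then simulate tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "pos.exe").write_bytes(b"constructed POS binary")      # hypothetical component
        (root / "config.ini").write_text("port=9100\n")                # hypothetical config
        baseline = build_baseline(root)
        # Simulate an unknown executable appearing and a config file being altered.
        (root / "unknown_service.exe").write_bytes(b"constructed dropped file")
        (root / "config.ini").write_text("port=9100\ndebug=1\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    # In practice, persist the baseline (e.g. as JSON) off-host and run the
    # comparison on a schedule or before each daily reimage.
    print(json.dumps(demo(), indent=2))
```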
8. Recommendations
POLICY BASED
Enforce strict policies regarding physical PoS system repairs and upgrades.
Routinely delete stored cardholder data.
Restrict access to the Internet on PoS systems.
Implement log and audit trails on PoS systems.
Limit internal physical access to PoS systems.
TOOLS
Trusted Knight Protector
SecureBox by Comodo