POS malware, like RAM scrapers, are used to steal payment card data from POS systems. They work by grabbing card data stored temporarily in RAM during transactions and storing it for later retrieval. Industries like hospitality and retail that rely heavily on POS devices are common targets. To infect many POS systems at once, attackers may compromise a company's POS management server which can then infect systems across locations. Defenses include limiting remote access, enforcing strong passwords, restricting POS system use, and using two-factor authentication.

1. Understanding the POS (Point-of-sale) Malware
POS (Point-of-sale) Malware and payment card data breaches
Payment card data breaches have become an everyday crime. Today’s attackers are using
Point of Sale (POS) malware (different families of POS malware) to steal data from POS
systems. Industries that use POS devices are the obvious a target or victims of these
attacks. Hospitality and retail companies are the top targets, hardly surprising as that’s
where most POS devices are used. But other sectors, such as healthcare, also process
payments and are also at risk.
What is POS Malware and how does it steal payment card data?
POS malware (RAM Scraper) is a memory-scraping tool that grabs card data stored
temporarily in the RAM of a POS system during transactions at point-of-sale terminals, and
stores it on the victim’s own system for later retrieval.
The payment card industry has a set of data security standards to ensure that all companies
that process, store, or transmit credit card information maintain a secure environment
known as PCI-DSS (Payment Card Industry Data Security Standard). These standards
require end-to-end encryption of sensitive payment data when it is transmitted, received or
stored.
This payment data is decrypted in the POS’s RAM for processing, and the RAM is where the
scraper strikes.
For the PCI DSS requirements and overview visit here
POS RAM Scraping
Payment card data structure:
The magnetic stripe on the back of a payment card has three data tracks, but only tracks 1
and 2 are used as defined bythe International Organization for Standardization (ISO)/
International Electro Technical Commission (IEC) 7813
PAN and Luhn:
The data track of payment cards’ content PAN (Primary Account Number) is anywhere
between 16 and 19 digits long and has the following format:
MIII-IIAA-AAAA-AAAC

2. The first six digits are known as the “Issuer Identification Number” (IIN). Its first digit is
called the “Major Industry Identifier” (MII). Major card networks—Visa, MasterCard,
Discover, JCB®, AMEX, and others—all have unique IIN ranges that identify which
institution issued a card. A: Account number can be up to 12 digits, C: Check digit calculate
using the Luhn algorithm. All the valid credit card numbers must pass this Luhn validation
check.
How POS RAM Scraping works
POS RAM Scraper basically uses the regular expression (regex) to search and gather (i.e. to
parse) Tracks 1 and 2 credit card data from the process memory space in RAM. The
following is an example to parse Track1 data:
^%([A-Z])([0-9]{1,19})^([^^]{2,26})^([0-9]{4}|^)([0-
9]{3}|^)([^?]+)?$
The regex may gather some garbage value from the process memory space of RAM
depending on its accuracy. To avoid garbage value parsed by regex, some POS RAM
scrapers implement Luhn validation to check the card data gathered.
When the credit card is swiped in the POS system, the data stored on the card is copied into
the POS software’s process memory space in the RAM temporary for authentication and
processing for transaction of payment.
Here is where the POS RAM Scrapers starts its work: It retrieves the list of processes that
are running on the POS system and searches each process memory for card data. It
searches each and every process’ memory and retrieves Tracks 1 and 2 card data as per the
regex.
POS RAM Scrapers Variants:
The earlier variants of POS RAM Scrapers only included the following basic
functions:-
 Install a malware as a service
 Scan POS system process’s RAM for credit card Track 1 and Track two data
 Dump the results into a text file
 The text file was then probably accessed remotely or manually

3. As the time passes, the POS RAM Scraper is targeting more large organizations and has the
capability of performing the following functions:-
• Networking functions (for exfiltration of stolen card data to remote server using HTTP,
FTP, Tor, etc.)
• Encryption ( encrypt the stolen card data before exfiltrating)
• BOT and Kill Switch operation (can receive the commands from C&C server including
commands for uninstalling the malware)
• Multiple exfiltration techniques
Challenges for the attacker:
The big challenge for attackers in successfully gathering the data is to infect the POS system
with POS malware. There are many techniques that can be used by the attackers to infect
the POS system:
• Insider jobs
• Spamming or Phishing
• Social engineering
• Lateral movement from existing infections
• Vulnerability exploitation
• Abusing PCI DSS noncompliance
• And many other techniques to infect POS systems
Infecting POS Systems:
Today, many organizations using POS systems have branches in different geographic
locations. In these situations, organizations have POS management servers which manage
all POS systems present at different geographic locations.
The main aim of attackers is to compromise this management server from where it can
infect all the POS systems at different geographic locations. The attackers can compromise
this server by understanding the organization’s network structures, finding the weakness
and gaining access to networks by using the weakness. This can be done by using the above
mentioned techniques for infecting POS systems. After gaining access to the network,
attackers establish the communication with the C&C server and will perform the
reconnaissance on the organization’s network and collect the information that will help them
compromise the POS management server. Once they succeed in compromising the POS
management server, they start infecting the POS systems managed by this server.
Attackers will also set backdoors so that a command for removing the malware from POS
systems can be issued by C&C server for removing all the traces of the infection.

4. Prevention steps:
Restrict remote access: Limit remote access into POS systems by third-party companies.
Enforce strong password policies: PCI Compliance Report says that over 25% of
companies still use factory defaults.
Reserve POS systems for POS activities: Do not allow staff to use them to browse the
web, check email, or play games.
Use two-factor authentication: Stronger passwords would reduce the problem, but two-
factor authentication would be better.