Top

Journal of Computer Virology and Hacking Techniques

Published in:

26-05-2016 | Original Paper

Evolution and characterization of point-of-sale RAM scraping malware

Author: Ricardo J. Rodríguez

Published in: Journal of Computer Virology and Hacking Techniques | Issue 3/2017

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Credit and debit cards are becoming the primary payment method for purchases. These payments are normally performed in merchant’s in-store systems as known as Point-of-Sale (POS) systems. Since these systems handle payment card data while processing the customer transactions, they are becoming a primary target for cybercriminals. These data, when remain at memory, are scraped and exfiltrated by specially crafted malicious software named POS RAM scraping malware. In recent years, large data breaches occurred in well-known US retail companies were caused by this kind of malware. In this paper, we study the features of these malware based on their behavior on different stages: infection and persistence, process and data of interest search, and exfiltration. Then, we classify samples of 22 known POS RAM scraping malware families from 2009 to 2015 according to these features. Our findings show these malware are still immature and use well-defined behavioral patterns for data acquirement and exfiltration, which may make their malicious activity easily detectable by process and network monitoring tools.

previous article MalwareHunt: semantics-based malware diffing speedup by normalized basic block memoization

next article Impeding behavior-based malware analysis via replacement attacks to malware specifications

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

See https://msdn.microsoft.com/en-us/library/windows/desktop/ms684839(v=vs.85).aspx for details.

Adida, B., Bond, M., Clulow, J., Lin, A., Murdoch, S., Anderson, R., Rivest, R.: Phish and chips. In: Christianson, B., Crispo, B., Malcolm, J., Roe, M. (eds.) Proceedings of the 14th International Workshop on Security Protocols. Lecture Notes in Computer Science, vol. 5087, pp. 40–48. Springer, Berlin (2009). doi:10.1007/978-3-642-04904-0_7

Anderson, R., Murdoch, S.J.: EMV: why payment systems fail. Commun. ACM 57(6), 24–28 (2014). doi:10.1145/2602321 CrossRef

Bodhani, A.: Turn on, log in, checkout. Eng. Technol. 8(3), 60–63 (2014). doi:10.1049/et.2013.0308 CrossRef

Bond, M., Choudary, O., Murdoch, S., Skorobogatov S, Anderson, R.: Chip and skim: cloning EMV cards with the pre-play attack. In: IEEE Symposium on Security and Privacy (SP), pp. 49–64 (2014). doi:10.1109/SP.2014.11

Bond, M., Choudary, M., Murdoch, S., Skorobogatov, S., Anderson, R.: Be prepared: the EMV preplay attack. IEEE Secur. Priv. 13(2), 56–64 (2015). doi:10.1109/MSP.2015.24 CrossRef

Borello, J.M., Mé, L.: Code obfuscation techniques for metamorphic viruses. J. Comput. Virol. 4(3), 211–220 (2008). doi:10.1007/s11416-008-0084-2 CrossRef

Brandt, N.B., Stamp, M.: Automating NFC message sending for good and evil. J. Comput. Virol. Hacking Tech. 10(4), 273–297 (2014). doi:10.1007/s11416-014-0223-x CrossRef

Caldwell, T.: Securing the point of sale. Comput. Fraud Secur. 2014(12), 15–20 (2014). doi:10.1016/S1361-3723(14)70557-3 CrossRef

Collberg, C.S., Thomborson, C.: Watermarking, tamper-proofing, and obfuscation—tools for software protection. IEEE Trans. Softw. Eng. 28(8), 735–746 (2002)CrossRef

10.

Dagon, D., Gu, G., Lee, C., Lee, W.: A taxonomy of botnet structures. In: Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC), pp. 325–339 (2007). doi:10.1109/ACSAC.2007.44

11.

Dell SecureWorks Counter Threat Unit.: Point-of-sale malware threats. Tech. rep., Dell SecureWorks Inc. http://www.secureworks.com/cyber-threat-intelligence/threats/point-of-sale-malware-threats/ (2013)

12.

Department of Homeland Security.: National Security Strategy. The White House. http://www.whitehouse.gov/sites/default/files/rss_viewer/national_security_strategy.pdf (2010)

13.

EMVCo.: EMV card-present transaction percentage. https://www.emvco.com/documents/EMVCo_Card_present_EMV.pdf (2015). Accessed 25 Oct 2015

14.

Felt, A.P., Finifter, M., Chin, E., Hanna, S., Wagner, D.: A survey of mobile malware in the wild. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), pp. 3–14. ACM, New York (2011). doi:10.1145/2046614.2046618

15.

Filiol, E.: Metamorphism, formal grammars and undecidable code mutation. Int. J. Comput. Electr. Autom. Control Inform. Eng. 1(2), 281–286 (2007)

16.

FirstData.: Payments 101: credit and debit card payments—key concepts and industry issues. https://www.firstdata.com/en_us/insights/payments-101-white-paper-/_jcr_content/content-block/insight_individual/insights-downloads-par/download/file.res/fd-Payments-101-Credit-and-Debit-Card-Payments-white-paper.pdf (2010)

17.

Francis, L., Hancke, G., Mayes, K., Markantonakis, K.: Practical relay attack on contactless transactions by using NFC mobile phones. In: Lo, N.W., Li, Y. (eds.) Proceedings of the 2012 Workshop on RFID and IoT Security (RFIDsec 2012 Asia). Cryptology and Information Security Series, vol. 8, pp. 21–32. IOS Press, Amsterdam (2012)

18.

Frisby, W., Moench, B., Recht, B., Ristenpart T.: Security analysis of smartphone point-of-sale systems. In: Proceedings of the 6th USENIX Conference on Offensive Technologies. WOOT’12, pp. 1–12. USENIX Association, Berkeley (2012)

19.

Gold, S.: The evolution of payment card fraud. Comput. Fraud Secur. 2014(3), 12–17 (2014). doi:10.1016/S1361-3723(14)70471-3 CrossRef

20.

Gomzin, S.: Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions, 1st edn. Wiley, New York (2014)

21.

Guo, F., Ferrie, P., Chiueh, T.C.: A study of the packer problem and its solutions. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) Recent Advances in Intrusion Detection (RAID), Lecture Notes in Computer Science, vol. 5230, pp. 98–115. Springer, Berlin (2008). doi:10.1007/978-3-540-87403-4_6

22.

Hancke, G., Mayes, K., Markantonakis, K.: Confidence in smart token proximity: relay attacks revisited. Comput. Secur. 28(7), 615–627 (2009). doi:10.1016/j.cose.2009.06.001 CrossRef

23.

Haselsteiner, E., Breitfuß, K.: Security in near field communication (NFC)—strengths and weaknesses. In: Proceedings of the Workshop on RFID Security and Privacy (RFIDSec) (2006)

24.

Hizver, J., Chiueh, T.C.: Automated discovery of credit card data flow for PCI DSS compliance. In: Proceedings of the 2011 IEEE 30th International Symposium on Reliable Distributed Systems (SRDS), pp. 51–58. IEEE Computer Society, Washington, DC (2011). doi:10.1109/SRDS.2011.15

25.

Huq, N.: PoS RAM Scraper malware: past, present, and future. Tech. rep., Trend Micro Inc. http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf (2014)

26.

Huq, N.: Defending against PoS RAM scrapers: current strategies and next-gen technologies. Tech. rep., Trend Micro Inc. http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-defending-against-pos-ram-scrapers.pdf (2015)

27.

International Organization for Standardization: ISO/IEC 3166-1:1997.: Codes for the representation of names of countries and their subdivisions—part 1: country codes. http://www.iso.org/iso/catalogue_detail?csnumber=24591 (1997)

28.

International Organization for Standardization: ISO/IEC 4909:2006.: Identification cards—financial transaction cards—magnetic stripe data content for track 3. http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=43309 (2006a)

29.

International Organization for Standardization: ISO/IEC 7813:2006.: Information technology—identification cards—financial transaction cards. http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=43317 (2006b)

30.

International Organization for Standardization: ISO/IEC 18092:2013.: Information technology—telecommunications and information exchange between systems—near field communication—interface and protocol (NFCIP-1). http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=56692 (2013)

31.

International Organization for Standardization: ISO/IEC 7812-1:2015.: Identification cards—identification of issuers—part 1: numbering system. http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=66011 (2015)

32.

Juniper Research Limited.: Apple pay and HCE to push NFC payment users to more than 500 million by 2019. http://www.marketwired.com/press-release/apple-pay-hce-push-nfc-payment-users-more-than-500-million-2019-juniper-research-finds-1961558.htm (2014). Accessed at 2 Nov 2014

33.

Kaspersky Lab.: Kaspersky Security Bulletin 2014. http://securelist.com/files/2014/12/Kaspersky-Security-Bulletin-2014-EN.pdf (2014)

34.

Lin, D., Stamp, M.: Hunting for undetectable metamorphic viruses. J. Comput. Virol. 7(3), 201–214 (2010). doi:10.1007/s11416-010-0148-y CrossRef

35.

Lindorfer, M., Kolbitsch, C., Milani Comparetti, P. Detecting environment-sensitive malware. In: Proceedings of the 14th International Symposium on Recent Advances in Intrusion Detection (RAID). Lecture Notes in Computer Science, vol. 6961, pp. 338–357. Springer, Berlin (2011). doi:10.1007/978-3-642-23644-0_18

36.

Line, M.B., Zand, A., Stringhini, G., Kemmerer, R.: Targeted attacks against industrial control systems: is the power industry prepared? In: Proceedings of the 2nd Workshop on Smart Energy Grid Security (SEGS), SEGS ’14, pp. 13–22. ACM, New York (2014). doi:10.1145/2667190.2667192

37.

Liu, K., Tan, H.B.K., Chen, X.: Binary code analysis. Computer 46(8), 60–68 (2013). doi:10.1109/MC.2013.268 CrossRef

38.

de Looper, C.: Mobile payment boasts rosy future, but some obstacles remain in play. http://www.techtimes.com/articles/24762/20150106/mobile-payments-worth-130-billion-2020.htm (2015). Accessed 23 Jan 2015

39.

Mitrokotsa, A., Rieback, M.R., Tanenbaum, A.S.: Classifying RFID attacks and defenses. Inform. Syst. Front. 12(5), 491–505 (2010). doi:10.1007/s10796-009-9210-z CrossRef

40.

Murdoch, S., Drimer, S., Anderson, R., Bond, M.: Chip and PIN is broken. In: IEEE Symposium on Security and Privacy (SP), pp. 433–446 (2010). doi:10.1109/SP.2010.33

41.

Murdoch, S.J., Anderson, R.: Security protocols and evidence: where many payment systems fail. In: Christin, N., Safavi-Naini, R. (eds.) Proceedings of the 18th international conference on financial cryptography and data security (FC). Lecture Notes in Computer Science, vol. 8437, pp. 21–32. Springer, Berlin (2014). doi:10.1007/978-3-662-45472-5_2

42.

Oak, C.: The year 2014 was a tipping point for NFC payments. http://www.finextra.com/blogs/fullblog.aspx?blogid=10382 (2015). Accessed 15 Jan 2015

43.

Oorschot, P.: Revisiting software protection. In: Boyd, C., Mao, W. (eds.) Proceedings of the 6th International Conference on Information Security (ISC). Lecture Notes in Computer Science, vol. 2851, pp. 1–13. Springer, Berlin (2003). doi:10.1007/10958513_1

44.

PCI Security Standards Council.: PCI DSS applicability in an EMV environment—a guidance document. www.pcisecuritystandards.org/documents/pci_dss_emv.pdf (2010)

45.

Rantos, K., Markantonakis, K.: Analysis of potential vulnerabilities in payment terminals. In: Markantonakis, K., Mayes, K. (eds.) Secure smart embedded devices, platforms and applications, pp. 311–333. Springer, New York (2014). doi:10.1007/978-1-4614-7915-4_13

46.

Rieback, M., Crispo, B., Tanenbaum, A.: RFID malware: truth vs Myth. IEEE Secur. Priv. 4(4), 70–72 (2006). doi:10.1109/MSP.2006.102 CrossRef

47.

de Ruiter, J., Poll, E.: Formal analysis of the EMV protocol suite. In: Mödersheim, S., Palamidessi, C. (eds.) Theory of Security and Applications, Lecture Notes in Computer Science, vol. 6993, pp. 113–129. Springer, Berlin (2012). doi:10.1007/978-3-642-27375-9_7

48.

Sanders, R.: From EMV to NFC: the contactless trail? Card Technol. Today 20(3), 12–13 (2008). doi:10.1016/S0965-2590(08)70077-X CrossRef

49.

Sarkar, S., Mitra, S., Roy, A.: Point of sale vulnerabilities: solution approach. Tech. rep, Infosys (2014)

50.

Smith, D.C.: Preventing point-of-sale system intrusions. Tech. rep, Naval Postgraduate School (2014)

51.

Suarez-Tangil, G., Tapiador, J., Peris-Lopez, P., Ribagorda, A.: Evolution, detection and analysis of malware for smart devices. IEEE Commun. Surv. Tutor. 16(2), 961–987 (2014). doi:10.1109/SURV.2013.101613.00077 CrossRef

52.

Symantec Security Response.: Attacks on point-of-sales systems. Tech. rep., Symantec. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/attacks_on_point_of_sale_systems.pdf (2014)

53.

Trend Micro.: Point-of-sale system breaches: threats to the retail and hospitality industries. Tech. rep., Trend Micro Inc. http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-system-breaches.pdf (2014)

54.

Trustwave.: Combatting point-of-sale malware. Tech. rep., Trustware Holdings Inc. https://www.trustwave.com/Resources/Library/Documents/Combatting-Point-of-Sale-Malware/ (2014)

55.

Ugarte-Pedrero, X., Balzarotti, D., Grueiro, I.S., Bringas, P.G.: SoK: deep packer inspection: a longitudinal study of the complexity of run-time packers. In: Proceedings of the 36th IEEE Symposium on Security and Privacy, pp. 659–673 (2015). doi:10.1109/SP.2015.46

56.

Upendar, J., Rao, E.G.: An overview of plastic card frauds and solutions for avoiding fraudster transactions. Int. J. Res. Eng. Technol. 2(8), 215–222 (2013)CrossRef

57.

Vila, J., Rodríguez, R.J.: Practical experiences on NFC relay attacks with android: virtual pickpocketing revisited. In: Proceedings of the 11th International Workshop on RFID Security (RFIDsec). Lecture Notes in Computer Science, vol. 9440, pp. 87–103. Springer, Berlin (2015). doi:10.1007/978-3-319-24837-0_6

58.

Walters, R.: Cyber attacks on US companies in 2014. The Heritage Foundation—National Security and Defense (4289), 1–5 (2014). http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014 (issue Brief)

59.

Wang, Y.M., Roussev, R., Verbowski, C., Johnson, A., Wu, M.W., Huang, Y., Kuo, S.Y.: Gatekeeper: monitoring auto-start extensibility points (ASEPs) for spyware management. In: Proceedings of the 18th USENIX Conference on System Administration. LISA ’04, pp. 33–46. USENIX Association, Berkeley (2004)

60.

Weaver, N., Paxson, V., Staniford, S., Cunningham, R.: A taxonomy of computer worms. In: Proceedings of the 2003 ACM Workshop on Rapid Malcode (WORM). WORM ’03, pp. 11–18. ACM, New York (2003). doi:10.1145/948187.948190

61.

Yan, W., Zhang, Z., Ansari, N.: Revealing packed malware. IEEE Secur. Priv. 6(5), 65–69 (2008). doi:10.1109/MSP.2008.126 CrossRef

62.

Yaneza, J.: GamaPoS: the andromeda botnet connection. Tech. rep., Trend Micro. http://documents.trendmicro.com/assets/GamaPOS_TechnicalBrief1.pdf (2015)

63.

Zetter, K.: TJX hacker gets 20 years in prison. http://www.wired.com/2010/03/tjx-sentencing/ (2010)

Title: Evolution and characterization of point-of-sale RAM scraping malware
Author: Ricardo J. Rodríguez
Publication date: 26-05-2016
Publisher: Springer Paris
Published in: Journal of Computer Virology and Hacking Techniques / Issue 3/2017
Electronic ISSN: 2263-8733
DOI: https://doi.org/10.1007/s11416-016-0280-4

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 3/2017

Testing android malware detectors against code obfuscation: a systematization of knowledge and unified methodology

A completely covert audio channel in Android

MalwareHunt: semantics-based malware diffing speedup by normalized basic block memoization

Impeding behavior-based malware analysis via replacement attacks to malware specifications

Experimental analysis of hidden Markov model based secure misuse intrusion trace classification and hacking detection

Graph embedding as a new approach for unknown malware detection

Premium Partner