Target, Neiman Marcus card data thefts, RAM scraper malware, and you

Data theft from retailers is making headlines this month, after luxury retailer Neiman Marcus disclosed that it, along with Target, had suffered a major data breach during the holiday shopping season before Christmas. According to media reports, other retailers were targeted too, and the FBI is warning retail stores to be on the lookout for more cyber attacks.

Our experts have been following the story. Over at Naked Security, Paul “Duck” Ducklin reports that the malware used in the Target data breach was loaded onto point-of-sale (POS) terminals, where it skimmed unencrypted card numbers. From there, the stolen data is sorted into bundles, put up for sale on the black market, and written onto counterfeit cards that crooks use to buy goods in stores.

RAM scraper malware

After Target’s CEO confirmed that the malware behind the massive data breach was found on POS registers in Target stores, Duck explained that this class of POS malware, called a RAM scraper, scoops up the unencrypted card data during the brief window when it is exposed: while it is being processed at the register.

“RAM scraping works because payment card data is often also unencrypted in memory (RAM) in the POS register, albeit briefly,” Duck writes at Naked Security.
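To make the “briefly unencrypted in memory” point concrete, the following is an added example, written for this article and not Sophos code or a sample of Trackr. It does what a scraper does once it has a copy of a register process’s memory: it searches a raw byte buffer for the magnetic-stripe Track 1 and Track 2 layouts (ISO/IEC 7813 sentinels and field separators) and keeps only hits whose account number passes the Luhn check, which is how scrapers discard false positives. The memory image is constructed, and 4111111111111111 is a well-known test number, not a real account.

```python
"""Added example: find magnetic-stripe track data in a memory buffer.

Illustrative code for this article, not Sophos code and not Trackr.
SAMPLE_MEMORY is a constructed stand-in for a POS process memory dump;
4111111111111111 is a standard test PAN, not a real card.
"""
import re

# Track 1 (%B<PAN>^<NAME>^<YYMM><service><discretionary>?) and
# Track 2 (;<PAN>=<YYMM><service><discretionary>?) as the stripe reader
# hands them to the register. The sentinels and separators make the
# records easy to locate in an otherwise unstructured byte buffer.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})?([^?]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})?([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check-digit test used to weed out strings that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as any report or log should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrape_tracks(mem: bytes) -> list:
    """Return every Luhn-valid Track 1 / Track 2 record in mem, in offset order."""
    hits = []
    for m in TRACK1_RE.finditer(mem):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": pan,
                         "name": m.group(2).decode(), "exp": m.group(3).decode()})
    for m in TRACK2_RE.finditer(mem):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": pan,
                         "exp": m.group(2).decode()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed memory image: some application state, one Track 1 and one
# Track 2 record for the test PAN, and a decoy whose check digit is wrong.
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"POS build 3.1.7 session=8842 "
    + b"%B4111111111111111^DOE/JANE^25121011234567890?"
    + b"\x00\x00\xff\xfe"
    + b";4111111111111111=25121011234567890?"
    + b" total=42.17 "
    + b";4111111111111112=25121011234567890?"  # fails Luhn, must be skipped
    + b"\x00" * 8
)

if __name__ == "__main__":
    for h in scrape_tracks(SAMPLE_MEMORY):
        print(f"track {h['track']} at offset {h['offset']}: "
              f"{mask_pan(h['pan'])} exp {h['exp']}")
```

The same scan is useful on the defensive side: run over a memory dump of a register process in a test lab, any hit shows that cleartext track data is resident and for how long after a swipe, which is exactly the window a RAM scraper exploits.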

One of our researchers at SophosLabs, Numaan Huq, has been tracking the development of RAM scraper malware used in credit and debit card data thefts. Numaan writes at Naked Security that this type of malware has been around for a while.

According to our research, RAM scrapers go back as far as 2009, but they have become more sophisticated and professionalized. SophosLabs detects this kind of malware under the family name Trackr (e.g., Troj/Trackr-Gen, Troj/Trackr-A).

“One of the earliest serious POS RAM scraper attacks that we observed was back in November 2011 when we found that a university and several hotels had their POS systems compromised,” Numaan writes. “Later we saw varied targets including an auto dealership in Australia infected with Trackr.”

Credit card risk

After two people in Texas were arrested for using fraudulent credit cards with numbers stolen from the Target financial data breach, some might have felt relief that police had found the bad guys. According to police, two crooks nabbed at the U.S.-Mexican border used cards containing stolen account information from Target shoppers in South Texas to purchase goods at national retailers in the area.

But the two alleged crooks were only pawns in this scheme, the final actors in a scam that starts with malware planted on a POS register and ends with customers bearing fraudulent charges, and, in the case of these two, possibly losing their freedom. The chess masters behind the scheme will be much harder to track down.

As Chet Wisniewski, Senior Security Advisor at Sophos, explained in an interview with the Associated Press, the hackers who created the malware used in the Target attack are at little risk of being busted. “Keep in mind, it isn’t illegal to write these kind of codes, just to use them,” Chet says. “And selling [malware] is a lot less risky than taking [stolen] cards into an Apple store.”

Keeping safe

It’s a scary thought that anyone who uses a credit card or debit card is at risk of data theft and fraud. However, the same is true of anyone who uses a computer, mobile device, or other connected device.

Our security experts at SophosLabs and Naked Security are always on duty to offer security tips and advice. But one of the best pieces of advice we can give is evergreen: everyone should follow computer security best practices, and consumers should proactively monitor their accounts so they don’t become victims of card fraud or identity theft.

If you’re interested in learning more about RAM scrapers, watch this space. Chet and Numaan will be delivering a joint paper on the topic at the 2014 RSA security conference in San Francisco in February.
