As the mystery around the credit card hacking at retail giants Target and Nieman Marcus continues to unfold, you’re going to start hearing a lot about something called a “RAM scraper.”
Target CEO Gregg Steinhafel confirmed in an interview with CNBC (which is a partner of Re/code) that the source of the attack that has affected as many as 70 million of its customers was malware that was present on its point-of-sale systems. This disclosure came a day after a Reuters report that cited sources familiar with the investigation as identifying the type of malware involved as a RAM scraper.
So what the heck is a RAM scraper and how does it work? First, remember that payment systems — the cash registers and credit card terminals you see in stores and restaurants every day — have a lot of strong requirements for encrypting data, pretty much end-to-end during the transaction process, as well as any records that are stored afterward.
But there’s one particular moment when that data is vulnerable, and it occurs during the milliseconds that it is stored in the system memory — a.k.a. random access memory, or RAM — of the back-end server that processes the transaction. Think of it as a package being delivered to you with a lock on it. Even though you have the key, you still have to open it to see what’s inside. The same thing happens when your credit card number gets decrypted.
And when that happens, your credit card number is briefly stored in the system memory of the server processing the payment. When that happens, that data is “in the clear,” as in unencrypted. Typically this step in the process should only take milliseconds. Once the payment is verified, the next transaction in line comes through and the process repeats itself, and numbers are overwritten each time as new ones come in.
But it’s at this vulnerable moment that RAM scraper malware is designed to strike. RAM scraping is an old attack technique that has in recent years been given new life for the purpose of compromising payment systems. Security researchers at Verizon first noted it in a report in 2009.
The scraper software, which is usually disguised as something innocuous, gets introduced to the system in a variety of ways. Imagine the full range of standard hacker techniques: The system may have unpatched vulnerabilities, or an employee of the victim company may introduce it by mistake by opening an email attachment containing malware. The source might even be an employee looking to cause trouble.
Visa issued security alerts on an uptick in RAM scraper activity in April and August of last year. Among the suggestions it made at the time: Tighten firewalls to allow systems to communicate only with known systems. It also advised companies to separate payment systems from non-payment systems.
Once the malware is running, it searches for specific strings of data that look like credit card numbers. When it sees one, it grabs it and saves it to a text file that grows into a long list. Later on, the attackers — however they may have gained access to the system — come for the data and “exfiltrate” it. In the early days of these attacks, exfiltration required physical access. Now it’s more likely to be done remotely.
Over the summer, the security firm Sophos took a look at RAM scraper attack trends and found that the most common one is Alina, one of a family with many variants that has come to be called Trackr.
Retail stores and hotels were most likely to be targeted by attacks using Trackr variants during the first six month of 2013, Sophos found, accounting for a combined 26 percent of attacks. Educational institutions, restaurants and health care businesses were also targeted.
And most of the attacks during the same time period — 56 percent — were in the U.S., which — combined with Germany, Canada, and the U.K. — accounted for 89 percent of these attacks. And often the victims are small- to medium-sized businesses that don’t have the resources to invest in securing their payment systems.
At the time, Numaan Huq, a security researcher for Sophos writing on its corporate blog, observed that “big box retailers and chain stores have security-hardened point-of-sale systems, and we have not seen any major evidence of these large organizations getting compromised.”
Apparently that’s changed.