What Is a RAM Scraping Attack?

People carry far less cash in today’s money system than ever before. With a few exceptions, most retailers accept debit or credit cards because this form of payment is handy, fast and ostensibly secure while also eliminating the need for loose change in pockets. The popularity of payment cards has led to data theft, a common crime with immediate monetary benefits. Attackers want to steal the data stored in payment cards’ magnetic stripes, clone the cards and charge the accounts connected with the victim.

What Is the Definition of a RAM Scraping Attack?

A RAM scraping attack is an intrusion into the random access memory (RAM) of a retail sales terminal to collect consumer credit card information, such as PINs and other confidential details, from the cardholder. RAM-scraping malware is a type of malicious software that scans a device’s RAM. The malware examines the device’s RAM with malicious intent, “scraping” the temporarily stored data. This form of cybercrime has affected merchants and their customers since 2008.

RAM Scraping Attack Definition
RAM scraping, also known as a point-of-sale (POS) attack, targets retail transaction terminals with memory-scraping malware, which scans and “scrapes” memory off said devices.

What Is the History of RAM Scraping Attacks?


The payment card firm Visa issued the first documented report of a RAM scraping attack in October 2008. The company’s security staff discovered that hackers had gained access to POS terminals that process consumer transactions using Visa’s cards. The hackers were able to access unencrypted client information from the terminals’ RAM. The attackers attempted to install debugging tools on the POS systems to dump credit card data from the RAM.

RAM scraping is not a new concept but has recently been given a new life to compromise payment systems. Over the last decade, hackers have grown more clever and efficient at stealing huge stockpiles of cards. Scrapers currently employ various components and exfiltration mechanisms, single binaries, network, bot, kill-switch capabilities, encryption and development kits.

How Are RAM Scraping Attacks Used?

Attackers covertly install RAM scrapers on POS systems that scan and process credit and debit card transactions. These tools make stealing millions of credit card numbers simple as the scrapers move through the system.

Some common characteristics in the usage of RAM scraping attacks are detailed below.

Targeting Businesses with Card Transactions


Small restaurants and stores utilize a card processor to handle credit and debit card purchases. A third-party firm then gets the card data from merchants and delivers this to the appropriate bank for authorization. Large retail and grocery chains that process a high volume of card transactions, on the other hand, function as personal or direct processors. Card transactions from each location in the chain are sent to a central processor on the corporate network, where all information is consolidated and routed to the appropriate destination for authorization. Some of the biggest targeted industries are:

  • Food services
  • Retail
  • Healthcare
  • Hotel and tourism
  • Education

There are many credit and debit card transactions in these businesses, implying that the cards contain a large amount of payment data that scrapers may take.

Bypassing Vulnerabilities in Standards and Devices


Any firm that accepts credit or debit cards must also follow another set of rules known as the PCI (Payment Card Industry) security standards. Credit card businesses require PCI compliance to help assure the security of credit card transactions in the payments sector. Payment card industry compliance refers to the technical and operational requirements that firms must follow to safeguard and preserve the credit card data given by cardholders and transferred via card processing operations. This compliance provides strong security from the first transaction through when consumer data is kept on retailers’ systems and has no flaws. During a mag-stripe transaction, the customer’s credit card data—including the cardholder’s name, card number, expiration date and three-digit security code—is exposed in plaintext for a very brief period.

RAM-scraping malware allows attackers to grab the data from memory while being processed within the terminal rather than when traveling across the network. RAM-scraping malware is used to gather credit card information as this is read into computer memory. Any data acquired is then kept locally in a file until exfiltration. This data file must frequently be transmitted to numerous computers, bouncing through the internal network until reaching a system with access to external systems.
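An added example, not from the original article: because scrapers keep captured data in a local file until exfiltration, a defender can sweep file contents for plaintext track data. This Python code assumes the ISO/IEC 7813 track layouts; the sample bytes (using the well-known test number 4111111111111111) are constructed, and every hit is masked before it is reported.

```python
import re

# ISO/IEC 7813 layouts (assumed):
#   Track 1:  %B PAN ^ NAME ^ YYMM SVC discretionary ?
#   Track 2:  ;  PAN = YYMM SVC discretionary ?
TRACK1 = re.compile(rb"%B(\d{13,19})\^[^\^?]{2,26}\^(\d{2})(\d{2})\d{3}[^?]*\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d{3}\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters out random digit runs that only look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so reports never hold a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes):
    """Return (track, offset, masked PAN) for each plausible track record."""
    hits = []
    for name, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(blob):
            pan = m.group(1).decode()
            month = int(m.group(3))
            # Expiry month must be 01-12 and the PAN must pass Luhn.
            if 1 <= month <= 12 and luhn_ok(pan):
                hits.append((name, m.start(), mask(pan)))
    return sorted(hits, key=lambda h: h[1])


def scan_file(path: str):
    """Scan one file (for example a suspicious .tmp or .dat on a POS host)."""
    with open(path, "rb") as fh:
        return find_track_data(fh.read())


# Constructed sample: two valid records, one with a bad checksum,
# one with an impossible expiry month.
SAMPLE = (
    b"\x00\x13junk"
    b"%B4111111111111111^DOE/JANE^30121010000000000?"
    b"\x00\x00"
    b";4111111111111111=30121010000000000000?"
    b"padding"
    b";4111111111111112=30121010000000000000?"
    b";1234567890123456=30991010000?"
)

if __name__ == "__main__":
    for track, offset, pan in find_track_data(SAMPLE):
        print(f"{track} at byte {offset}: {pan}")
```

Any hit on a POS host is worth investigating, since neither the payment application nor anything else should be writing track data to disk.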

What Is a Notorious POS Attack?


In a notorious POS attack, the personal information of about 40 million Target customers and 56 million Home Depot customers was taken, ascribed to the deployment of a new spyware software known as BlackPOS. For playing a role in the major breach hitting one of the largest U.S. merchants between Nov. 27 and Dec. 15, 2013, BlackPOS is arguably the most well-known POS RAM scraper.

BlackPOS is an old malware program discovered in mid-2012. Its source code was released online at some point, resulting in multiple BlackPOS versions with varying capabilities. Attackers used a BlackPOS version to steal the payment card information of 70 million consumers throughout the U.S. The thieves were expected to earn $53.7 million by selling the stolen cards and other consumer data.


RAM scrapers are being replaced by more sophisticated forms of malware such as screen grabbers and keyboard loggers. But RAM scrapers are still prevalent in attacks, as these malware programs are designed to gather personal information shown or inputted and then pass on the data to a third party. RAM-scraping malware generally targets companies and businesses rather than regular desktop and laptop PCs. The data is susceptible when kept in the back-end server’s system memory (RAM) that processes the transaction.

Are RAM Scraping Attacks and POS Malware Attacks the Same?


These terms are used interchangeably when referring to POS intrusion and attacks. Both refer to the stealing of information through vulnerabilities of POS terminals and systems. POS malware is an information security threat that has grown to enormous dimensions over the last several years and has proven to be more harmful to companies than virtually any other danger.

POS malware is a generic term for an increasing variety of Trojan families designed to scrape point-of-sale terminals’ RAM. POS malware is specifically designed to scrape encrypted RAM data and exfiltrate payment information such as card numbers, user names, addresses, security codes and all other track one and two payment card data.

What Are the Types of RAM Scraping Attacks?

There are now more than a dozen RAM scrapers for sale in the underground market. Though all RAM scrapers work in a similar manner, each has unique characteristics. The challenge for cybercriminals is to develop a dependable technique of infecting POS systems. Hackers have accomplished this by using several tried-and-true tactics such as social engineering, lateral movement and vulnerability exploitation, among others, to target payment networks and POS systems.

The types of RAM scraping attacks are explained below.

Phishing and Social Engineering Targeting Payment Networks


In some situations, cyber thieves infect the systems using a phishing attack that convinces merchant workers to click on a dangerous file or visit a website where malware is discreetly placed on the system. Phishing and social engineering attacks are proven ways to infect computers with malware. POS RAM scrapers are never sent to millions of prospective victims via spam; malware is instead delivered to pre-selected targets via phishing emails, including powerful social engineering lures.

Some emails include an attachment and employ social engineering lures in the message body to persuade readers to download and open the attached file. Others contain malicious URLs, with social engineering lures in the message body to persuade recipients to click on said links.

Once inside an employee’s PC and the business network, attackers may frequently work up to the payment network, sniffing around for administrator credentials that will grant access to the coveted network.

Inside Jobs Targeting POS Systems


Inside jobs are the hardest to guard against because management’s trusted employees may exploit privileges to conduct a crime. A hotel employee, for example, may discreetly insert an infected USB key into the front desk’s credit card-processing computer.

These individuals might be angry or disillusioned workers seeking retribution against employers or unscrupulous individuals seeking to earn fast money. Some hackers have even been known to pay personnel to purposefully insert infected USB sticks into systems or servers containing sensitive data to breach the system and devices.

What Are the Examples of RAM Scraping Attacks?


Rdasrv, one of the first POS RAM scrapers, was discovered towards the end of 2011. Created to target businesses in the food service and hotel industries, Rdasrv contains several hard-coded versions with distinct target process names, most likely because hackers gather knowledge about the targets’ operating systems before sending tailored malware.

Because of the rising popularity of POS RAM scrapers as a tool for rapid monetary gain, development kits began to appear in the cybercriminal underground almost immediately. VSkimmer is a popular WYSIWYG building tool for POS RAM scrapers that first appeared in early 2013, offering a simple building interface. The user-configured parameters are applied to a stub file included with the builder to produce a customized executable file.

Around September 2014, reports emerged that a large-scale credit card breach had occurred at grocery chains Albertsons and Supervalu. The thefts came soon after the recent breaches at Target and Home Depot (mentioned above), both of which have one thing in common: the stealth technique used by the hackers to acquire the precious card data.

Since the Target and Home Depot attacks, security experts and merchants alike have shifted focus to this sort of malware sample, attempting to better understand how such infiltrations may occur and how attacks might be avoided. Researchers from Cisco’s Security Solutions team discovered a new point-of-sale Trojan that uses RAM scraping to detect and compromise credit card information. The new strain, dubbed POSeidon, comprises three malware components to infiltrate and scrape sensitive data. The virus has a keylogger, a loader and a memory scraper with keylogging capabilities.

What Are the Statistics About RAM Scraping Attacks?


Between 2009 and 2013, several distinct POS RAM scraper families were identified, with nine more discovered in 2014 alone. The bulk of new POS RAM scrapers discovered between 2013 and 2014 belonged to one of three foundation families: BlackPOS, Alina or Dexter.

POS RAM scrapers target a diverse set of businesses from various sectors. According to the Trend Micro Smart Protection Network, the U.S. had the largest amount of POS RAM scraper detections between April and June 2014. The U.S. topped the number of detections (73.74%) because the country’s economy is primarily focused on acquiring goods and services using credit cards, followed by the Philippines (4.62%), Japan (4.41%) and Brazil (2.73%). Consumers in other nations continue to choose cash or debit cards over credit cards.

Which Devices Can RAM Scraping Attacks Infect?


If attackers obtain access to the production network to which POS devices are linked, it can become difficult to detect or prevent associated malware-dropping attempts directed at those POS devices, since attackers can employ antivirus evasion tactics or packaging tools to provide the malware executable. Hackers penetrate businesses and use RAM scrapers to collect Tracks 1 and 2 credit card data from POS systems. Hackers then sell the stolen credit card data to carders on carding forums in quantities known as “dumps.” Buying and selling dumps is referred to as “carding.”


POS systems, like any other computer, may become infected with malware. The POS system might be compromised because the employee used that computer to visit a malicious website or opened a malicious attachment to an email. The virus may have exploited unpatched software on the machine or numerous other mechanisms by which a computer becomes infected.

POS terminals and network hub devices that run Windows are the most susceptible devices that can be infected. Once deployed, this threat takes client credit card information invisibly by essentially converting the POS machine’s card reader into a network-accessed credit card skimmer. One need not worry about any direct attack on personal devices, but keep an eye out for related threats, discussed later.

Memory scraping isn’t only for traditional brick-and-mortar stores. If an e-commerce web server’s memory can be split, an attacker is likely to uncover sensitive data there as well. RAM scrapers aren’t limited to POS systems, and cybercriminals can package malware to steal data in any circumstance where the data is normally encrypted.

Is a RAM Scraping Attack Illegal?

RAM scraping is not illegal, but extracting personal information and sensitive data for unauthorized financial gain and malicious purposes is.

What Are the Laws Regarding RAM Scraping Attacks?

Currently, there is no known law that protects people from RAM scraping attacks. Since this cyberattack technique is relatively new, with the first significant attacks emerging in 2008, legal systems have neglected to catch up with the trend.

How To Protect Yourself From a RAM Scraping Attack

RAM scrapers are intended to detect, capture and exfiltrate credit and debit card data from endpoints that process and store it. The following safeguards should be taken to protect against RAM scraping attacks.

  • Use Secure Passwords: Using strong passwords can help reduce the chance of infection. Passwords are required for POS systems. If a hacker has access to a POS system’s admin password, they may be able to install RAM-scraping malware on it. Creating a strong password will keep the POS system secure, decreasing the chance of RAM-scraping malware infiltration.
  • Implement Employee Education Programs: Employees should be trained on what to look for to detect RAM scraping threats. Employees’ knowledge of possible risks may be enhanced through education on social engineering, phishing, malware, the effects of cybercrime and security best practices. Staff will be equipped with the knowledge necessary to avoid falling victim to RAM scraping attacks and similar threats.
  • Block Remote Access: One should also consider blocking remote access to all of the company’s POS systems. Remote access implies that users outside the company’s network can log in to a POS system. Small and medium-sized enterprises rarely require this functionality. If a company does not require remote POS access, one should disable this function.
  • Utilize Anti-Phishing and Anti-Malware Solutions: Spear-phishing emails and the presence of malware continue to be among the most common POS RAM scraper infection methods. Anti-phishing software detects and prevents phishing emails while anti-malware solutions scan files to identify, stop and remove harmful software from computers such as viruses, Trojans, worms, keyloggers and rootkits.
  • Get a Security Information and Event Management (SIEM): SIEM software and services analyze security alarms issued by network hardware, servers, endpoints and applications in real-time. SIEMs are used for data aggregation, rule-based or statistical data correlation, alerts, dashboards, compliance, log retention, forensics and other purposes.
  • Keep Systems and Policies Up-to-Date: Another simple way to avert a compromise is to deploy security fixes to software and hardware systems on a regular and timely basis. Policies can be as basic as a secure password but should ideally go further. Security policies should be written and automated whenever feasible, and while this may appear to most to be a no-brainer, it’s frequently missed.
  • Consider EMV Cards: EMV cards, often known as “chip-and-PIN” cards, feature an integrated microchip that authenticates the card as a real bank card, preventing hackers from embossing stolen card data onto blank cards and using stolen information for fraudulent transactions. The chip carries the same data as a card’s magnetic stripe but includes a certificate used to sign each transaction digitally.
  • Consider Alternative Mobile Payments: If new mobile payment mechanisms are widely used, this may significantly lower the number of cards scanned and processed in the old manner, limiting the amount of card data a RAM scraper could collect.
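An added example, not part of the original article, of the kind of correlation rule a SIEM can run for this threat: flag any non-allowlisted process that opens the payment application with memory-read access, and escalate if that process then writes a file. It assumes Sysmon-style ProcessAccess (ID 10) and FileCreate (ID 11) events with simplified timestamps; the process names, allowlist, host name and events are all constructed.

```python
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory
PAYMENT_PROCESSES = {"pos_app.exe"}                    # hypothetical payment application
ALLOWED_READERS = {"msmpeng.exe", "pos_updater.exe"}   # hypothetical allowlist (AV, vendor updater)
CORRELATION_WINDOW = timedelta(minutes=10)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _ts(ev: dict) -> datetime:
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")


def detect(events):
    """Return alerts for memory reads of the payment process and follow-on file writes."""
    alerts = []
    readers = {}  # (host, image path) -> time of first suspicious memory read
    for ev in sorted(events, key=_ts):
        host = ev["Computer"]
        if ev["EventID"] == 10:
            src, dst = _base(ev["SourceImage"]), _base(ev["TargetImage"])
            access = int(ev["GrantedAccess"], 16)
            if (dst in PAYMENT_PROCESSES and access & PROCESS_VM_READ
                    and src not in ALLOWED_READERS):
                key = (host, ev["SourceImage"].lower())
                if key not in readers:
                    readers[key] = _ts(ev)
                    alerts.append({"severity": "medium", "host": host,
                                   "process": ev["SourceImage"],
                                   "reason": "unapproved memory read of payment process"})
        elif ev["EventID"] == 11:
            first = readers.get((host, ev["Image"].lower()))
            if first is not None and _ts(ev) - first <= CORRELATION_WINDOW:
                alerts.append({"severity": "high", "host": host,
                               "process": ev["Image"], "file": ev["TargetFilename"],
                               "reason": "file written shortly after memory read"})
    return alerts


# Constructed events for one POS host.
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2024-01-01 12:00:01", "Computer": "POS-07",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\POS\pos_app.exe", "GrantedAccess": "0x1410"},   # allowlisted
    {"EventID": 10, "UtcTime": "2024-01-01 12:03:10", "Computer": "POS-07",
     "SourceImage": r"C:\Windows\Temp\svcupd.exe",
     "TargetImage": r"C:\POS\pos_app.exe", "GrantedAccess": "0x1010"},   # VM_READ set
    {"EventID": 10, "UtcTime": "2024-01-01 12:03:40", "Computer": "POS-07",
     "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\POS\pos_app.exe", "GrantedAccess": "0x1000"},   # no VM_READ
    {"EventID": 11, "UtcTime": "2024-01-01 12:05:00", "Computer": "POS-07",
     "Image": r"C:\Windows\Temp\svcupd.exe",
     "TargetFilename": r"C:\Windows\Temp\d.tmp"},                        # inside window
    {"EventID": 11, "UtcTime": "2024-01-01 12:30:00", "Computer": "POS-07",
     "Image": r"C:\Windows\Temp\svcupd.exe",
     "TargetFilename": r"C:\Windows\Temp\e.tmp"},                        # outside window
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```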

What To Do If You Become a Victim of a RAM Scraping Attack


RAM scraping is a threat that might affect not only the retail industry but any firm that processes large volumes of consumer payment cards, ranging from leisure and hospitality to banking and insurance. While guarding against this sort of attack might be challenging, businesses can implement certain measures to reduce the susceptibility factor.

The vulnerability at Home Depot might have been avoided. The network environment did include Symantec Endpoint Protection; however, the network threat protection function was turned off. While this does not ensure security, hackers would have a harder time breaching the system. Furthermore, the policy appeared to be lacking in terms of a proper vulnerability management approach.

Some steps one can take after falling victim to a RAM scraping attack are given below.

  1. Record the Details of the Incident: Keep a written log of what has transpired during the time the victim has experienced the incident. The information should include the location, store details, compromised accounts and the amount or type of damage done.
  2. Inform Respective Law Enforcement Agencies: Report a significant violation to law enforcement. Contact the company management, state or federal law enforcement, and even the Federal Bureau of Investigation.
  3. Notify the Affected Parties: Notify individuals if an attack puts personal information at risk. This fast response might assist affected people in taking urgent precautions to be safe and wary of these issues. However, if law enforcement is involved, the police should direct the company on whether the notification should be delayed to ensure the investigation is not compromised. The individuals are usually notified via letter, phone, email or in person.

How To Remove RAM Scraper Malware?


Security experts have shifted to prevention strategies rather than creating RAM scraping malware removal tools. Companies have focused on further securing systems and updating machines.

There is no known documented procedure for removing RAM scrapers, but these threats can be prevented by using anti-malware tools and observing system security protocols.

The Microsoft Defender Antivirus, a built-in malware scanner for Windows 10, may be used to scan viruses and malware, but not specifically RAM scrapers. Microsoft Defender does not include a specific procedure for removing RAM scrapers but follows the scan procedure outlined below.

The steps to run a scan on Windows Defender are outlined below.

  1. Save and close all files.
  2. Select the Windows icon found at the bottom-left of the screen.
  3. Click on the Settings icon to proceed to the Settings tab.
  4. Click on the Update & Security icon.
  5. Select Windows Security to go to the Protection areas section.
  6. Click on the Virus & Threat protection icon.
  7. The Current Threats section will appear. Click on Scan options.
  8. Select the required type of scan: quick, full, custom or Windows Defender Offline scan.
  9. Click on Scan now.
  10. When the scan is completed, a scan summary will appear.
  11. If the scan identifies malware, click Start actions and perform all instructions given to remove the malware.

What Are the RAM Scraping Malware Removal Tools?

As organizations migrate to more secure payment methods, attackers will devise new tactics to exploit the better systems and surroundings. Antivirus and monitoring software, as well as multi-factor authentication, can aid in the prevention of infiltration. However, a few anti-malware software programs could equip computers with better security, as listed below.

  • Avast: One of the most popular anti-malware tools, Avast boasts of having the world’s biggest threat-detection network. The free plan offers all the basic functions and features of a typical antivirus software program. Aside from ease of use, Avast scans for malware and addresses potential issues. Virus definitions are constantly updated, ensuring users are always protected from viruses and malware.
  • Malwarebytes: The premium Malwarebytes package is now a full-fledged antivirus, not simply a backup for a primary antivirus. Malwarebytes features all of the essential security features that users look for in an antivirus application, including real-time malware protection, ransomware prevention and online protection.
  • Kaspersky Antivirus: This features a great antivirus scanner and real-time malware protection. Kaspersky’s anti-phishing defense effectively spots dangerous websites and has a high-quality antivirus scanner with plenty of useful features and affordable pricing to detect malware.

What Is Web Scraping?

RAM scraping was covered in detail in the preceding sections, but what is web scraping? Web scraping refers to extracting data from a website, and this information is gathered and then exported in a more user-friendly way. The practice of gathering structured web data in an automated manner is known as web scraping, also referred to as web data extraction.


The actual value of data from online scraping resides in its capacity to develop and power some of the world’s most groundbreaking commercial apps, rather than simply being a modern convenience. Various web scraping applications include price monitoring, price intelligence, news monitoring, lead generation and market research.

Web scraping is fundamentally a type of data mining. Web scraping has sparked a lot of debate since some websites’ terms of service prohibit some types of data mining. Still, web scraping is expected to become a common method of gathering information as aggregated data resources grow more competent despite the legal issues.

What Are the Other Threats?

RAM scraping attacks are just one of the countless cybersecurity threats pervading the internet today. Some other threats to look out for are listed below.

  • Credit card data leaks are well-established and show no indications of abating soon. Cybercriminals target all industries and employ a variety of breach methods. Most POS RAM scrapers target firms in the retail industry since customers have very large credit card transaction volumes, making firms ideal targets for harvesting data from Tracks 1 and 2.
  • Doxing is a similar threat to RAM scraping attacks. This kind of attack exposes people and friends/family/associates to online and offline abuse. Doxing discloses personally identifiable information about another person online, such as full name, home address, workplace, phone number, bank information and other personal information.
  • Skimmers: RAM scrapers aren’t the sole technique for obtaining card information. Skimmers placed on card readers at ATMs, gas stations and other payment terminals are still widely used to steal card data and PINs. These need an attacker to have physical access to the reader to install and recover the device, increasing the likelihood that the attacker or accomplices will be apprehended.
  • Financial theft: Everyone should follow basic practices for computer security, and consumers should proactively sign up for credit monitoring services to avoid becoming victims of credit or identity theft. Businesses of all sizes must spend to safeguard vital POS infrastructure. POS systems, like cash registers, require adequate protection, just as people would not leave cash registers unlocked for someone to steal money from the store.
  • E-commerce vulnerabilities: E-commerce websites account for a sizable portion of everyday credit card transactions. To target inadequately protected or configured vulnerable e-commerce websites, hackers employ several breach vectors. Once the websites have been hacked, hackers can access encrypted or unencrypted credit card databases and steal information.

Rexter Marqueses: Many years of experience educating and motivating people through his writings in data privacy, internet security and VPN technology. Skilled in writing articles, ebooks and workbooks, producing top-notch quality content.