RAM-scraping malware could have been installed on Target’s tills

Graham Cluley

Millions of customers at US retailer Target remain deeply concerned after it was revealed that hackers had stolen credit card information from shoppers across the country between November 27th and December 15th last year.

Details of the breach only came to light in the last week, when Target said that 40 million credit and debit cards had been exposed.

The number of people visiting Target stores instantly plummeted.

Then the company admitted that PIN data had also been fraudulently accessed, although Target was keen to underline that although the PIN data was stolen it was strongly encrypted and “remained encrypted within [its] system, and remained encrypted when it was removed.”


In addition, it was revealed that the personal information of 70 million customers (email addresses, home addresses and phone numbers, for instance) was siphoned off the company’s servers.

This is clearly a sizeable crisis for Target – both in terms of its internal security and in its efforts to regain the trust and confidence of its customers.

It’s no surprise then to see Target’s CEO appear on TV, attempting to repair some of the damage.

CNBC interview with Target's CEO

In an interview with CNBC’s Becky Quick, Target CEO Gregg Steinhafel described the attack, which saw malware installed on the company’s Point of Sale (POS) registers, as feeling like “a punch in the gut”.

How malware can scrape memory to extract your credit card information

If you are a retailer of any size who accepts credit card payments, you are required to follow Payment Card Industry (PCI) data security standards.

That means that you should, as a shopper, feel pretty confident that the company selling you a product has anti-virus and other security software installed and is keeping it up to date, that it encrypts cardholder data, and that it is restricting access to confidential information about you.

Amongst the information they should be protecting is the data stored on your payment card’s magnetic stripe – known as Track 1 and Track 2 data.

Interestingly, as US-CERT warned on 2 January 2014, many examples of POS malware will search the device’s memory, hunting for unencrypted credit card information:

There are several types of POS malware in use, many of which use a memory scraping technique to locate specific card data.

Dexter, for example, parses memory dumps of specific POS software related processes looking for Track 1 and Track 2 data.

Stardust, a variant of Dexter, not only extracts the same track data from system memory, it also extracts the same type of information from internal network traffic.

Researchers surmise that Dexter and some of its variants could be delivered to the POS systems via phishing emails or the malicious actors could be taking advantage of default credentials to access the systems remotely, both of which are common infection vectors. Network and host-based vulnerabilities, such as weak credentials accessible over Remote Desktop, open wireless networks that include a POS machine and physical access (unauthorized or misuse) are all also candidates for infection.

What’s particularly interesting about the US-CERT alert is that it came on 2 January – *after* the Target data breach, but *before* the hack was made public.

Coincidence? I suspect not.

In short, a retailer may be correctly storing sensitive information about you and your credit card in a securely encrypted form on its hard drive, or during transmission to its servers… but the data may be *unencrypted* while being processed in the device’s memory.

Sophisticated malware might attempt to quickly scour RAM, hunting through memory for something which looks like credit card information – and other sensitive data – before passing it on to malicious hackers.

Target CEO Steinhafel said that if customers had any concerns at all they should change their PIN, have their cards replaced or sign up for credit monitoring. More details about Target’s data breach, and how customers should respond, can be found on the company’s website.

Of course, Target is just one (albeit large) retailer to have fallen at the hands of hackers. We have also recently seen Neiman Marcus hit in what seems to be a similar attack, and there are rumours of others…

Be careful out there, and keep a close eye on your financial statements for unexpected transactions.

If you are interested in learning more about malware which targets Point of Sale systems, read this blog post from Bromium.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “RAM-scraping malware could have been installed on Target’s tills”

  1. Dexter recently caused quite a problem here in South Africa
