Each day, almost 400 million non-cash transactions are completed in the United States. While you may not give it a second thought when paying for your morning cup of coffee, when you hand over your credit card to the cashier, you are putting your trust in a complex system that has been responsible for some of the most notable data compromises in recent years. Target, Home Depot, Wendy’s, and Arby’s have all previously experienced a breach within their point of sale (PoS) systems that resulted in millions of consumers’ data being stolen.

Recently, a new PoS attack campaign using a piece of malware called Flokibot emerged in Brazil, targeting a very specific type of PoS system. In this week’s Threat Spotlight, the Cylance® Threat Guidance team discusses how RAM scraping works and how CylancePROTECT® defeats it.

Threat Overview

The Flokibot malware uses RAM scraping to search for and collect credit card information that is exposed briefly during a PoS transaction. After a period of time, this data is then exfiltrated off-site to an attacker-controlled server. Flokibot, like most PoS malware, attemts to gains access to PoS devices via phishing attempts, stolen credentials, or a rogue insider. For instance, the attackers responsible for the 2013 Target breach used stolen credentials from an HVAC contractor to spread their PoS malware across the Target network, ultimately resulting in the loss of over 70 million records.

What is RAM Scraping?

Businesses have hardened PoS systems, especially since the highly publicized compromises. However, during a credit transaction, there is a moment where the credit card information is held in memory. Malware employing the RAM scraping technique targets this moment of data visibility to capture card information and write it to a temporary file. Once the desired number of items is captured, the data is moved off-site.

How does CylancePROTECT Combat RAM Scraping?

CylancePROTECT provides multiple ways to detect and prevent RAM scraping malware from achieving its goals:

• Pre-execution Quarantine:  CylancePROTECT has the ability to identify and prevent any malware, including Flokibot, from running on a protected machine. Using Cylance’s proven AI models, CylancePROTECT blocks over 99% of all malware, pre-execution. Check out the latest third-party test results to learn more about CylancePROTECT’s efficacy.
• Memory Defense: CylancePROTECT Memory Defense has built-in protection for RAM scraping, with the ability to detect when payment card data residing in memory is read.

To learn more about how CylancePROTECT can help mitigate threats against your POS systems, contact us today to speak to one of our experts.