Each day, almost 400 million non-cash transactions are completed in the United States. While you may not give it a second thought when paying for your morning cup of coffee, when you hand over your credit card to the cashier, you are putting your trust in a complex system that has been responsible for some of the most notable data compromises in recent years. Target, Home Depot, Wendy’s, and Arby’s have all previously experienced a breach within their point of sale (PoS) systems that resulted in millions of consumers’ data being stolen.
Recently, a new PoS attack campaign using a piece of malware called Flokibot emerged in Brazil, targeting a very specific type of PoS system. In this week’s Threat Spotlight, the Cylance® Threat Guidance team discusses how RAM scraping works and how CylancePROTECT® defeats it.
The Flokibot malware uses RAM scraping to search for and collect credit card information that is exposed briefly during a PoS transaction. After a period of time, this data is exfiltrated off-site to an attacker-controlled server. Flokibot, like most PoS malware, attempts to gain access to PoS devices via phishing, stolen credentials, or a rogue insider. For instance, the attackers responsible for the 2013 Target breach used stolen credentials from an HVAC contractor to spread their PoS malware across the Target network, ultimately resulting in the loss of over 70 million records.
Businesses have hardened PoS systems, especially since the highly publicized compromises. However, during a credit transaction, there is a moment where the credit card information is held in memory. Malware employing the RAM scraping technique targets this moment of data visibility to capture card information and write it to a temporary file. Once the desired number of items is captured, the data is moved off-site.
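The staging step described above leaves an artifact a defender can look for: cleartext track data written to disk. The following is an added example, not code from the original article or from any Cylance product. It scans files for Track 2 records (layout per ISO/IEC 7813), validates candidates with the Luhn checksum, and reports only masked numbers. The function names and the sample bytes are constructed for illustration.

```python
import re
from pathlib import Path

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(rb";(\d{13,19})=\d{2}(\d{2})\d{3}\d*\?")

def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum: rejects digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48                      # ASCII digit -> int
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: bytes) -> str:
    """First six and last four digits only, so a finding never re-exposes the PAN."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]

def find_staged_track2(blob: bytes):
    """Return [(offset, masked_pan)] for each plausible Track 2 record in blob."""
    hits = []
    for m in TRACK2.finditer(blob):
        pan, month = m.group(1), int(m.group(2))
        if 1 <= month <= 12 and luhn_ok(pan):
            hits.append((m.start(), mask(pan)))
    return hits

def scan_dir(root: str, max_bytes: int = 8 * 1024 * 1024):
    """Scan regular files under root; returns {path: hits} for files with findings."""
    findings = {}
    for path in Path(root).rglob("*"):
        try:
            if path.is_file():
                with path.open("rb") as fh:
                    hits = find_staged_track2(fh.read(max_bytes))
                if hits:
                    findings[str(path)] = hits
        except OSError:
            continue                     # locked or unreadable file: skip it
    return findings

# Constructed sample: one valid record (industry test number), one failing Luhn,
# one with an impossible expiry month.
SAMPLE = (b"\x00\x13tmp\x00;4111111111111111=25121010000000000?\x00"
          b"noise ;4111111111111112=25121010000000000? "
          b";5555555555554444=25131010000000000?\xff")
```

Any hit on a PoS terminal's temporary or user-writable directories warrants investigation, since track data should not be stored in cleartext on disk.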
CylancePROTECT provides multiple ways to detect and prevent RAM scraping malware from achieving its goals:
To learn more about how CylancePROTECT can help mitigate threats against your PoS systems, contact us today to speak to one of our experts.