Rodríguez, Ricardo J
Evolution and Characterization of Point-of-Sale RAM Scraping Malware Journal Article
In: Journal in Computer Virology and Hacking Techniques, vol. 13, no. 3, pp. 179–192, 2017, ISSN: 2263-8733.
Tags: Evolution, malware, POS RAM scraping, Software security, Taxonomy
@article{R-CVHT-17,
title = {Evolution and Characterization of Point-of-Sale RAM Scraping Malware},
author = {Ricardo J Rodríguez},
url = {http://webdiis.unizar.es/~ricardo/files/papers/R-CVHT-17.pdf},
doi = {10.1007/s11416-016-0280-4},
issn = {2263-8733},
year = {2017},
date = {2017-01-01},
journal = {Journal in Computer Virology and Hacking Techniques},
volume = {13},
number = {3},
pages = {179--192},
abstract = {Credit and debit cards are becoming the primary payment method for purchases. These payments are normally performed in merchants' in-store systems, known as Point-of-Sale (POS) systems. Since these systems handle payment card data while processing customer transactions, they are becoming a primary target for cybercriminals. These data, while they remain in memory, are scraped and exfiltrated by specially crafted malicious software named POS RAM scraping malware. In recent years, large data breaches that occurred in well-known US retail companies were caused by this kind of malware. In this paper, we study the features of this malware based on its behavior in different stages: infection and persistence, process and data-of-interest search, and exfiltration. Then, we classify samples of 22 known POS RAM scraping malware families from 2009 to 2015 according to these features. Our findings show that this malware is still immature and uses well-defined behavioral patterns for data acquisition and exfiltration, which may make its malicious activity easily detectable by process and network monitoring tools.},
keywords = {Evolution, malware, POS RAM scraping, Software security, Taxonomy},
pubstate = {published},
tppubtype = {article}
}
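The "data of interest search" stage named in the abstract is, concretely, a scan of a payment process's memory for byte strings laid out as magnetic-stripe Track 1 or Track 2 data. The following Python is an added example written for this page; it is not code from the paper and not code from any of the malware families it classifies. It scans a constructed in-memory buffer (built around the standard 4111 1111 1111 1111 test PAN, no real card data) for both track layouts and applies the Luhn check to each candidate PAN, which is the same well-defined pattern that a memory- or traffic-inspecting detector can match on. The regular expressions, the sample buffer and the function names are this example's own assumptions.

```python
import re

# Magnetic-stripe track layouts (ISO/IEC 7813). A RAM scraper hunts for these
# exact shapes in process memory; a detector can hunt for the same shapes in
# what a suspicious process reads or sends out.
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# Both patterns are this example's assumptions, not taken from any sample.
TRACK1_RE = re.compile(rb"%B(\d{12,19})\^([A-Z ./]{2,26})\^(\d{2})(\d{2})(\d{3})[0-9 ]*\?")
TRACK2_RE = re.compile(rb";?(\d{12,19})=(\d{2})(\d{2})(\d{3})\d*\?")

# Constructed sample "memory": noise around two track records that use the
# public 4111 1111 1111 1111 test PAN, plus one track-shaped string whose PAN
# fails the Luhn check. Nothing here is real card data.
SAMPLE_MEMORY = (
    b"\x00\x00POS_TERMINAL_v2.1\x00\x00"
    b";4111111111111111=25121011234500000000?\x00"          # Track 2, Luhn-valid
    b"log entry: txn 00042 approved\x00"
    b"%B4111111111111111^DOE/JOHN^25121011234500000000?\x00"  # Track 1, Luhn-valid
    b";1234567890123456=2512101000000000?\x00"              # track-shaped, Luhn-invalid
    b"\xff\xfe\x00"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4 so findings can be logged without exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Scan a raw byte buffer for Track 1 / Track 2 records, Luhn-checking each PAN."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        hits.append({
            "track": 1, "offset": m.start(), "pan_masked": mask_pan(pan),
            "name": m.group(2).decode("ascii"),
            "expiry": f"{m.group(4).decode()}/{m.group(3).decode()}",   # MM/YY
            "service_code": m.group(5).decode("ascii"), "luhn_valid": luhn_ok(pan),
        })
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        hits.append({
            "track": 2, "offset": m.start(), "pan_masked": mask_pan(pan),
            "name": None,
            "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",   # MM/YY
            "service_code": m.group(4).decode("ascii"), "luhn_valid": luhn_ok(pan),
        })
    hits.sort(key=lambda h: h["offset"])
    return hits


if __name__ == "__main__":
    for h in find_track_data(SAMPLE_MEMORY):
        print(h)
```

Running the script over the constructed buffer reports three track-shaped records, of which only the two built on the test PAN survive the Luhn filter. The point for a defender is the one the abstract makes: because the scraper has to match this fixed layout, a monitoring tool that watches cross-process memory reads for the same regular expressions, or watches outbound traffic for Luhn-valid strings in this shape, is matching the same well-defined pattern the malware depends on.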