Evolution and characterization of point-of-sale RAM scraping malware

  • Ricardo J. Rodríguez
Original Paper


Credit and debit cards are becoming the primary payment method for purchases. These payments are normally performed on merchants' in-store systems, known as Point-of-Sale (POS) systems. Since these systems handle payment card data while processing customer transactions, they are becoming a primary target for cybercriminals. When these data remain in memory, they are scraped and exfiltrated by specially crafted malicious software known as POS RAM scraping malware. In recent years, large data breaches at well-known US retail companies were caused by this kind of malware. In this paper, we study the features of these malware based on their behavior at different stages: infection and persistence, search for processes and data of interest, and exfiltration. We then classify samples of 22 known POS RAM scraping malware families from 2009 to 2015 according to these features. Our findings show that these malware are still immature and use well-defined behavioral patterns for data acquisition and exfiltration, which may make their malicious activity easily detectable by process and network monitoring tools.


Keywords: Malware, POS RAM scraping, Evolution, Taxonomy, Software security



Acknowledgements: The author would like to thank Marc Rivero and Rubén Espadas, MLW.RE NPO, for providing malware samples, Xylitol for maintaining the thread on POS RAM scraping malware in the KernelMode forum, and the anonymous referees for providing constructive comments and helping to improve the contents of this paper.



Copyright information

© Springer-Verlag France 2016

Authors and Affiliations

  1. Dpto. de Informática e Ingeniería de Sistemas, Universidad de Zaragoza, Zaragoza, Spain
