The Washington Post

This malware class was reportedly used in the Target hackings. Here’s how it works.

People shop at a Target store during Black Friday sales in the Brooklyn borough of New York, in this November 29, 2013, file photo. (REUTERS/Eric Thayer/Files)

First it was Target. Then Neiman Marcus. There might still be others. But while the reports of corporate hacking are a shock, the class of malware allegedly used in the attacks is nothing new.

In an interview with CNBC this morning, Target Chairman and CEO Gregg Steinhafel said the hack was related to malware infecting the point-of-sale (POS) systems of the retail giant. Reuters went a step further, reporting that one of the types of malware that hackers relied on to compromise systems at Target and elsewhere is known as a RAM scraper or memory parser.

Target declined to comment on the Reuters report, citing the company's ongoing investigation into the data breach. But the RAM scraper theory is bolstered by a warning issued by the U.S. Computer Emergency Readiness Team (US-CERT) on Jan. 2 about POS malware that says many of the types of POS malware currently being deployed "use a memory scraping technique to locate specific card data."

This category of malware works by searching the random access memory of retailers' POS terminals, where credit and debit card data and PINs are stored in plaintext so they can be processed. The financial information is then copied and uploaded to remote servers controlled by the bad guys.

RAM scrapers have been lurking around for years. In fact, the 2012 holiday season saw a RAM scraper called Dexter wreak havoc on some retailers. And at least twice within the past year, VISA has warned merchants about memory parsing malware. In April, the credit card company said such attacks were targeting grocery stores. In August, it warned about similar tactics being used against the retail sector at large.

This is a particularly nasty kind of malware — and particularly attractive to nefarious hackers because they have the potential to earn substantial financial returns. The credit card information swiped from the POS terminals can be sold on the black market and used to create cloned cards. As Brian Krebs, the security researcher and journalist who originally reported the Target hack, has noted, that appears to be exactly what is happening now.

Andrea Peterson covers technology policy for The Washington Post, with an emphasis on cybersecurity, consumer privacy, transparency, surveillance and open government.



Andrea Peterson · January 13, 2014
