First it was Target. Then Neiman Marcus. There might still be others. But while the reports of corporate hacking are a shock, the class of malware allegedly used in the attacks is nothing new.
In an interview with CNBC this morning, Target Chairman and CEO Gregg Steinhafel said the hack was related to malware infecting the point-of-sale (POS) systems of the retail giant. Reuters went a step further, reporting that one of the types of malware that hackers relied on to compromise systems at Target and elsewhere is known as a RAM scraper or memory parser.
Target declined to comment on the Reuters report, citing the company's ongoing investigation into the data breach. But the RAM scraper theory is bolstered by a warning about POS malware issued by the U.S. Computer Emergency Readiness Team (US-CERT) on Jan. 2, which says that many of the types of POS malware currently being deployed "use a memory scraping technique to locate specific card data."
This category of malware works by searching the random access memory (RAM) of a retailer's POS terminal, where credit and debit card data and PINs are held in plaintext while a transaction is processed. The malware then copies that financial information and uploads it to remote servers controlled by the bad guys.
RAM scrapers have been lurking around for years. In fact, the 2012 holiday season saw a RAM scraper called Dexter wreak havoc on some retailers. And at least twice within the past year, VISA has warned merchants about memory parsing malware. In April, the credit card company said such attacks were targeting grocery stores. In August, it warned about similar tactics being used against the retail sector at large.
This is a particularly nasty kind of malware — and particularly attractive to nefarious hackers because it has the potential to earn them substantial financial returns. The credit card information swiped from the POS terminals can be sold on the black market and used to create cloned cards. As Brian Krebs, the security researcher and journalist who originally reported the Target hack, has noted, that appears to be exactly what is happening now.