Anatomy of a Credit Card Stealing POS Malware


Point-of-sale (POS) is the place where a retail transaction is completed. It is the point at which a customer makes a payment to the merchant in exchange for goods or services.
Majority of retail POS systems also include a debit/credit card reader.


What is it?

When attackers compromise the computers and servers that run POS applications, with the intention of capturing payment data.
Hospitality and retail companies are the top targets — hardly surprising as that’s where most POS devices are. But other sectors, such as healthcare, also process payments and so are also at risk.
Stealing payment card data has become an everyday crime that yields quick monetary gains. The goal is to steal the data stored on the magnetic stripe of payment cards, clone the cards, and run charges on the accounts associated with them.
There are more than a dozen RAM scrapers sold in the underground market these days. There’s Dexter, Soraya, ChewBacca, Alina and BlackPOS to name a few.

Card processing involved the following basic steps:

Data in memory: All of the credit card data is temporarily stored in plain text in the RAM of merchants’ POS systems during processing. Cybercriminals use POS RAM scrapers to steal this data.

Data at rest: Merchants’ POS systems store transaction data for a short period of time (e.g., for batching) as well as a partial set of data for a long period of time for record purposes in log files or a database. The data stored is encrypted.

Data in transit: The data is internally transferred over LANs or WANs and externally over the Internet. Encryption is mandatory for data transferred over the Internet / Wireless LAN

Cybercriminals attack transaction data that resides in memory because it is the easiest to target.


Getting a RAM scraper onto a point-of-sale system can be tricky. In some cases cyber criminals infect the systems via a phishing attack that gets employees of the retailer to click on a malicious file or visit a web site where malware is silently installed on their system. Social engineering, vulnerability exploitation, disgruntled or disillusioned employees can also be used by attackers to infect POS systems.


Once on a targeted system, RAM scrapers work by examining the list of processes that are running on the system and inspecting the memory for data that matches the structure of credit card data, such as the account number, expiration date, and other information stored on a card’s magnetic stripe. During a brief period after the cards are first scanned, the account number and accompanying data sit in the POS system’s memory unencrypted while the system determines where to send it for authorization. That’s where the RAM scraper comes in. RAM scrapers are generally injected into running processes and can intercept sensitive data from memory in an instant before it is encrypted.
The magnetic stripe of payment cards has three Data Tracks—1, 2, and 3. Payment cards only use Tracks 1 and 2, which have been defined the in International Organization for Standardization (ISO)/ International Electrotechnical Commission (IEC)

Track 1 standard, which is recorded at 210 bits per inch and contains 79 alphanumeric characters

Track 1 Standard

Track 2 standard, which is recorded at 75 bits per inch and contains 40 numeric characters

Track 2 Standard

Example Track 1:


Track 1 Data

Track Data Value
% Start
B Format Code (B=Bank)
5874390765438112 Primary Account Number (PAN)
^ Separator
LEE Last Name
/ Name Separator
BRAD First Name
^ Separator
11 Expiration Year
03 Expiration Month
101 Service Code (3 digits)
000000001000000003000000 Discretionary Data
? End


Credit cards also contain a three- to four-digit number printed or embossed on either the front or back side called the “CVV/CVV2,” “Card Verification Number (CVN),” “Card Security Code (CSC),” “Card Validation Code (CVC2),” It is a security verification feature used in “card-not-present” transactions (e.g., made via telephone, mail order, online, etc.) wherein merchants cannot physically verify if cards are present for transactions. This number is not stored in Tracks 1 and 2 and without it; a perfect counterfeit credit card cannot be created.

POS RAM scrapers generally use regular expression (regex) matches to search for and harvest Tracks 1 and 2 credit card data from the process memory space in the RAM. An example of regex for finding Track 1 data:


Depending on the complexity of the regex, it might also incorrectly capture garbage data from the RAM in addition to valid card data.

POS RAM scrapers implement Luhn validation to check the card data harvested prior to exfiltration.

Luhn Algorithm

Luhn Algorithm

Add the sum to the original number we dropped in the beginning. If mod 10 of the resulting number is zero (85+5) mod 10 = 0, it is a valid credit card number.

What can we do?

  • Restrict remote access. Limit remote access into POS systems by third-party companies.
  • Enforce strong password policies.
  • Reserve POS systems for POS activities. Do not allow staff to use them to browse the web, check email, or play games.
  • Implement best practices (Patching, Access control, Vulnerability scanning, Auditing etc.)




Leave a Reply

Your email address will not be published. Required fields are marked *

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

I agree to these terms.