RAM scraper malware harvests customers’ card data and PINs by exploiting a security vulnerability in the moment between when the card is swiped and when that information is encrypted by the retailer’s POS system. Macmillan says this kind of malware is much harder to detect than card skimmers because it’s usually installed remotely on the retailer’s network via hacking or infected email attachments and hyperlinks.
This malware is stealthy – Macmillan says it can be easily deployed across every store in a business network and deleted remotely, leaving no criminal evidence. It can affect any retailer using an internet-connected POS system in store.
“Until recently RAM scraper breaches had been largely confined to North America but cybercriminals are now increasingly turning their attention to Australian companies,” he says. “The busy Christmas period is looming and international cybercriminals may well decide it is a good time to start looking further afield for opportunities in New Zealand.”
Many of New Zealand’s largest retailers have Australian owners, which Macmillan says makes New Zealand a likely next target. He believes large multi-store retailers’ high volume of transactions makes this kind of business an attractive mark.
All retailers need to take cyber security seriously, Macmillan says, pointing out that RAM scrapers are just one of the many different tools used by criminals to attack businesses online. He says it’s vital for retailers to take action sooner rather than later, particularly if they are using older POS operating systems and applications.
“Like the majority of businesses, many New Zealand retailers are not doing enough to protect themselves so they really do need to wake up to the cybersecurity threat that they are under.”
Guy Worsley, senior commercial broker at Rothbury Insurance Brokers, says RAM scrapers have been prevalent around the world since 2008. They’re predominantly active in the US, but also target Europe and Australasia. Retailers are the biggest targets, but hotels, food services, and healthcare businesses can also be affected: “Anywhere there’s a point of sale.”
Worsley advises retailers to liaise with their IT security management companies to understand their vulnerability, noting that users are the weakest point of any security system.
“The weakest link in our cybersecurity system is me opening an email and letting malware in.”
A change in login details or a denial of access that requires a password change can be signs of a security breach, Worsley says. He says the increase in retail spending that is kicking in now and will continue through Christmas until the end of January will bring increased vulnerability to RAM scraper-style attacks.
Worsley says customers defrauded by a RAM scraper attack are likely to be protected by their bank, which will often note fraudulent activity and take steps to address it. However, if the retailer is found to have been negligent in relation to the attack, a cyber insurance policy can cover its liability in this situation.
Kaon Security has provided six tips to help retailers guard against RAM scraper attacks:
1. Replace POS equipment’s default password settings with strong passwords that include a mix of upper and lower case letters, numerals and symbols.
2. Hackers target older operating systems and applications, so only use current, supported versions of POS operating systems whose updates address the latest security vulnerabilities. Many retail systems still run old versions of Windows software that cannot receive new security patches, so it is best to upgrade to the latest version of Windows.
3. As a bare minimum, install anti-virus software protection on the POS system and keep it up-to-date. A better option is to install a full endpoint protection solution, which not only helps to prevent malware from getting into the system but also adds another layer of security protection at each POS terminal.
4. Review network design and configuration so that the network is segmented and traffic to and from the POS system is monitored, and deploy firewalling to prevent intrusions.
5. If remote connectivity is required, enable it only when needed. Contact your POS vendor or integrator to take immediate steps to disable remote access when not in use.
6. Educate and regularly remind all employees (from the top to the bottom) about the risk of opening emails or clicking links from sources they do not know.