What is a RAM Scraping Attack

A RAM scraping attack is a type of digital attack which implants malware in a point-of-sale (POS) terminal to steal consumer credit card information.


RAM scraping attacks were first identified by security researchers in an alert issued by Visa in October 2008. Visa noticed that cybercriminals had infiltrated point-of-sale (POS) machines and gained access to unencrypted customer information from the volatile random access memory (RAM) system within those terminals. Targets of those early scrapers tended to be in the hospitality and retail industries. These industries process huge volumes of credit card transactions at a similarly huge number of locations. Investigators noticed an uptick in the introduction of new malware bugs between 2011 and 2013 but POS attacks did not gain widespread attention until the rise of BlackPOS in 2013 and 2014. Hackers used this program to infiltrate the networks of the Target and Home Depot retail chains. The Target and Home Depot attacks coincided with a further multiplication of POS malware variants. In recent years, RAM scrapers have steadily been replaced by more sophisticated malware elements such as screen grabbers and keystroke loggers.


How RAM Scrapers Work

The plastic credit cards that we all carry contain two sets of information. The first is contained within the magnetic stripe and invisible to the human observer. Within the stripe are two tracks of electronic information that identifies the card account and account holder. Track 1 contains an alphanumeric sequence based on a standard developed by the International Air Transport Association (IATA). This sequence contains the account number, cardholder’s name, expiration date and other data in a sequence recognizable by all POS machines. Track 2 uses a shorter but analogous sequence developed by the American Bankers Association (ABA). A third track is almost entirely unused.

The second identifier on a credit card is the three- or four-digit code often located on the back of the card, known as the card verification number (CVN) or card security code (CSC). This number can add an additional layer of security if it is not included in the electronic data contained in the magnetic stripe. The data that a POS terminal collects from Track 1 and Track 2, sometimes including the CVN or CSC in Track 1, are held in the memory of that POS machine until it is periodically purged.

All parties to the credit card transaction chain are beholden to the 12 security requirements detailed in the Payment Card Industry Data Security Standard (PCI DSS), but hackers have taken advantage of gaps in this framework. The gap that is directly vulnerable to RAM scrapers is the temporary storage of large amount of intact credit card data stored in the POS machines’ software for a short period after transacting a sale. Small merchants are a relatively easy target for cybercriminals, but larger retailers like Target and Home Depot are far more attractive due to the massive amounts of data they retain at any given time. So far, hackers have been rewarded for taking the time to attack those big firms’ extensive security systems.