David C. Smith

June 2014

Thesis Advisor: 	Neil Rowe
Second Reader:	Garrett McGrath

Approved for public release;distribution is unlimited



Form Approved OMB No. 0704–0188

Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instruction, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202–4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704–0188) Washington DC 20503.

1. AGENCY USE ONLY (Leave blank)



June 2014


Master’s Thesis





6. AUTHOR(S) David C. Smith


Naval Postgraduate School

Monterey, CA 93943–5000






11. SUPPLEMENTARY NOTES The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government. IRB Protocol number ____N/A____.


Approved for public release;distribution is unlimited



13. ABSTRACT (maximum 200 words)


Several major United States retailers have suffered large-scale thefts of payment card information as the result of intrusions against point-of-sale systems (smart cash registers).  Point-of-sale attacks present a growing threat and can constitute a homeland-security problem due to a trans-national cyber crime element.  This thesis presents results of a survey of point-of-sale intrusions that reached at least the start of criminal investigation.  The survey showed that attacks were generally quite simple, and predominantly involved guessing passwords and subsequent installation of keyboard loggers.  That suggests that countermeasures can be relatively simple although they must overcome organizational inertia.  Our analysis leads to several recommendations to improve point-of-sale system security.



14. SUBJECT TERMS Point-of-Sale Systems, Cybercrime, Payment Card Systems













NSN 7540–01–280–5500                                                                                                                         Standard Form 298 (Rev. 2–89)

                                                                                                                                                                  Prescribed by ANSI Std. 239–18


Approved for public release;distribution is unlimited






David C. Smith

Assistant to the Special Agent in Charge, United States Secret Service

B.A., The University of Michigan, 1989

M.A., The University of Michigan, 1990



Submitted in partial fulfillment of the

requirements for the degree of





from the




June 2014




Author:                       David C. Smith




Approved by:             Neil Rowe

Thesis Advisor




Garrett McGrath

Second Reader




Cynthia Irvine

Chair, Cyber Academic Group





Several major United States retailers have suffered large-scale thefts of payment card information as the result of intrusions against point-of-sale systems (smart cash registers).  Point-of-sale attacks present a growing threat and can constitute a homeland-security problem due to a trans-national cyber crime element.  This thesis presents results of a survey of point-of-sale intrusions that reached at least the start of criminal investigation.  The survey showed that attacks were generally quite simple, and predominantly involved guessing passwords and subsequent installation of keyboard loggers.  That suggests that countermeasures can be relatively simple although they must overcome organizational inertia.  Our analysis leads to several recommendations to improve point-of-sale system security.




I.    Introduction............................................................................................................. 2

A.    Problem statement................................................................................ 3

B.    Purpose of study..................................................................................... 4

C.    Limitations..................................................................................................... 4

D.    methodology............................................................................................... 5

II.    Review of Literature.......................................................................................... 7

A.    Point of sale systems and attacks............................................. 8

B.    Non-volatile forensic artifacts................................................ 10

C.    volatile forensic artifacts.......................................................... 11

D.    Network based artifacts................................................................ 12

III.     Point of Sale System Breaches – A Homeland Security Perspective    14

A.    payment card system compromises – a historical perspective   14

B.    recent high-profile point-of-sale system compromises 15

C.    Recent Public Discourse Over Point of Sale Data Compromises 16

D.    Subway – A Case Study........................................................................ 17

E.    The Transnational Element in Payment System Breaches   19

F.    The homeland security connection.......................................... 23

IV.    A survey of criminal investigations of point-of-sale system intrusions     26

A.    Nature and purpose of research.............................................. 26

B.    Survey methods...................................................................................... 27

C.    results......................................................................................................... 28

V.    forensic indicators of point of sale system attacks............. 31

A.    Point-of-sale system attack characteristics................. 31

B.    A forensic case study........................................................................ 33

C.    Sample forensic indicators of point-of-sale system intrusions            37

VI.    recommendations for preventing point-of-sale intrusions 40

A.    Technical security recommendations.................................... 40

B.    A point-of-sale-system security awareness campaign 42

appendix............................................................................................................................ 44

List of References.................................................................................................... 50

Initial Distribution List.......................................................................................... 57





Figure 1.    Common trans-national criminal underground “carding” hierarchy....... 22

Figure 2.    The Albert Gonzalez Carding Organization................................................ 23




Table 1.    Payment Card and Fraud Losses for Major Breaches................................ 24

Table 2.     Three Largest Payment-card Breaches and Primary Method of Compromise   24

Table 3.    Intrusion Methods for Major Point-of-sale Intrusions…………………30






ASCII                          American Standard Code for Information Interchange

ATM                            automated teller machine

CVV                            card verification value

DHS                           The Department of Homeland Security

HVAC                         heating, ventilating, and air conditioning

IP                                Internet Protocol

MAC                           Media Access Control

PCAP                         packet capture file format

PIN                             personal identification number

RAM                           random access memory

RDE                           remote desktop environment

TCP                            Transmission Control Protocol

UDP                           User Datagram Protocol

USC                           United States Code

USSS                         United States Secret Service







I would like to thank Dr. Neil Rowe for his expert guidance and direction on this project.  Dr. Rowe provided valuable support and suggestions, and he skillfully kept me on track when I drifted off course.


I also would like to thank Garrett McGrath for his comments and guidance on this project.  This work is much better thanks to his mentorship.


Finally, I would like to thank my colleagues of the United States Secret Service for the tremendous support and encouragement that I received throughout this entire process.




I.             Introduction

On December 19, 2013, the Target department store chain, the second largest retailer in the United States, announced in a press release that hackers had exfiltrated approximately forty million credit and debit-card numbers, from November 27 through December 15, 2013 (Target, 2013).  The criminals transferred the stolen data to a server in Russia (Raff, 2014).

Since the initial news, there have been numerous postings and announcements from Target, security blogs, and security research companies regarding the intrusion.  Although the specific details are still unfolding as of the writing of this thesis, there has been significant attention focused on Target’s point-of-sale terminals, the locations where customers physically swipe their credit or debit cards for payment.

The Target network intrusion, and the subsequent news that the Nieman Marcus retail chain suffered a similar hack (Krebs, 2013; Krebs, 2014, January 10), has brought national attention to point-of-sale systems and the potential for significant fraud due to compromised payment card information. On February 04, 2014, high-level executives from Target and Nieman Marcus prepared written testimonials in advance of several congressional hearings on retail data breaches the week of February 05, 2014 (Associated Press, 2014; United States Senate, 2014).

While the Target data breach attracted significant national attention due to the magnitude of the data losses, the compromise of credit and debit card numbers due to network intrusions of point-of-sale systems has been a problem for several years. Trustwave, an incident response and security research company, identified point-of-sale system malware as far back as July 2008 (Percoco, Sheppard, and Ilyas, n.d.). Much of the discussion among Congress, the Federal Trade Commission, the retail industry, and security experts has focused on two areas: whether the United States should move to the chip-and-personal identification number (PIN) system used in other parts of the world, and whether Congress should pass a federal data breach notification law that would require businesses to notify customers if card data had been compromised (Hans, 2014).

These two suggestions—a Chip-and-PIN system and a federal data breach law—will do nothing to address the question of why hackers so easily breach point-of-sale systems. Chip-and-PIN systems will make it more difficult for criminals to manufacture counterfeit payment cards, and therefore may remove some of the incentive for criminals to attempt point-of-sale system intrusions, but moving to such a system will not prevent point-of-sale intrusions themselves.  Although law enforcement agents and forensic specialists are still investigating the Target intrusion, the latest public information suggests that hackers infiltrated the Target network using network credentials stolen from a company contracted by Target to manage the latter’s climate control (HVAC) systems (Krebs, 2014 February 6).

A.           Problem statement

Congressional testimony concerning the recent data breaches against Target and Neiman Marcus has brought much needed focus and attention on the problem of payment card security throughout the retail industry (Douglas, 2014). Members of Congress and corporate executives have suggested migrating toward a more secure PIN-and-Chip card system and passing Federal legislation concerning data breach notifications and consumer protection (Associated Press, 2014).  Data-breach notification laws have their own intrinsic value, but if stronger information security practices reduce the number and impact of point-of-sale system intrusions, there will be less of a need for data-breach notification laws.

B.           Purpose of study

The Department of Homeland Security, in its Quadrennial Homeland Security Review Report, listed several departmental goals (Department of Homeland Security, 2010). Among these are “Create a Safe, Secure, and Resilient Cyber Environment” and “Promote Cybersecurity Knowledge and Innovation”. Within the Department of Homeland Security, the United States Secret Service shares jurisdictional authority to investigate network intrusions against point-of-sale systems (18 U.S. Code § 1030). The U.S. Secret Service works closely with private forensics firms and other law enforcement agencies to develop forensic knowledge and techniques related to point-of-sale system breaches. By analyzing criminal investigations into point-of-sale systems, this information will equip the Department of Homeland Security to improve public awareness efforts toward securing point-of-sale systems.  We have an additional goal of advancing the discussion of and research into forensic tools and techniques in support of point-of-sale system criminal investigations.

C.           Limitations

In conducting research and analysis on the subject of point-of-sale system data breaches, we encountered several limitations:

·                     There were no reliable statistics regarding how many criminal intrusions have taken place targeting retail point-of-sale systems. For similar reasons, there are no specific data regarding actual fraud losses to financial institutions, retail establishments, and consumers.

·                     To protect the integrity of active investigations and the privacy of victims, only aggregated data will be discussed. Specific case studies will be limited to those with publicly released judicial documents.

·                     In some cases used to supply the aggregate data, specific items such as the name and characteristics of malware used were not available. In some cases, for example, the victim or point-of-sale system vendor performed a cleanup of the system thus eliminating evidence.

D.           methodology

This thesis will evaluate several notable point-of-sale data breaches based on publicly available information, including publicized attacks against the Subway sandwich chain and the recent theft of card data from Target and Neiman Marcus. It will examine open-source documents illustrating the trans-national criminal element of online card data compromises. Finally, it will reference a variety of data breach studies, both point-of-sale-specific and not, from major forensic firms including Trustwave and Verizon.

To develop insight into individual data breaches, this thesis examined forty-two active and recently closed criminal investigations by agents of the U.S. Secret Service. Our goal in performing these case studies was to determine if there were specific trends related to the nature of the point-of-sale system intrusion (i.e., how did the hackers break in), the hacking exploits or malicious code used, the duration of the attacks, and how the intrusion was discovered.

Finally, as a model for a potential mitigation strategy for the problem of point-of-sale system intrusions, the thesis gives specific recommendations for securing systems and maintaining good security practices.  It also reviews an ongoing successful Federal crime-prevention program that may serve as a model for a similar effort to reduce point-of-sale system intrusions through public education.












II.           Review of Literature

Point-of-sale systems typically include one or more terminals, a back-of-house server, and a connection to the Internet or to a corporate network.  The terminals usually consist of a standalone card terminal (common in supermarkets and department stores, for example) connected to a computer, or a card terminal connected to a touch-screen monitor (common in restaurants and bars, for example).  These terminals read the track data from cards and forward the information to a back-of-house server.  The back-of-house server collects card data from the merchant’s terminals and relays it to a payment processor for card approval or denial.  Larger corporations may use a different configuration in which card data is sent through a corporate office before it reaches a payment processor.  Point-of-sale systems include card reading hardware (i.e. the terminals) and software to read data and forward the data to card processors.  Most point-of-sale systems for small and medium-sized businesses use standard Microsoft Windows desktops to run the terminals, and use a Windows server as the platform for the back-of-house server.  Figure 1 illustrates two common point-of-sale system topologies, the first for a small business and the second for a larger corporation (Trustwave, 2014).








Figure 1:  Point-of-sale system topologies for small and large merchants



A.           Point of sale systems and attacks

Point-of-sale system attacks are new in terms of published books and professional literature, but there has been some prior work assessing specific threats.

            Hizver and Chiueh performed an analysis of point-of-sale systems software processes on a Windows server in a virtual environment (Hizver and Chiueh, 2012). The authors showed that once the memory locations of the processes were located, a random access memory tool could simply search for ASCII strings consistent with credit card numbers, i.e., 13- or 16-digit strings beginning with certain digits (e.g. a 4 for a Visa or a 5 for a MasterCard).  This in fact is the premise behind memory scraping malicious code.

Venter et al describe a suite of malware files that currently exist in the wild including “ramsys32.sys,” a malware controller application known as “loader.exe,” and a dynamic link library called “searcher.dll” (Ventner, Sheppard, and Percoco, 2010). The authors explain how these three malicious files work together to scan for and copy out card track data once such data appears in memory. “Searcher.dll” appears in numerous cases examined in Chapter IV.

Bowles et al. propose a method for exploiting point-of-sale system PIN entry devices (Bowles, Cuthbert, and Stewart, 2005). Their analysis focuses on physical attacks against such devices, as for example inserting a hardware or software sniffer inside the point-of-sale and PIN hardware. The Michaels craft store chain suffered such an attack against their physical point-of-sale and PIN devices in 2011 (Krebs, 2011).

Many small businesses rely on a point-of-sale system vendor to perform technical updates or repairs. In order to provide real-time customer support, especially during non-business hours, some point-of-sale system vendors install a remote desktop environment (RDE) product on the business’s point-of-sale system. Many hackers who target point-of-sale systems begin by gathering a list of common network ports associated with well-known remote desktop products. For example, PC Anywhere typically runs on TCP port 5631 or 65301 for data, and UDP port 22 or 5632 for status transmissions. Hackers will scan IP addresses connected to restaurants or businesses, looking for indications that those ports are open.  Port scanning is a long established technique, and the pre-eminent tool for port scanning is Nmap. There are many options available for the Nmap tool (Lyon, 2008).

B.           Nonvolatile forensic artifacts

For point-of-sale system intrusions, investigators focus on a variety of volatile and non-volatile forensic clues. In general, volatile artifacts are those elements that are in main memory and will disappear if the network connection is lost or if the affected machine is restarted. Non-volatile forensic artifacts are those items that are typically written to disk, such as a file or Windows Registry key. In general, Secret Service best practices call for agents to acquire both kinds of forensic data- if the circumstances of the investigation allow for such collection.

In non-volatile forensic data collection, an important focal point is the Windows Registry, which is a large collection of user and system settings. Many types of malware used in point-of-sale system intrusions leave or modify one or more identifiable keys in the Windows Registry.

Carvey proposes a method for analyzing volatile, semi-volatile, and archived information on Microsoft Windows-based computers (Carvey, 2012). A number of Carvey’s techniques, for example acquiring and analyzing the Windows Registry hives from the live machine, are particularly useful for analyzing compromised Windows based point-of-sale terminals (the terminals where employees place orders and swipe cards for processing) and back-of-house servers (typically a server that transfers card data and approval information between the terminals and external payment networks) (Carvey, 2011). Many forms of malware used in point-of-sale system intrusions leave specific traces in Registry keys, and Carvey’s techniques for Registry hive acquisition and analysis work well with these types of investigations.

The most common approach to malware detection relies on identifying suspicious files by comparing the checksum (many-to-one mapping) of a questionable file against a list of known checksums linked to known malware. Comparing checksums is a simple task that can be performed with a variety of command line or graphical user interface tools. Since most point-of-sale systems use standard commercial software, including underlying operating systems, checksum verification tools can easily be installed and configured on point-of-sale systems to monitor for malicious code with known checksum values. This technique is limited against new (zero-day) exploits for which checksums of the malicious code will not be available.

Ligh et al. propose a number of additional techniques for analyzing files, Windows registry keys, and memory captures for indications of malicious code infection (Ligh et al. 2011). Their analysis of malware-laced documents (e.g., Adobe pdf files, Microsoft Office documents) is beneficial due to the fact that some point-of-sale system users conduct non-business Internet activities (e.g. checking email or browsing Web sites) on point-of-sale terminals, and thus are potential targets for phishing or other forms of social engineering. 

C.           volatile forensic artifacts

Common examples of volatile data are the contents of random-access memory (RAM), running processes, and active network information. Information regarding active processes and network information can be obtained from a series of simple command line tools (e.g., the netstat command), but memory (RAM) capture files may include additional information, such as hidden processes and remnants of terminated network data.

 Okolica and Peterson propose a method for analyzing Windows based memory samples for information regarding, among other things, running processes (Okolica and Peterson, 2010). Carvey and Ligh demonstrate the value of studying active processes on a potentially infected or compromised Windows machine (Carvey 2012; Ligh et al. 2011).  Point-of-sale system malicious code may initiate one or more running processes on the infected system (hidden or not), therefore these techniques may assist investigators.

Hejazi et al describe a method of “application fingerprinting” to extract information beyond string pattern matching and plain text information such as processes (Hejazi, Talki and Debbabi 2009). Furthermore, they explain a method for studying the operating system call stack and stack frame to search for useful information in a memory capture.  This method could be useful to look for indications of malicious code not easily identifiable through simple string searches.

Beverly et al explain a method for extracting network packet data from memory samples (Beverly, Garfinkel, and Cardwell, 2011). Their work describes how network packet artifacts, such as Internet Protocol (IP) addresses, can be recovered, even after network connections have been terminated.  This technique could prove valuable if stolen card data has recently been exfiltrated (either manually or through an automated process) by possibly yielding IP addresses or Domain Name Service information.

D.           Network-based artifacts

A survey done for this thesis will suggest that most point-of-sale system intrusions use fairly simple attack methods and forms of malware. Attacks generally make little or no effort to hide or disguise the file names or process names of their malicious code. Nevertheless, it is useful to study network packet captures of compromised point-of-sale terminals to analyze indications of unauthorized card data transmissions. Furthermore, while most small businesses offer few opportunities for log-file analysis or forensic evaluation of routers and network switches, there are useful methods involving them.

Chappell provides a discussion of Wireshark, the most popular tool for acquiring and analyzing network packets (Chappell, 2012). She suggests several security related scenarios in which network packet captures would be useful for network forensics, such as when an infected machine sends out unauthorized data or attempts to contact a command and control server. In some forms of point-of-sale attacks criminals will establish an automated file transfer protocol (FTP) or simple mail transport protocol (SMTP) service that will automatically send payment-card collection files to an external file server or free Webmail address.

III.          Point of Sale System Breaches: A Homeland Security Perspective

A.                       payment card system compromises: a historical perspective

Despite the significant number of credit and debit-card accounts compromised from the Target point-of-sale system intrusion, it is not the largest payment-card data breach in history. That dubious distinction belongs to Heartland Payment Systems, a payment processing company in New Jersey. In January 2009, Heartland Payment Systems disclosed that hackers had broken into their network and stolen millions of credit-card numbers (Acohido, 2009). In a Federal indictment against the three defendants, the United States Government declared that hackers had compromised 130 million credit and debit card numbers (U.S. v. Gonzalez). Prior to the Heartland Payment systems breach, the largest card theft targeted TJX, parent company of clothing retailers TJ Maxx and Marshalls. Over an eighteen-month period in 2005 and 2006, hackers infiltrated the TJX point-of-sale network and garnered approximately 94 million account numbers (Berg, Freeman, and Schneider, 2008).

A study by FICO, a company that specializes in financial analytics and credit scores, identified point-of-sale fraud as far back as 2001 (FICO, 2010). In 2005, researchers from the Electronic Warfare Association-Canada published a paper describing physical attack scenarios against magnetic stripe-based point-of-sale system terminals (Bowles, Cuthbert, and Stewart, 2005). In 2008, the incident response company Trustwave published a report indicating that point-of-sale system hackers were shifting tactics away from data at rest attacks (e.g. SQL Injection attacks or “smash and grab” attacks, in which an intruder breaks into a network to steal one or more flat files containing payment-card data) toward data-in-memory attacks. Trustwave reasoned that as fewer organizations stored payment card data, and such data was encrypted from the time of the swipe to the verification at a card processing company, the hackers realized the only real opportunity to obtain unencrypted card data was during the brief period of time when the card data was in plain text in the point-of-sale terminal’s random access memory (Trustwave, 2008). Indeed, “memory scraping,” which refers to the act of capturing card data as it briefly enters an unencrypted state in a point-of-sale terminal’s random access memory, is the attack of choice for hackers who target data in transit. Trustwave identified memory scraping as the dominant method of capturing card data in its most recent analysis of payment-card system compromises, the 2013 Global Security Report (Percoco et al., 2013).

B.           recent high-profile point-of-sale system compromises

On December 19, 2013, the Target department store chain announced in a press release that hackers compromised approximately 40 million credit and debit card numbers in a three-week period (Target, 2013, December 19). Target released another statement the next day assuring its customers that only credit and debit card track data (name, card number, expiration date, and CVV) had been stolen. Target emphasized that PIN codes for debit-card transactions had not been compromised (Target, 2013, December 20). Target added that customers who shopped at their online site (i.e., were not affected, suggesting that the intruders compromised the point-of-sale system, the mechanism that processes cards for in-store purchases. On January 12, 2014, Target CEO Gregg Steinhafel confirmed that the data breach included malware infections of point-of-sale terminals (Quick, 2014). In February 2014, investigators focused on Fazio, a company Target contracted for HVAC work. In a publicly released statement, Fazio claimed that they were also victims of the Target data breach, and that Fazio followed industry best practices for information security (Fazio, n.d.; Krebs, 2014, February 12).

Less than a month after Target disclosed its large-scale data breach, representatives from the Neiman Marcus retail chain announced that the high-end retailer had also suffered a network intrusion, compromising 1.1 million credit and debit card numbers (D’Innocenzio, 2014). In a statement, Neiman Marcus revealed that their point-of-sale system was compromised over a period of more than three months (Katz, 2014). According to a Reuters report, malware known as a “memory scraper” was used in both the Target and Neiman Marcus attacks (Finkle and Hosenball, 2014).

The exact potential fraud losses for these two data breaches, affecting over forty-one million credit and debit cards, would be difficult to determine, as each cardholder has a distinct credit limit or debit balance. If we use the United States Sentencing Commission standard of $500 loss per card (United States Sentencing Commission, 2013), then the Target and Neiman Marcus breaches alone could yield over twenty billion dollars in fraud.

C.           Recent Public Discourse Over Point-of-Sale Data Compromises

Even after fifteen years of publicity surrounding point-of-sale system compromises, including high-profile criminal arrests and major intrusions against TJX and Heartland Payment Systems, the recent Target and Neiman Marcus data breaches generated significant public attention. In February 2014, Congress held hearings on the Target and Neiman Marcus intrusions. The focus of the hearings, based on testimony of retail executives and comments and questions by members of Congress, centered on the discussion of whether and when the United States retail and financial sectors should move from magnetic-stripe cards to PIN-and-chip based cards. While a move to PIN-and-chip cards will make the counterfeiting of credit and debit cards more difficult, it will not prevent point-of-sale system intrusions themselves since it does not affect memory scraping(Associated Press, 2014).

A secondary discourse centers on whether the United States Congress should pass a national data-breach notification law. Such a law would require retailers and financial institutions to notify cardholders when a data breach has occurred. A Federal data breach law would supersede the current patchwork of over forty state-level data breach laws. Congress has attempted to pass a Federal data-breach notification law several times over the past decade without success, but the recent focus on Target and Neiman Marcus may provide fresh support for such a law (Selyukh, 2014).

What is absent in the flurry of press releases, Congressional hearings, and news interviews is a discussion of why United States retailers and financial institutions continue to suffer point-of-sale system compromises, despite a long and well publicized history of major breaches.

D.           Subway – A Case Study

On May 04, 2011, a Federal Grand Jury in New Hampshire indicted six individuals, including four Romanian nationals, for hacking into numerous point-of-sale systems. According to the grand jury, the group of hackers broke into point-of-sale systems of over 150 Subway sandwich franchises and fifty other retailers (U.S. v. Oprea et al.). The hacking group ultimately compromised over 100,000 cards, leading to more than $17.5 million in unauthorized charges and remediation expenses (DOJ, 2013).

The grand jury alleged that the group of six hackers broke into Subway and other retail point-of-sale systems over a period of approximately three years, from April 2008 until March 2011. The grand jury identified the following typical sequence of events:

1. The suspects scanned target systems looking for vulnerable remote desktop software (i.e., port scanning for standard ports used by common remote desktop software and services).

2.   The suspects breached the point-of-sale systems by using easy-to-guess passwords or password-cracking tools against the remote desktop software.

3.   Once the hackers had access to the point-of-sale system, they installed a back-door (specified in the indictment as xp.exe). This tool allowed the suspects to regain entry and introduce additional software tools.

4.   The hackers installed a keylogger (not specifically identified in the indictment) that captured card track data.

5.   The hackers exfiltrated the stolen card track data to a series of “dump sites” (FTP servers) maintained by the hackers.

6.   From overseas locations, the hackers would transfer the stolen card data from the dump sites to a central file server controlled by the hackers.

7.   The hackers would “monetize” (i.e., profit) from the theft of stolen card data by either selling the card data in the criminal underground, or by making unauthorized charges against the compromised accounts. In some instances, “the members created phony plastic credit cards by using hardware and software devices (including magnetic stripe readers/writers) to encode blank plastic cards with the stolen credit card data. They then used these encoded plastic cards to make unauthorized charges with various merchants, primarily located throughout Europe (U.S. v. Oprea et al.).”

Since the indictment, three of the six defendants have pled guilty and have been sentenced. Two unnamed suspects have yet to be identified, and one of the named suspects remains at large in Romania.

The Subway case is not the largest in history, nor is it notable for any form of sophisticated malware or hacking techniques. In many ways, though, the Subway case is a classic model of criminal intrusions into point-of-sale systems. The attackers often begin by running a port scan against IP addresses that belong to restaurants and other retailers, looking for port numbers that correspond to remote desktop software or services such as PC Anywhere, Microsoft Remote Desktop, LogMeIn, or GoToMyPC. Remote access software (sometimes known as a remote desktop environment) is common on point-of-sale systems to allow point-of-sale technicians (usually from the company that installed the point-of-sale system) to remotely log in and troubleshoot issues with a business’s point-of-sale system.  Unfortunately these common remote-access products use common port numbers, and the point-of-sale merchants often establish common (de-facto default) user-name and password combinations (Trustwave, 2014).  When the intruders find remote desktop ports open, they try easy to guess passwords, default passwords, or employ brute-force password cracking methods. Once inside the restaurant’s network, the attackers then employ a keystroke logger or memory scraper to capture card track data. The stolen data is then uploaded to an external file server, usually called a “dumps site,” where the criminals later aggregate and sort the card data by card type (Visa, MasterCard, American Express) and location of the issuing bank.

It is worth noting that all of the named suspects, including the three that have pled guilty, are from overseas. Moreover, a portion of the fraud occurred in Europe. The Subway case is but a mere example of how cyber crime has rendered international borders less important, at least for the criminals that gain illegal access to retail establishments, compromise thousands or even millions of cards, then use these accounts to make fraudulent purchases or sell them on “dumps sites,” where anyone with Internet access can purchase credit or debit card data with which to make counterfeit cards. The transnational element of cybercrime, which is prevalent with point-of-sale breaches, presents a unique attack against the financial health of the United States.


E.                       The Transnational Element in Payment System Breaches


On August 07, 2009, French police, using information provided by the United States Secret Service, arrested Vladimir Horohorin as he boarded a plane in Nice on his way back to Russia (DOJ, 2010). According to a Grand Jury indictment, Horohorin, also known as “BadB,” operated a fully automated “dumps site,” A “dumps site” is a Website devoted to the buying and selling of stolen card data (U.S. v. Horohorin). The United States Department of Justice declared that Horohorin ran one of the largest “dumps sites” in the world until his arrest (DOJ, 2012).

On his Website, Horohorin posted two animated videos glorifying the “carder” lifestyle. In his first video, a Russian and an Italian carder are shown enjoying the fruits of their criminal activities while various United States citizens discover that their account balances are empty (Zetter, 2010). In the second video, the Russian hacker is shown accepting a medal from Russian President Vladimir Putin. At the end of the second video, a statement in broken English reads, in part, “we awaiting for new dumps and new incomes, we awaiting you to fight the imperialism of USA. That way we invest U.S. funds in Russian economy and make it grow bigger! (BadB cartoon, n.d.)”

It is impossible to measure the degree to which anti-American sentiment motivates Russian or other international hackers. There is no question, however, that proceeds from card breaches are changing the dynamics of the worldwide underground economy. In the past three years news organizations have published no fewer than three detailed reports about the Romanian town of Ramnicu Valcea, also known as “Hackerville.” According to these articles, proceeds from online fraud and hacking have brought sudden and suspicious wealth to a previously poor city of 100,000 citizens (Bhattacharjee, 2011; Bran, 2013; Odobescu, 2014).

 It is impossible to determine the exact involvement and extent of foreign criminals in the world of payment system intrusions and fraud. Not all data breaches are reported to law enforcement, and even in the cases that law enforcement investigates, only a small portion of the suspects are identified, let alone prosecuted. Furthermore, payment system breaches generally involve three types of criminal activity:

1.   The illegal network or system intrusion into the point of sale system or payment system, which leads to theft of credit and debit card numbers, expiration dates, and in some cases PIN codes and personal information.

2.   The trafficking of numbers of credit and debit cards. Most of the buying and selling of bulk quantities of credit and debit card data is done through Websites variously called “dumps sites,” “carding portals,” or “carding forums.” Some of the more infamous of these were and are Shadow Crew, Carderplanet,, and In general the criminals that steal credit and debit card numbers sell stolen card data to these “carding” or “dumps” sites. While the criminals will often keep a portion of stolen card data for their own personal use, they sell the vast majority to “carding” sites.

3.   The street use of stolen credit and debit card numbers. While the first two kinds of criminals can and often do use compromised card data for their own fraudulent purchases, a large portion of the criminal proceeds occurs by selling data to street-level criminals. For credit-card information, the end-user criminals will make fraudulent purchases online or re-encode the compromised information onto counterfeit credit cards to use in person at stores, hotels, etc. For debit-card information, criminals will make fraudulent purchases online, re-encode the data onto counterfeit cards to make in person fraudulent purchases, or use the counterfeit cards to make cash withdrawals at Automated Teller Machines (ATM), an activity known as a “cash out.” In some instances, a criminal organization will produce hundreds or thousands of counterfeit ATM cards, using stolen card data and PIN codes. The criminal organization will recruit “mules,” or accomplices who are willing to use the fraudulent cards at ATM machines around the world. Generally the “mules” keep a portion of the cash withdrawn, and send the remainder to the criminal organizers.

The layered nature of payment system intrusions and subsequent card fraud means that even a relatively simple theft of credit and debit-card numbers from a small restaurant in Idaho may have connections to large scale transnational organized crime. Figure 1 illustrates a common layout for a “carding” criminal enterprise.







Street Level
Card User
Street Level
Card User
Street Level
Card User






“Dumps” Site 





POS HackerSQL Injection
POS Hacker

                             Figure 1.      Common trans-national criminal underground “carding” hierarchy


The Albert Gonzalez hacking organization provides a good illustration of the trans-national aspect of the criminal “carding” underground. Gonzalez was a hacker involved with the Shadow Crew organization, and later developed his own criminal enterprise. Unlike most carding operations, in which the “dumps” site administrator serves as a pure separator between stolen card sellers (i.e., the POS or other hackers) and buyers (i.e., the street users or “mules”), Gonzalez established and directed all layers of activities. The Gonzalez carding organization included individuals from several countries, thus illustrating the international aspect of the stolen card underground. Figure 2 shows the basic organizational chart of the Gonzalez hacking organization.



Street Level
Card User
Street Level
Card User
Street Level
Card User




“Dumps” Site Operator – Maksym Yastremskiy
Ringleader –
Albert Gonzalez




Hacker – 
Stephen Watt
Hacker –
Patrick Toey
Hacker –
Alexander Suvorov

                                                         Figure 2.      Hacker –
Jonathan James
Hacker –
Aleksander Kalinin
Hacker – 
Vladimir Drinkman
The Albert Gonzalez Carding Organization

F.            The homeland security connection

The examples in the previous section illustrate that theft of card data from point-of-sale systems is truly an international problem. State and local law enforcement agencies are generally limited in their reach against these international crime rings, mainly due to jurisdictional restrictions, but also due to funding and other resource problems. State and local police departments can and do play a critical role in arresting the end users or “mules” of counterfeit credit, debit, and ATM cards. In fact, the dismantling of the Shadow Crew carding organization began largely when a New York City Police detective arrested Albert Gonzalez in the act of “cashing out,” or using counterfeit ATM cards encoded with stolen data (Verini, 2010).


Furthermore, the significant number of compromised card accounts, coupled with billions of dollars in fraud losses and other expenses, poses a serious threat to the health of the United States economy, and is therefore a homeland security problem. Table 1 shows a list of some of the major card breaches in recent U.S. history Krebs, 2013; FBI, 2009; US v. Gonzalez, 2010; Cratty, 2012; Pepitone, 2014). These breaches alone yielded hackers almost 270 million credit and debit card numbers, with an estimated fraud loss of almost $135 billion.

                                                     Table 1.    Payment Card and Fraud Losses for Major Breaches


Number of Payment Cards Compromised

Estimated Fraud Loss

Target Stores

40 million

$20 billion*

RBS World Pay


$9 million

Hannaford Grocery

4.2 million

$2 million

DSW (online shoe store)

1 million

$500 million*

Dave & Buster’s


$3 million

TJ Maxx/Marshall’s

94 million

$47 billion*

Heartland Payment Systems

130 million

$65 billion*

* Exact fraud loss amounts not available; figures derived from the number of payment cards compromised with an average fraud loss of $500, per the United States Sentencing Commission


Criminals obtain the majority of their stolen card numbers by hacking into point-of-sale systems. In fact, of the three largest card data breaches in U.S. history, two were the result of point-of-sale compromises (US v. Gonzalez, 2008; US v. Gonzalez, 2009; Krebs, 2014, February 12):

                           Table 2.   Three Largest Payment-card Breaches and Primary Method of Compromise


Primary Method of Compromise


TJ Maxx/Marshall’s

Point-of-sale system compromised via cracked WEP keys on 802.11 wireless system

Heartland Payment System


SQL Injection against Website

Target Stores


Point-of-sale system compromised after hackers broke into a trusted third party system and made their way to Target’s point-of-sale system


While criminals do obtain stolen card data through various hacking methods, including SQL injection, the majority of compromised accounts and the majority of individual intrusions involve attacks against retail point-of-sale systems. As point-of-sale systems yield the greatest fraud losses and therefore impact on the U.S. economy, any efforts toward mitigating the homeland security problem of trans-national carding organizations must begin with reducing the frequency and impact of intrusions against point-of-sale systems.

IV.         A survey of criminal investigations of point-of-sale system intrusions

A.           Nature and purpose of research

To gain insight into the mechanics of criminal point-of-sale intrusions, we conducted forty-two criminal investigations of point-of-sale breaches by the United States Secret Service.  We reviewed all point-of-sale cases opened from January 2013 through January 2014.  In general, Secret Service agents begin a point-of-sale investigation following one of two conditions:

·         A bank or other financial institution notifies a Secret Service field office that a retail establishment appears to be a “common point of compromise.”  When fraudulent purchases appear on a legitimate cardholder’s account, financial institute fraud investigators look for common locations where the legitimate cardholder used the payment card.  For example, if Mom’s Bank received complaints of fraudulent purchases from twelve different customers, and all twelve made a purchase at Dad’s Café, then Dad’s Café is the common point of compromise, and the nearest Secret Service office to Dad’s café will dispatch an agent to investigate.  Based on results of our research, this is the most common method.

·         Secret Service agents investigating criminal carding organizations will learn about a specific point-of-sale breach through confidential informants or undercover methods.

For our research, we read investigative and forensic reports related to point-of-sale investigations.  For each case, we sent a survey to the lead investigative agent to gather specific information about the nature of the intrusion.

            We attempted to gather the following information:

·         What was the specific manner of intrusion into the point-of-sale system?

·         What was the duration of the compromise?

·         How many cards were compromised, or what was the fraud loss as a result of the intrusion?

·         Did the attackers use malicious code, and if so, what type of code did they use?

·         How did the victims (i.e. the businesses who used the point-of-sale system) learn of the intrusion?

We collected the data with the following larger questions in mind:

·         Are there recurring types of malicious code used with point-of-sale system intrusions?

·         How prevalent are zero-day malicious code infections?

·         What is the average duration of a point-of-sale compromise?

·         What is the average fraud loss or number of cards compromised?

·         What are the primary attack or infiltration methods? 

·         How do the hackers exfiltrate stolen card data from compromised point-of-sale systems?

B.           Survey methods

We identified forty-two new cases concerning point-of-sale system intrusions for the period of January 2013 through January 2014 by reviewing all network-intrusion investigations by the Secret Service specifically focused on point-of-sale systems.  We sent a survey to the case agent in charge of each of the forty-two point-of-sale system investigations.  Of the forty-two surveys we submitted, we received responses from forty-one.  The survey included seven questions related to the nature of the point-of-sale system compromise, including length of intrusion, method of intrusion, method of card exfiltration, and the method by which the intrusion was discovered. 

C.           results

The table in the appendix summarizes each case.  In some instances, specific data was not provided such as duration of the intrusion or specific malicious code used due to one of the following:

o   The business owner or point-of-sale system vendor may have performed a system clean-up or completely rebuilt the system before law enforcement or third-party forensic vendors had an opportunity to perform forensic analysis.

o   During the investigation the case agent (i.e. the Secret Service agent leading the criminal investigation) presented a summary of the case, including fraud loss, identities of suspects, etc., to a federal prosecutor.  If the federal prosecutor declined to prosecute, the Secret Service ceased any further investigation or forensic analysis.

o   In a small number of cases the business owner may have hired a private forensic firm to conduct a private investigation and implement security improvements.  The third-party analyses do not always address the specific research questions we pursued.

o   Some investigations were in the early phases and complete data was not yet available

The table in the appendix provides a summary of each criminal investigation undertaken by the United States Secret Service of point-of-sale system intrusions from January 2013 through January 2014.  The table reveals some interesting statistical trends:

·         The most common entry point into point-of-sale systems was through poorly secured remote-desktop environments.  Other security risks were having no firewall, having missing or out-of-date anti-virus protection, and using point-of-sale system terminals for personal Internet activities.

·         The most common form of malicious code was Perfect Keylogger for hard-disk-based keystroke loggers, and the “sr.exe” and “searcher.dll” pair for random-access memory-based “scrapers.”  A “memory scraper” or “RAM scraper” is malicious code that monitors specific point-of-sale processes in random-access memory to catch payment-card data when it is temporarily unencrypted as it transits certain processes in memory (Kotov, 2014).

·         In most cases, banks or other financial institutions identified the victim business by recognizing the “common point of compromise.”

·         In some instances victims were identified through other Secret Service investigations.  For example, a Secret Service agent may arrest a suspect in a point-of-sale intrusion case who admits to hacking into other, unreported point-of-sale systems.

·         In no cases did the victims first learn about the intrusions on their own.

·         For cases where the duration of the intrusion is known, its average length was 6.3 months.

·         The total number of stolen cards identified to date is 2,498,956 for forty-two criminal cases.  If we use the U.S. Sentencing Commission standard fraud loss per card of $500.00, then the potential fraud loss for these forty-two investigations alone is $1.2 billion.  The number of compromised cards will likely grow as financial institutions complete their assessments.

This survey revealed that point-of-sale system intrusions were not sophisticated, because they did not need to be.  In most cases, hackers breach the point-of-sale system by scanning for standard port numbers associated with remote desktop environment products or services.  Then the hacker generally tries default passwords or easy-to-guess passwords.

V.          forensic indicators of point of sale system attacks

A.           Point-of-sale system attack characteristics

Point-of-sale system intrusion methods reflect the gamut of the larger world of network intrusions and include a mix of physical attacks, Web-based attacks, and network attacks.  A brief survey of some of the largest point-of-sale system intrusions illustrates this spectrum (Berg, Freeman, and Schneider, 2008; Krebs, 2011; Krebs, 2014, February 06; US v. Gonzalez, 2009):


Table 3:  Intrusion Methods for Major Point-of-sale Intrusions


Initial method of intrusion

TJ Maxx chain

Cracked WEP Wi-Fi password

Michael’s Craft  Stores

Physical tampering of POS terminals

Target Department Store chain

Compromised 3rd party credentials

Hannaford Supermarket chain

SQL Injection


While criminals apply a variety of methods against larger retail corporations, they more often attack smaller retail establishments by focusing on remote-desktop (remote-access) connections. The statistical data collected in Chapter 4 show that out of thirty cases with a known or suspected method of compromise, sixteen involved remote desktop software.  In a white paper for the 2010 Black Hat USA conference, researchers from the security and forensics company Trustwave called exploitation of point-of-sale remote access “the easy way” (Percoco and Ilyas, 2010).  Trustwave’s 2013 Global Security Report identified remote desktop exploitation as the cause of 47% of all network intrusions that company investigated (Trustwave, 2013).

Many small and medium-size retail establishments use simple remote-access software (e.g. PC Anywhere, GoToMyPC, LogMeIn, or Microsoft Remote Desktop) to allow point-of-sale technicians and restaurant managers to remotely access the system at any time.  If a bar or restaurant experiences point-of-sale system troubles during a busy Saturday night, the establishment wants the system fixed immediately, and the point-of-sale technician wants to avoid a possibly long drive to the restaurant.  Thus, there is sound business logic for remote access.  Criminals have learned, however, that many businesses use remote-access products with weak passwords.  Therefore, criminals merely need to run a port-scan tool such as Nmap against potential point-of-sale IP addresses, looking for standard port numbers for remote access products.  For example, Microsoft’s Remote Desktop Protocol runs on TCP port 3389, and PC Anywhere operates on TCP port 5631 or 5632.  Once an attacker has collected a list of potential targets, the attacker can try a list of common login names and passwords.  In some cases, point-of-sale system components were left configured with standard login name and password combinations (e.g user name “aloha,” password “aloha”), which exacerbated the problem (Trustwave, 2014).


Once criminals have entered the point-of-sale network, they usually install malicious code designed to capture payment-card data.  In general, this malicious code is either traditional keylogger software (e.g. Perfect Keylogger) or random-access memory (RAM) scrapers.  Keylogging software monitors input sources such as keyboards and card readers.  Keylogging software such as Perfect Keylogger collects captured card data into a log file.  The criminals may retrieve the log file manually (using the original intrusion method, often a poorly-secured remote-access application) or establish a file transfer protocol (FTP) or simple mail transfer protocol (SMTP) service to exfiltrate data from the compromised system.  Attackers can configure the SMTP or FTP service to periodically export a payment-card log file to an external server or Web mail account.

Malware scrapers are currently the more common method of capturing card track data (Trustwave and USSS, 2012).  When an employee swipes a card, the track data is briefly held in memory before the point-of-sale application encrypts it.  Memory scrapers monitor specific buffers in memory known to be associated with specific point-of-sale processes.  When the malicious code identifies new payment-card data, it is copied to a log file on the hard drive of the infected point-of-sale machine.  Depending on the specific memory scraper tool being used, the scraper may perform additional actions on the collected data, such as parsing and encryption.  Criminals can then retrieve the collected card data manually, repeating the initial intrusion methods (Trustwave, 2014).

B.           A forensic case study

In a typical point-of-sale system implementation, employees swipe cards at one or more point-of-sale terminals. The track data is sent to a buffer in memory, either on the terminals themselves or at the back-of-house server (Trustwave, 2014; Trustwave, 2010).  The point-of-sale system software reads the card data from the memory buffer and encrypts the cardholder data before it is sent to a financial institution for approval.  Memory scrapers target cardholder data inthe brief instant that it is unencrypted in the memory buffer.

To provide insight into potential forensic evidence from a criminal compromise of a point-of-sale system, we examined a back-of-house server from a victim restaurant.  The compromised machine ran Microsoft Windows XP Service Pack 2 and a standard copy of Aloha Manager/EDC point-of-sale software, along with a copy of Symantec’s PCAnywhere to support remote access.  The built-in Windows firewall was disabled, as were Windows Automatic Updates for system security patches.

For this server, we performed the following forensic steps:

1.         We began with a “clean” Universal Serial Bus thumb drive.  The drive was formatted with the NTFS file system to eliminate possible storage problems (e.g. file size and file name length) with the FAT 32 file system.

2.         On the thumb drive we installed a “known good” copy of cmd.exe taken from a different computer with a fresh installation of Microsoft Windows. 

3.         We added a copy of the tool “Dumpit” from Moonsols to collect a copy of the target system’s random access memory (RAM).  As a backup tool, we added a copy of Access Data’s FTK Imager Lite.

4.         On the live (compromised) system, we inserted the thumb drive.  After it mounted, we navigated to the drive letter of the thumb drive and ran the program cmd.exe.

5.         At the Windows Command Line Interface (CLI), we collected volatile and system information via the following commands:

·         F:\ ipconfig /all >>collection.txt

·         F:\ natstat –ano >>collection.txt

·         F:\ whoami >>collection.txt

·         F:\ systeminfo >>collection.txt

·         F:\ net user >>collection.txt

·         F:\net accounts >>collection.txt

·         F:\openfiles >>collection.txt

·         F:\taskist /v >>collection.txt

·         F:\wmic process list full >>collection.txt

·         F:\net start >>collection.txt

·         F:\tasklist /svc >>collection.txt

·         F:\schtasks >>collection.txt

·         F:\wmic startup list full >>collection.txt

·         F:\ wmic useraccount where name=’edc’ get sid

The last command collected the system-identification value for the current logged-on user.  This information is necessary to manually copy the user’s ntuser.dat file.

6.         We ran the tool Dumpit from Moonsols from the command line, which copied the contents of the live system’s random-access memory into a dump file in the .raw format.

7.         We manually copied the Windows Registry hive files with:

·         F:\ reg save HKLM\SAM f:\regsamdump

·         F:\ reg save HKLM\SYSTEM f:\regsystemdump

·         F:\ reg save HKLM\SECURITY f:\regsecuritydump

·         F:\ reg save HKLM\SOFTWARE f:\regsoftwaredump

·         F:\ reg save hku\{user’s SID value} f:\ntuserdump.dat

8.         We manually copied the Windows Event Logs using “copy *.wev f:\.”

9.         We analyzed the gathered information with a variety of forensic tools, including:

·         Bulk Data Extractor :         Used for parsing useful strings (e.g. email addresses, Internet Protocol addresses) out of source, such as our memory dump file

·         Strings :        Used for pulling clear text strings out of a source, including formatted files

·         Redline :        Used for analyzing running processes and looking for indications of malicious code and rootkit infections

·         RegRipper :              Used to parse data from Windows Registry hives, including installed software, mounted hardware, entries in the Windows Prefetch file, and more.

·         Volatility :      Used to extract specific information such as data on running processes from memory-dump files.  Volatility is built on a modular framework, which allows an examiner to choose specific plug-ins. 

·         YARU :          Used for exploring imported Windows Registry hives in the native directory structure

·         Event Log Explorer :         Used for importing Windows Event Logs.  Although the native Windows Event Viewer works well for this task, the Event Log Explorer tool offers more export options and can concatenate multiple Windows event logs into one file.

In the case of the compromised back-of-house server, forensic analysis revealed that criminals installed a three-part memory scraper tool on the server. The loader (controller) file rpcsrv.exe appears on a security alert of point-of-sale malicious code published by Visa, Inc. in 2009 (Visa, 2009), though the other files were not recognized.

The loader functioned as the malicious-code installer.  It added a service for persistence, pointing to itself, and also loaded the other two files, one for parsing card strings in memory, and the other for data aggregation.  After running the Strings tool against this file, the output revealed the two files this controller file was set to begin:

start /min algsvc.exe

start /min rdpsvc.exe


The second component was the actual memory-scraper tool.  Memory scrapers are generally written to monitor specific point-of-sale executable files that process card track data.  In the case of the infected back-of-house server, this machine ran Aloha’s EDC (Electronic Draft Capture) software for processing swiped card data.  The memory scraping tool, algsvc.exe, monitors the legitimate Aloha process (edcsvr.exe) in memory for credit card strings.  An analysis of the memory scraper with the Strings tool shows specific references to edcsvr.exe.

The third component was a data-aggregation tool, rdpsvc.exe.  It monitored data collected from the memory scraper and parsed card data.  This data was then obfuscated and sent to dump files, which the criminals would retrieve manually.

C.           Sample forensic indicators of point-of-sale system intrusions

Non-volatile evidence may be collected via several techniques, including full disk-drive imaging with a write-blocking mechanism and imaging software, or through the collection of specific files or directories.  In some instances an establishment is unable or unwilling to take its point-of-sale system offline for traditional disk imaging in which case non-volatile information can be collected directly from the machine.

Nonvolatile evidence includes persistent malicious code, Windows Registry keys, cache files, and log files.  Malicious code in the form of keyloggers, especially common applications like Perfect Keylogger, will likely generate positive hits with anti-virus products.  Point-of-sale specific malicious code may not be included in standard anti-virus signature lists, but Web resources do provide MD5 checksum values and Windows Registry key values for some malware scrapers (Visa, 2009; Trustwave, 2010; iSight, 2014; Wilson, Loftus, and Bing, 2013; Higgins, 2014).

For example, the security research company iSight published a list of non-volatile forensic indicators for the Kaptoxa point-of-sale malicious code set, which many believe was used in the Target department store intrusion (iSight, 2014; Krebs, January 2014).  This list includes additions and modifications of fifteen Windows Registry keys (e.g. HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_POSWDS\0000\Control) and eighteen malicious code files that may be present in a Kaptoxa-infected point-of-sale system including name, extension, size, and four different hash values for each malicious file.

Volatile evidence is obtained by deploying specific data collection tools on the live machine.  Although the use of these tools on a live device will leave evidence that an examiner used such tools (for example, in the Windows Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) (Carvey, 2011), most live-response collection tools and methods leave a minimal footprint.

Volatile evidence may include running processes (hidden or open), suspicious network ports, volatile Windows Registry key values, temporary files, and memory-only malicious-code activity. An examiner may have prior information that enables them to focus on certain suspicious network ports or running processes. For the case study of the server, we know that the controller file loaded the memory-scraper program (algsvc.exe) and the card data parsing and aggregation program (rdpsvc.exe), both of which ran as normal (i.e. non-hidden) processes.

Network evidence can be useful to learn how stolen data exited the impacted network, as well as its destination.  In some instances, for example zero-day exploits or highly stealthy techniques, network forensics may be the best option for discovering the outbound export of sensitive data.  Indeed, when Google fell victim to an Advanced Persistent Threat (also known as an Operation Aurora attack) intrusion in 2010, Google’s incident-response team relied on Domain Name Service logs to piece together the nature of the attack (Westervelt, 2010).

Network forensic evidence is also useful in an investigation, and can come from log files (Domain Name Service, mail, Web, Dynamic Host Configuration Protocol, etc.) or by capturing network packets in real time.  For the latter, the investigator can use a small network tap, a span port on a network switch, or a packet-capture tool such as Windump or Wireshark, although these generally require installation of new software which may violate the principle of making as few changes to the original evidence as possible.  Capturing network packets in real time can be challenging, as the resulting capture files can grow very quickly.  Nevertheless, running packet capture tools on traffic of a suspected infected machine may be the best option for determining the methods and destinations of outbound compromised data.  As an example, the Arbor SERT revealed the following signatures from the recent Dexter point-of-sale malicious code (Wilson, Loftus, and Bing, 2013):

·         GET /hint/chck.php HTTP/1.1

·         Host: rome0[.]biz

·         Accept: text/html, */*

·         Accept-Encoding: identity

·         User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC!

·         Hxxp://

VI.         recommendations for preventing point-of-sale intrusions

A.           Technical security recommendations

Information gathered from criminal investigations of point-of-sale system intrusions and from trend reports from Trustwave demonstrate that criminals often use predictable patterns of attack behavior along with easily identifiable malicious code.  Poorly secured remote access is perhaps the most common entry method for criminals, and we recommend that retailers pay particularly close attention to improving it.

1.   Secure remote access capabilities

If remote access between point-of-sale vendor technicians and the point-of-sale system is a necessary evil, then the point-of-sale system operators must operate it as securely as possible.  We offer the following recommendations:

A.   Avoid if possible remote-access products and services such as PCAnywhere, GoToMyPC, Microsoft RDP, LogMeIn, etc.  Point-of-sale system operators can install an effective yet inexpensive hardware firewall with virtual private networking capabilities, such as the Cisco ASA 5510, sold by a variety of vendors for under $400.

B.   If commercial remote access products are unavoidable, point-of-sale operators (i.e. the restaurant, hotel, or store) should establish good passwords necessary to access the system.  Do not allow point-of-sale system vendors to establish user names and passwords.  Users should follow best practices for length, expiration, and complexity.  Users can check the strength of a given password from a variety of password checking Web sites, including

C.   If commercial remote-access products are unavoidable, point-of-sale operators should consider enabling the remote access service only when it is needed.  If an off-site employee or point-of-sale technician requires remote access, require that they call in to request its enablement.  Point-of-sale operators should be able to disable the remote-access product when not in use by suspension or shut-off functions within the application, or by stopping the running process at the command line or within Windows Task Manager.

2.   Use an effective anti-virus product

Anti-virus products may not be effective against some types of malicious code that only attacks point-of-sale systems (Trustwave, 2014).  Nevertheless, anti-virus products are still effective in identifying popular keystroke logging tools, such as Perfect Keylogger.  Point-of-sale system users should use an anti-virus product, configure it to receive automatic updates, and run automatic scans.

3.   Use a firewall

In addition to using a hardware firewall to protect the point-of-sale system’s network, operators should use a software firewall on each terminal and the back-of-house server. These add an additional layer of security and another opportunity for log file activity.  Microsoft Windows includes a built-in firewall with the Windows operating system. 

4.   Restrict point-of-sale nodes to specific business use

Point-of-sale system operators should forbid employees from using point-of-sale system terminals and back-of-house servers for other Internet activities such as visiting Web sites, checking e-mail, etc.  All nodes on the point-of-sale system should be restricted to the business functions of processing sales and card information to limit opportunities for malicious access.

5.   Operate point-of-sale system nodes with least privileges

Operations of point-of-sale terminals and back-of-house servers should use minimal privileges, i.e. non-administrative accounts.  Operators should disable any unnecessary accounts (e.g. guest) and ensure all accounts follow information security best practices for password use (length, expiration, complexity, etc.).

6.   Harden the operating system of point-of-sale system nodes

Point-of-sale system operators should strengthen the security of the underlying operating systems of point-of-sale nodes. They should consider security configuration guides from the National Institute of Standards and Technology.  Specific suggestions include enabling automatic updates and disabling unnecessary applications and services.

B.           A point-of-sale-system security awareness campaign

Several organizations have published advisories and security configuration checklists for point-of-sale terminals.  For example, in January 2014 the United States Computer Emergency Readiness Team (US-CERT) published a two-page document, “Malware Targeting Point of Sale Systems” (US-CERT, 2014).  This advisory provides a brief overview of point-of-sale systems, the nature of point-of-sale system compromises, and a brief bulleted list of recommended security steps.  Visa released a slightly more technical report, “Retail Merchants Targeted by Memory-Parsing Malware – Update (Visa, 2014).”  This document provides a more specific two-page list of point-of-sale system security steps, but Visa also includes without explanation a two-page list of point-of-sale system malicious code file names and MD5 hash values.  Although this information is very helpful to investigators, it is doubtful that most small and medium size point-of-sale operators will know what to do with MD5 hash values.

The Department of Homeland Security can help lead a public awareness campaign for the improvement of point-of-sale system security.  This program clearly meets two key objectives of the Department, as specified in the Quadrennial Homeland Security Review Report (DHS, 2010): (1) prevent cyber crime and other malicious uses of cyberspace, and (2) enhance public awareness.

As a precedent, the United States Secret Service, a component of the Department of Homeland Security, has for several years managed a successful international public awareness campaign concerning genuine currency.  This awareness campaign uses a multi-level approach to public education, ranging from colorful flyers and posters for general information to detailed Web sites, seminars, and brochures for banks, retailers, and others who handle large amounts of currency.  A point-of-sale security public awareness campaign could follow a similar layered approach.  The first layer can feature easy-to-follow flyers, posters, and brochures that illustrate basic elements of point-of-sale system security.  These items should use graphics and catchy phrases that will capture the attention of average point-of-sale system users.  Middle layers can provide more specific “checklist” style steps toward improving point-of-sale system security, most likely in document format.  Advanced layers can provide more technical security improvement procedures, including specific steps for different vendors of point-of-sale systems. 


Summary of United States Secret Service point-of-sale system intrusion investigations (RDE = Remote Desktop Environment)



Case #

Possible Intrusion Method

Malware and/or Hacker Tools Used

Victim Notified by:

Fraud Loss or Number of Payment Cards Stolen:  Category

Approx. Duration of Intrusion










Vulnerable RDE

Unspecified keylogger and remote Trojan







Vulnerable RDE

Sr.exe; searcher.dll; run.exe






Unknown but RDE in use




3 months

Victim did partial system repair prior to law enforcement contact


RDE with weak password; no firewall

Sr.exe; searcher.dll; run.exe



3 months



Vulnerable RDE

Sr.exe; searcher.dll



1 month




Sqlmgmt.exe; Rptsvc32.exe; sppt32.exe



2 months



RDE with default passwords

Perfect Keylogger



5+ months



Weak login password

Suidshell malware



5 months

Rare *nix POS system


POS terminals used for personal Internet activities




Perfect Keylogger; wuauclt.exe

Data from another criminal case


8 months





Data from another criminal case


2 months




Unspecified RAM dumper



14 months




Unspecified Trojan (hidden as “scvhost.exe”; note the unusual spelling)

Data from another criminal case


6 months










Anti-virus 2 years out of date; POS terminals used for personal Internet use

Two possible:  “msseces.exe” and “ctfmon.exe”



5 months



No firewall; no anti-virus







Vulnerable RDE

Perfect Keylogger



5 weeks



Vulnerable RDE

Unspecified RAM dumper






Weak passwords

“Wnhelp.exe”; “Mmon.exe” (the latter specifically captures credit card track data); SAMInside password cracker found on system



5 weeks



Blank admin password

“Sr.exe” and “Searcher.dll”



27 months




Survey not returned






Weak passwords

“Sr.exe” and “Searcher.dll”






Possible infection due to use of POS system for personal Internet use




“Downloadermstdc.exe”; possibly 61 pieces of malicious code across multiple franchise locations



3 months



POS vendor’s RDE account was compromised

“Trojan.agent.s.z”; “Aluroot-b”






Evidence that victim was phished

Unspecified malicious code













Victim’s card processing company was penetrated

Evidence of malicious command shell access found during forensic work, but no specific malware or hacking tools found to date



1 month



3 different RDE products found on POS system; owner only knew of one







Vulnerable RDE







Vulnerable RDE

2 Keyloggers:  “hkcmd.exe” and “winupd.exe”; 2 RAM scrapers: “sr.exe”/”searcher.dll” and “mmon.exe”

Private Forensic Company


9 months




Perfect Keylogger



c. 4months



No firewall; vulnerable RDE

2 Keyloggers: “Perfect Keylogger” and “Ardamax”


3,600 cards

20 months



No firewall; vulnerable RDE

Perfect Keylogger

Data from another criminal case








17 months








Perfect Keylogger


Data from another criminal case




8 months




“Ardamax” keylogger and “Infostealer.bancos Trojan

Data from another criminal case


4 months




Zero day or custom Keylogger

Data from another criminal case









Vulnerable RDE

“Ardamax” keylogger

Data from another criminal case


16 months

Criminal intent may be more focused on identity theft than payment card fraud


Vulnerable RDE

Unknown but “Ardamax” keylogger suspected

Data from another criminal case


1 month

Criminal intent may be more focused on identity theft than payment card fraud



Zero day or custom keylogger



4 months




“Alghlp.exe”; “Ntmpsvc.exe”; “Mcservice.exe”



3 months



Business chain; most franchises used RDE

All victim franchises had some combination of “Sr.exe”/”Searcher.dll”; “Rdasrv.exe”; and “Cardrecon_v1.14.17_cracked.exe” on their systems









“Trojan 2-bot” and unspecified keylogger



Unknown but fraud attempts lasted for 2 months

POS vendor did some clean up before law enforcement involvement


Vulnerable RDE

“Sr.exe” and “Searcher.dll”



1 month



Vulnerable RDE

“Zbot” (aka Zeus Trojan); “Alina” virus (RAM scraper)



1-3 months



Note that some entries with “unknown” data are recent cases in which forensic or investigative data may be forthcoming.  In others, a federal prosecutor declined further consideration of the case, causing law enforcement to cease forensic and investigative activities.

 “Vulnerable RDE” means the victim used a default installation of a popular remote desktop environment, usually PC Anywhere, GoToMyPC, LogMeIn, or Microsoft Remote Desktop.  In some cases the victim (business) was not aware of the presence of the remote desktop environment; in many cases the remote desktop environment used weak passwords.


Key for “Fraud Loss or Number of Payment Cards Stolen” column:


A – Fewer than 10,000 payment cards stolen

B – 10,001 – 25,000 payment cards stolen

C – More than 25,000 payment cards stolen

D – Fraud loss less than $50,000

E – Fraud loss between $50,000 and $250,000

F – Fraud loss greater than $250,000



List of References

Acohido, B.  (2009, January 20).  Hackers Breach Heartland Payment Credit Card System.  Retrieved from USA Today website:

Associated Press.  (2014, February 04).  Target Data Breach Pits Banks Against Retailers.  Retrieved from

Berg, G., Freeman, M., & Schneider, K. (2008, August).  Analyzing the TJ Maxx Data Security Fiasco.  The CPA Journal Online. Retrieved from

Beverly, R., Garfinkel, S., Cardwell, G.  (2011). Forensic Carving of Network Packets and Associated Data Structures.  Digital Investigation, Volume 8 pp. S78-S89

Bhattacharjee, Y.  (2011, January 31).  How A Remote Town in Romania Has Become Cybercrime Central.  Retrieved from website:

Bowles, S., Cuthbert, B.,  & Stewart, W. (2005, September 22). Typical Attack Techniques for Compromising Point of Sale PIN Entry Devices.  EWA-Canada.  Retrieved from

Bran, M.  (2013, January 07).  In Romania, A Quiet City Has Become the Global Hub For Hackers and Online Crooks.  Retrieved from website:

Carvey, H. (2012). Windows Forensic Analysis Toolkit, Third Edition.  Waltham, MA:  Elsevier.

Carvey, H. (2011). Windows Registry Forensics:  Advanced Digital Forensic Analysis of the Windows Registry.  Burlington, MA:  Elsevier.

Chappell, L.  (2012).  Wireshark Network Analysis, Second Edition.  San Jose:  Protocol Analysis Institute.

Cratty, C.  (2012, July 18).  Hacker Gets 7 Years in Thefts of More Than 240,000 Credit Card Numbers.  Retrieved from website:

Department of Homeland Security (DHS). (2010).  Quadrennial Homeland Security Review Report.  Washington, DC: Author.  Retrieved from

Department of Justice.  (2013, September 04).  Two Romanian Nationals Sentenced to Prison for Scheme to Steal Payment Card Data. Retrieved from

Department of Justice.  (2012, June 15).  Alleged International Credit Card Trafficker “Badb” Extradited from France to the United States.  Retrieved from

Department of Justice.  (2010, August 11).  Alleged International Credit Card Trafficker Arrested in France on U.S. Charges Related to Sale of Stolen Card Data.  Retrieved from

D’Innocenzio, A.  (2014, January 12).  Neiman Marcus Latest Chain to Disclose Credit Card Theft. Retrieved from Boston Globe website:

Douglas, Danielle.  (2014, February 04).  Retailers to Congress:  There’s No End In Sight For Credit Card Breaches.  Retrieved from Washington Post website:

Fazio, R.  (n.d.)  Statement on Target Data Breach.  Retrieved from website:

Federal Bureau of Investigation.  (2009, November 10).  International Effort Defeats Major Hacking Ring.  Retrieved from

FICO.  (2010, October).  Card Compromises- New Risks and Best Practices. Retrieved from

Finkle, J., & Hosenball, M.  (2014, January 12).  Exclusive:  More Well-Known U.S. Retailers Victims of Cyber Attacks- Sources.  Retrieved from website:

Fraud and Related Activity in Connection With Computers, 18 U.S. Code § 1030 (2008).  Retrieved from

Hans, G.S.  (2014, February 07).  Target and Neiman Marcus Testify On Data Breach- But What Reforms Will Result?  Retrieved from Center for Democracy and Technology website:

Hejazi, S.M., Talhi, C., & Debbabi, M.  Extraction of Forensically Sensitive Information From Windows Physical Memory.   Digital Investigation, 6, S121-S131.

Hizver, J. and Chiueh, T. (2012).  An Introspection-Based Memory Scraper Attack against Virtualized Point of Sale Systems.  Lecture Notes in Computer Science, vol. 7126.  Pp 55-69

iSight Partners.  (2014, January 14).  Kaptoxa Point-of-Sale Compromise.  Retrieved from website:

Katz, K.  (2014, January 22).  To Our Loyal Neiman Marcus Group Customers.  Retrieved from Neiman website:

Krebs, B.  (2014, February 12).  Email Attack on Vendor Set Up Breach at Target.  Retrieved from KrebsOnSecurity website:

Krebs, B.  (2014, February 06).  Target Hackers Broke In Via HVAC Company.  Retrieved from KrebsOnSecurity website:

Krebs, B.  (2014, January 10).  Hackers Steal Card Data From Nieman-Marcus.  Retrieved from KrebsOnSecurity website:

Krebs, B. (2013, December 18).  Sources:  Target Investigating Data Breach.  Retrieved from KrebsOnSecurity website:

Krebs, B.  (2011, May 11).  Breach at Michaels Stores Extends Nationwide. Retrieved from KrebsOnSecurity website:

Lyon, G. (2008) NMAP Network Scanning:  The Official NMAP Project Guide to Network Discovery and Security Scanning.  Sunnyvale, CA:  Insecure.Com LLC.

Odobescu, V.  (2014, January 13).  U.S. Data Thefts Turn Spotlight on Romania.  Retrieved from website:

Pepitone, J.  (2014, January 12).  5 of the Biggest Ever Credit Card Hacks.  Retrieved from website:

Percoco, N., Ilyas, J.  (2010, July 01).  Malware Freakshow 2010.  Retrieved from website:

Percoco, N., Sheppard, C., and Ilyas, J. (n.d.).  Evolution of Malware:  Targeting Credit Card Data in Memory.  Retrieved from Trustwave website:

Percoco, N. et al.  (2013).  Trustwave 2013 Global Security Report.  Retrieved from Trustwave website:

Quick, Becky.  (2014, January 12).  Target CEO Defends 4-Day Wait to Disclose Massive Data Hack.  Retrieved from website:

Raff, Aviv. (2014, January 16).  PoS Malware Targeted Target.  Retrieved from Seculert website:

Selyukh, A.  (2014, February 11).  New Hopes For U.S. Data Breach Law Collide With Old Reality.  Retrieved from website:

Target Corporation. (2013, December 19).  Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores.  Retrieved from

Target Corporation. (2013, December 20).  A Message From CEO Gregg Steinhafel About Target’s Payment Card Issues.  Retrieved from website:

Trustwave.  (2014, March 10).  Combatting Point-of-Sale Malware:  White Paper.  Retrieved from

Trustwave.  (2012).  2012 Payment Card Trends and Risks for Small Merchants.  Retrived from

Trustwave.  (2008).  Forensics Update:  Trustwave’s Investigations of Credit Card Compromises Through October 2008.  Previously available from

United States of Amercia v. Albert Gonzalez.  (2010, March 18).  United States District Court, District of Massachusetts.  Retrieved from website:

United States of America v. Albert Gonzalez, Hacker 1, and Hacker 2.  (2009, August 17).  United States District Court, District of New Jersey. Retrieved from


United States of America v. Adrian-Tiberiu Oprea, Cezar Iulian Butu, Iulian Dolan, and Florin Radu.  (2011, May 04).  Case number Cr. No. 11-cr-64-01/04-SM.  Retrieved from website:

United States of America v. Vladislav Anatolievich Horohorin.  (2009, November 12).  Case 1:09-cr-00305-ESH.  Retrieved from

United States Senate.  (2014, March 26).  A “Kill Chain” Analysis of the 2013 Target Data Breach.”  Retrieved from

United States Sentencing Commission.  (2013).  2013 Guidelines Manual.  Washington, DC: Author. Retrieved from

Unknown author.  (2010, August 12).  A BadB Welcome Cartoon.  Retrieved from YouTube website:

US-CERT.  (2014, January 02).  Malware Targeting Point of Sale Systems.  Retrieved from

Venter, S., Sheppard, C., & and Percoco, N. (2010, June).  POS Memory Parsing Malware Briefing:  Attacks on Kernel Memory.  Retrieved from Trustwave website: http://Trustwave_SpiderLabs_Briefing_POS_Malware_Attacks_on_Kernel_Memory_June_2010-2.pdf

Verini, J.  (2010, November 10).  The Great Cyberheist.  Retrieved from The New York Times website:

Visa Inc.  (2009, November 06).  Visa Data Security Alert:  Targeted Hospitality Sector Vulnerabilities.  Retrieved from

Westervelt, R.  (2010, June 17).  How Google Used DNS Logs to Investigate Aurora Attacks.  Previously retrieved from website:

Wilson, C., Loftus, D. & Bing, M.  (2013, December 03).  Dexter and Project Hook Break the Bank:  Inside Recent Point-of-Sale Malware Campaign Activities.  Retrieved from website:

Zetter, K.  (2010, August 11).  Alleged Carder ‘BadB’ Busted in France—Watch His Cartoon.  Retrieved from website:

Zetter, K.  (2009, December 21).  Albert Gonzalez Enters Guilty Plea in Heartland, Hannaford Cases.  Retrieved from website:




Initial Distribution List

1.         Defense Technical Information Center

            Ft. Belvoir, Virginia


2.         Dudley Knox Library

            Naval Postgraduate School

            Monterey, California