[ultramancool]

The term "RAM scraper" seems pretty stupid to me.

These are likely using hooking. They don't scan RAM all the time, instead they patch or inject code into the POS software and then record the data when that code is called.

Think of something like Microsoft Detours. RAM scrapers seems a pretty inaccurate description.

[alexkus]

> How RAM Scrapers Work

> Once on a targeted system, RAM scrapers work by examining the list of processes that are running on the system and inspecting the memory for data that matches the structure of credit card data, such as the account number, expiration date, and other information stored on a card’s magnetic stripe.

No hooking, sounds exactly like they're looking through the memory assigned to each process looking for the right looking data.

[ultramancool]

Okay, so, how do they harvest live data? Scan constantly? That would have a risk of missing something or of slowing down the system.

I suspect that is just an oversimplification, of course, unless they post the malware in question I can't really say for sure.

[tkmcc]

That's exactly what they do. They'll call ReadProcessMemory() on every process and then use a regex + Luhn algorithm to check for credit card data. I'm sure some of the more advanced and targeted ones do use hooking, and some filter the processes to scrape by name, but a lot of malware authors are surprisingly amateur.

further reading: http://www.trendmicro.com/cloud-content/us/pdfs/security-int...

[ultramancool]

Wow, that's sort of surprising to me. Perhaps just due to having some RE background, though maybe it's not stupid or amateur. It may actually be a better strategy if you want to minimize time in the store (no separate trip to steal the POS software first) and effort (no reverse engineering necessary).

[doug11235]

My guess is that 100% robustness wasn't a big concern. Getting 80% of a lot is good enough.