POS network pivot → RAM-scraper → card data exfil
The Target 2013 / Home Depot 2014 chain: vendor foothold → flat payment-switch VLAN → drop memory-scraping malware on POS terminals → exfil track data through a payment-switch host.
§ Context
Assumed environment: the target retail / hospitality network is flat between the payment switch and the POS terminals. POS terminals are Windows-based with no application allowlisting.
§ Steps
- 01. Exfil to attacker drop server (Exfiltration; T1041: Exfiltration Over C2 Channel)
- 02. Compromise vendor / contractor with network access (Initial Access; T1078: Valid Accounts)
- 03. Connect via vendor VPN / portal (Initial Access; T1133: External Remote Services)
- 04. Stage on payment-switch host (Collection; T1074: Data Staged)
- 05. Scrape track-2 data from RAM (Collection; POS-RAM-SCRAPE: POS RAM Scraping)
- 06. Deploy RAM-scraper malware on POS (Collection; POS-RAM-SCRAPE: POS RAM Scraping)
- 07. Pivot to payment-switch VLAN (Lateral Movement; POS-PAYMENT-SWITCH: Payment-Switch Network Pivot)
§ References
- T1041: Exfiltration Over C2 Channel
- T1078: Valid Accounts
- T1133: External Remote Services
- T1074: Data Staged
§ Frequently asked
- What is the "POS network pivot → RAM-scraper → card data exfil" attack path?
- The Target 2013 / Home Depot 2014 chain: vendor foothold → flat payment-switch VLAN → drop memory-scraping malware on POS terminals → exfil track data through a payment-switch host. It chains 7 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Exfil to attacker drop server (T1041), an exfiltration primitive. Assumed environment: the target retail / hospitality network is flat between the payment switch and the POS terminals.
- What is the final impact of this kill-chain?
- The final step lands on Pivot to payment-switch VLAN (POS-PAYMENT-SWITCH), which falls under Lateral Movement. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References": every technique page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Apple Pay Express Transit relay → high-value contactless fraud (2 shared techniques): Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from the victim's pocket to a real terminal.
- Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus) (2 shared techniques): Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
- Vesting beneficiary replace → silently drain stream (2 shared techniques): Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; the legitimate token stream now flows to the attacker until released funds are noticed.
- Insider admin panel coercion → mass account takeover (Twitter 2020) (2 shared techniques): Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.
- ERC-4626 first-depositor inflation → drain new deposits (2 shared techniques): Be the first depositor with 1 wei → mint 1 share. Send tokens directly to the vault to inflate share price. Every subsequent depositor's amount, integer-divided by the inflated rate, rounds to zero shares.
- MEV bot honeypot → drain searcher (2 shared techniques): Plant a transaction that looks like easy arbitrage in the public mempool. The MEV searcher bot front-runs into a trap contract whose 'profit' function reverts and seizes the searcher's gas + funds.