According to a security alert published by Visa, its Payment Fraud Disruption (PFD) team reported at least three attacks this summer in which crooks infected PoS systems with malware that scrapes payment card data.
In November VISA published another security alert, titled “ATTACKS TARGETING POINT-OF-SALE AT FUEL DISPENSER MERCHANTS,” that warns of threat actors that were able to obtain payment card data due to the lack of secure
According to the new alert issued by the PFD, in the first incident crooks compromised a North American fuel dispenser merchant using a phishing email to deliver a Remote Access Trojan (RAT) to the target network. The RAT was then used to harvest credentials and move laterally to infect a
“The threat actors compromised the merchant via a phishing email sent to an employee. The email contained a malicious link that, when clicked, installed a Remote Access Trojan (RAT) on the merchant network and granted the threat actors network access.” reads the alert. “The actors then conducted reconnaissance of the corporate network, and obtained and utilized credentials to move laterally into the POS environment.”
This attack scenario was possible because there was no network segmentation between the Cardholder Data Environment (CDE) and the corporate network, which let the attackers pivot from a phished workstation into the payment systems. Segmentation is not itself a PCI DSS requirement, but it is the standard way to keep the corporate network out of CDE scope, and it is exactly what would have stopped this lateral movement.
Once inside the POS environment, the crooks deployed a RAM scraper that appears to have mainly targeted magnetic stripe (track) data held in process memory while transactions were processed.
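A RAM scraper of the kind described above does not need to understand the POS application; it sweeps process memory for byte sequences laid out in the magnetic-stripe Track 1 / Track 2 format and keeps the ones that pass a card-number checksum. The same pattern is what an incident responder hunts for in a memory dump of a suspect POS host. The Python below is an added example, not code from the Visa alert or from SecurityAffairs: it scans a constructed buffer for both track layouts, applies the Luhn check so that plain digit runs are not reported, and masks the PAN before returning a finding. The buffer contents and PANs (for example 4111111111111111) are test data constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Magnetic-stripe track layouts (ISO/IEC 7813), which is what a RAM scraper
# greps process memory for: start sentinel, PAN, field separator, expiry YYMM,
# 3-digit service code, discretionary data, end sentinel.
TRACK1_RE = re.compile(
    rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]{0,40}\?"
)
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d{0,20}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; drops digit runs that are not real PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    track: int          # 1 or 2
    offset: int         # byte offset of the record in the scanned buffer
    masked_pan: str
    expiry: str         # YYMM as encoded on the stripe
    service_code: str


def scan_buffer(buf: bytes) -> List[TrackHit]:
    """Return every Luhn-valid Track 1 / Track 2 record found in a memory buffer."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode("ascii")
            if not luhn_ok(pan):        # layout matched but the PAN is not a card number
                continue
            hits.append(TrackHit(track, m.start(), mask_pan(pan),
                                 m.group("exp").decode("ascii"),
                                 m.group("svc").decode("ascii")))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample "memory dump" (test PANs only), padded with junk that a
# naive digit-run search would flag: a PAN that fails Luhn and a 17-digit counter.
SAMPLE_MEMORY = (
    b"\x00" * 16 + b"POS: sale approved "
    + b"%B4111111111111111^DOE/JOHN^25121010000000000?"      # Track 1, valid PAN
    + b"\x00\x00cfg=" + b";5555555555554444=2601201123456?"   # Track 2, valid PAN
    + b"\xff\xfe" + b";4111111111111112=2512101000?"          # Track 2 layout, fails Luhn
    + b"\x00txn_counter=12345678901234567\x00"                 # digits but no track layout
)

if __name__ == "__main__":
    for h in scan_buffer(SAMPLE_MEMORY):
        print(f"track{h.track} @0x{h.offset:x} pan={h.masked_pan} "
              f"exp={h.expiry} svc={h.service_code}")
```

Run against a real process dump (for example the output of a memory acquisition tool, read as bytes) the scanner reports the masked PAN, expiry and service code at each offset; two hits in memory of a process that should never see cleartext track data is a strong indicator that the host is handling stripe data unencrypted and is worth a scraper's attention. The service code is worth keeping in the finding, since it tells you whether the stripe belonged to a chip card.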
In the second and third attacks, forensic analysis of the targeted networks revealed indicators of compromise (IOCs) that can likely be attributed to the FIN8 cybercrime group.
FIN8 is a financially motivated group that has been active since at least 2016 and often targets the POS environments of retail, restaurant, and hospitality merchants to harvest payment account data.
“The malware used in the [second] attack also created a temporary output file,
In the third attack against a North American hospitality merchant, VISA PFD experts discovered malware samples that were previously associated with FIN8 campaigns.
“The attack used a FIN8-attributed malware, but used new malware not previously seen employed by the group in the wild. The new malware is a backdoor that is based on the RM3 variant of the Ursnif (aka Gozi/Gozi-ISFB) modular malware. While the malware used in this attack was not identified in the attacks against the fuel merchants, it is possible FIN8 will use this malware in future operations targeting fuel dispenser.”
The recent compromises of POS systems at fuel dispenser merchants detected by PFD show that sophisticated threat groups now consider these merchants attractive targets.
“Additionally, the recent compromises of fuel dispenser merchants represent a concerning trend whereby sophisticated threat groups have identified fuel dispenser merchants as an attractive target for obtaining track data.” continues the alert.
“It is important to note that this attack vector differs significantly from skimming at fuel pumps, as the targeting of POS systems requires the threat actors to access the merchant’s internal network, and takes more technical prowess than skimming attacks,”
Experts urge fuel dispenser merchants to adopt the countermeasures needed to neutralize these attacks.
Visa recommends that merchants and acquirers adopt the following measures:
(SecurityAffairs – PoS, cybercrime)