Recently, Visa has discovered 3 separate attacks targeting gas station and hospitality merchant’s point of sale systems since the summer of 2019. The Payment Fraud Disruption department in Visa found 2 unknown fuel dispenser merchants and a hospitality company in North America were attacked with malware. The malware injected can steal customers’ payment card data directly as well as indirectly. Payment cards with magnetic strips were affected the most in this attack, but not the cards using EMV chip, point-to-point encryption and tokenization. Until now, Visa did not reveal how many customers were impacted by these attacks.
Among these 3 attacks, the attack happened on the first gasoline retailer gained access and implemented a remote access trojan through a phishing attack on a company employee. Because of the missing network segmentation connecting the cardholder data environment and the corporate network, the attackers were able to get into the POS system via network. At this time, a RAM scraper brought all the payment card data to the hackers.
In the other attack targeting the other gasoline retailer, the hackers accessed the company network with an unknown method and directly attack the POS environment with the RAM scraper. The malware here impacted on the payment card devices with magnetic strips only. Besides, these impacted payment card devices are located on the pumps and inside the facility.
There was a different malware applied in the attack on the hospitality company. According to Visa, the attacker was using a full-featured shellcode backdoor based on the RM3 variant, which is of Ursnif/Gozi banking trojan.
Visa pin the attacks on Fin8 according to the malware analysis and found that there is a temporary output file wmsetup.tmp along with the command and control domains known to be used by Fin8. In addition, this output file also existed in other Fin8 attacks. Visa suggested eliminating the use of magnetic strip POS systems is the best measure to take in order to defend against these attacks.
Are You Concerned About Ransomware or Malware?
There are preventive measures your organization can take to defend against an cyber attack.
LIFARS offering Free 30-minute consultation on cyber resiliency.
Email:firstname.lastname@example.org | Call us at:(212) 222-7061