Gas Card POS Malware Plays Grinch Over Holiday Season

Visa has issued consecutive monthly security alerts regarding fuel dispenser merchant POS systems. In November, Visa stated:

In August and September 2019, Visa Payment Fraud Disruption (PFD) investigated two separate breaches at North American fuel dispenser merchants. The attacks involved the use of point-of-sale (POS) malware to harvest payment card data from fuel dispenser merchant POS systems. It is important to note that this attack vector differs significantly from skimming at fuel pumps, as the targeting of POS systems requires the threat actors to access the merchant’s internal network.

In December, Visa followed up with a second security alert that stated:

These merchants are an increasingly attractive target for cybercrime groups. Track 1 and track 2 payment card data was at risk in the merchant’s POS environments due to the lack of secure acceptance technology (e.g. EMV® Chip, Point-to-Point Encryption, Tokenization, etc.) and non-compliance with PCI DSS.

This is Not Skimming

While most POS compromises in years gone by have involved the use of skimmers, these latest threats are taking place at the network level.

Threat #1: In the first incident identified by Visa’s Payment Fraud Disruption (PFD) group, the attackers gained access to the merchant network through the old tried-and-true phishing email. A malicious link in that email installed a Remote Access Trojan (RAT) that provided network access. Once in, they moved laterally through the network into the POS environment and ultimately installed a RAM scraper to harvest payment card data.

Threat #2: In the second incident, it is unclear how the attackers gained network access, but once in they followed a route similar to Threat #1, installed a RAM scraper and harvested payment card data. Forensic analysis of the compromise points to the cybercrime group FIN8 as the most likely culprit.

Threat #3: The third attack has also been attributed to FIN8 and used previously seen malware of their creation combined with a new, previously unseen shellcode backdoor.
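The common step in all three incidents is a RAM scraper reading the memory of the payment application on a POS host. One detection a defender can run over endpoint telemetry is to flag any process that obtains memory-read access to the payment application and is not on an allowlist of expected sources. The following is an added example written for this article, not code from Visa, the merchants involved or the article's author. It parses constructed Sysmon-style ProcessAccess (Event ID 10) records; the process paths, the allowlist and the payment application name `paymentapp.exe` are assumptions for illustration.

```python
"""Flag unexpected memory reads of a payment application on a POS host.

Added example for illustration only. Event records, process paths and the
allowlist below are constructed; the field names follow Sysmon Event ID 10
(ProcessAccess): SourceImage, TargetImage, GrantedAccess.
"""
import json
from typing import List, Optional

# Windows process access rights that matter for reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Hypothetical payment application whose memory holds track data before encryption.
PAYMENT_PROCESS = r"c:\pos\paymentapp.exe"

# Hypothetical allowlist of sources expected to open the payment process on a POS host.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\program files\edr\agent.exe",  # assumed EDR agent path
}


def reads_memory(granted_access: int) -> bool:
    """True when the granted access mask includes PROCESS_VM_READ."""
    return bool(granted_access & PROCESS_VM_READ)


def classify_event(event: dict) -> Optional[str]:
    """Return an alert string for a suspicious ProcessAccess event, else None."""
    if event.get("EventID") != 10:
        return None
    source = event["SourceImage"].lower()
    target = event["TargetImage"].lower()
    access = int(event["GrantedAccess"], 16)  # Sysmon logs this as a hex string
    if target != PAYMENT_PROCESS or not reads_memory(access):
        return None
    if source in ALLOWED_SOURCES:
        return None
    return (f"ALERT: {source} obtained memory-read access to {target} "
            f"(GrantedAccess={event['GrantedAccess']})")


def scan(lines: List[str]) -> List[str]:
    """Run classify_event over JSON lines, skipping malformed records."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    # Expected system process reading the payment app: allowlisted, no alert.
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\lsass.exe",
                "TargetImage": r"C:\POS\paymentapp.exe", "GrantedAccess": "0x1010"}),
    # Unknown binary in a user-writable path reading the payment app: alert.
    json.dumps({"EventID": 10, "SourceImage": r"C:\Users\Public\updater.exe",
                "TargetImage": r"C:\POS\paymentapp.exe", "GrantedAccess": "0x1010"}),
    # Query-only access (0x1000, no PROCESS_VM_READ bit): no alert.
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",
                "TargetImage": r"C:\POS\paymentapp.exe", "GrantedAccess": "0x1000"}),
    # Unknown binary reading a different process: out of scope, no alert.
    json.dumps({"EventID": 10, "SourceImage": r"C:\Users\Public\updater.exe",
                "TargetImage": r"C:\Windows\notepad.exe", "GrantedAccess": "0x1010"}),
    # A process-creation event (ID 1) is ignored by this rule.
    json.dumps({"EventID": 1, "Image": r"C:\Users\Public\updater.exe"}),
    "not json at all",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the access mask rather than on a malware name, so it catches any unrecognised reader of the payment process, which is the behaviour the RAM scrapers in these incidents share. Tuning consists of populating the allowlist from a known-good baseline of the POS image; anything else reading that process is worth an analyst's attention.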

More Technically Advanced

Visa’s PFD group’s analysis concludes that a more sophisticated tier of cybercriminals has set its sights on fuel dispenser merchants. Apparently these criminals, while late to the fuel pump game, are happy to exploit this opportunity while it lasts. Come October 2020, all fuel dispenser merchants will be required to have chip-compatible card readers installed on their pumps, and this will ostensibly eliminate the threat of RAM scraping because the data will be encrypted.

