Visa shares details for two attacks on North American hospitality merchants

Visa revealed that two unnamed North American hospitality merchants have been infected with some strains of point-of-sale (POS) malware.

US payments processor Visa revealed that two North American hospitality merchants have been hacked, threat actors infected the systems of the two unnamed organizations with some strains of point-of-sale (POS) malware.

According to a security alert published last week, the attacks took place in May and June 2020, respectively.

“In May and June 2020, respectively, Visa Payment Fraud Disruption (PFD) analyzed malware samples recovered from the independent compromises of two North American merchants.” reads the VISA security alert.”In these incidents, criminals targeted the merchants’ point-of-sale (POS) terminals in an effort to harvest and exfiltrate payment card data. Subsequent to analysis, the first attack was attributed to the malware variant TinyPOS, and the second to a mix of POS malware families including RtPOS, MMon (aka Kaptoxa, BlackPOS), and PwnPOS.”

The US payments processor investigated the security breached and provided technical details about the malware employed in the attacks to allow other companies in the hospitality sector to check for the presence of the same threat actors in their networks.

In the May incident, attackers compromised the network a North American hospitality merchant with the TinyPOS POS malware. The attackers targeted the employees at the merchant with a phishing campaign to obtain credentials for user accounts and were able to take over an administrator account. Then the threat actors used legitimate administrative tools to access the cardholder data environment (CDE).

“Once access to the CDE was established, the actors deployed a memory scraper to harvest track 1 and track 2 payment account data, and later used a batch script to mass deploy the malware across the merchant’s network to target various locations and their respective POS environments. The memory scraper harvested the payment card data and output the data into a log file.” continues the report. “At the time of analysis, no network or exfiltration functions were present within the sample. Therefore, the actors would likely remove the output log file from the network using other means.”

In the second compromise, which took place in June, threat actors employed three different strains of POS malware. Experts found samples of RtPOS, MMon, and PwnPOS on the victim network.

“While less is known about the tactics used by the threat actors in this attack, there is evidence to suggest that the actors employed various remote access tools and credential dumpers to gain initial access, move laterally, and deploy the malware in the POS environment.” continues the report.

The recent attacks demonstrate that the threat actors continue to target merchant POS systems to harvest card present payment account data.

The report includes the indicators of compromise associated with both attacks, it is essential to share the report to prevent other compromises.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PoS malware)

[adrotate banner=”5″]

[adrotate banner=”13″]