VISA warns of cyber attacks on PoS systems of fuel dispenser merchants

Pierluigi Paganini December 13, 2019

VISA is warning of ongoing targeted cyber attacks conducted by crooks on point-of-sale (POS) systems of North American fuel dispenser merchants.

According to a security alert published by VISA, the PoS systems of North American fuel dispenser merchants are under attack.

Visa Payment Fraud Disruption (PFD) reported that at least three attacks took place this summer; in each, the crooks aimed to infect the PoS systems with malware that scrapes payment card data.

In November VISA published another security alert, titled “ATTACKS TARGETING POINT-OF-SALE AT FUEL DISPENSER MERCHANTS,” that warns of threat actors who were able to obtain payment card data because of the lack of secure acceptance technology (e.g. EMV Chip, Point-to-Point Encryption, Tokenization, etc.) and non-compliance with PCI DSS.

According to the new alert issued by the PFD, in the first incident crooks compromised a North American fuel dispenser merchant using a phishing email to deliver a Remote Access Trojan (RAT) to the target network. The RAT was then used to harvest credentials and move laterally to infect a PoS system on the same network.

“The threat actors compromised the merchant via a phishing email sent to an employee. The email contained a malicious link that, when clicked, installed a Remote Access Trojan (RAT) on the merchant network and granted the threat actors network access.” reads the alert. “The actors then conducted reconnaissance of the corporate network, and obtained and utilized credentials to move laterally into the POS environment.”

This attack scenario was possible because of the lack of network segmentation between the Cardholder Data Environment (CDE) and the corporate network, which allowed the attackers’ lateral movement.

Crooks infected the POS system with a RAM scraper that appears to have mainly targeted the mag stripe/track data.

In the second and third attacks, forensic analysis of the targeted networks revealed indicators of compromise (IOCs) that can likely be attributed to the FIN8 cybercrime group.

FIN8 is a financially motivated group that has been active since at least 2016 and often targets the POS environments of retail, restaurant, and hospitality merchants to harvest payment account data.

“The malware used in the [second] attack also created a temporary output file, wmsetup.tmp, which was used to house the scraped payment data. This file was previously identified in attacks attributed to FIN8 and FIN8-associated malware.” continues the security alert.

In the third attack against a North American hospitality merchant, VISA PFD experts discovered malware samples that were previously associated with FIN8 campaigns.

“The attack used a FIN8-attributed malware, but used new malware not previously seen employed by the group in the wild. The new malware is a backdoor that is based on the RM3 variant of the Ursnif (aka Gozi/Gozi-ISFB) modular malware. While the malware used in this attack was not identified in the attacks against the fuel merchants, it is possible FIN8 will use this malware in future operations targeting fuel dispenser.”

Based on the recent attacks that compromised POS systems at fuel dispenser merchants detected by PFD, fuel dispenser merchants are now on threat groups’ short list of attractive targets.

“Additionally, the recent compromises of fuel dispenser merchants represent a concerning trend whereby sophisticated threat groups have identified fuel dispenser merchants as an attractive target for obtaining track data.” continues the alert.

“It is important to note that this attack vector differs significantly from skimming at fuel pumps, as the targeting of POS systems requires the threat actors to access the merchant’s internal network, and takes more technical prowess than skimming attacks.”

Experts urge fuel dispenser merchants to adopt necessary countermeasures to neutralize these attacks.

Visa recommends that merchants and acquirers adopt the following measures:

  • Employ the IOCs contained in this report to detect and prevent attacks using the POS malware variant.
  • Secure remote access with strong passwords, ensure only the necessary individuals have permission for remote access, disable remote access when not in use, and use two-factor authentication for remote sessions.
  • Enable EMV technologies for secure in-person payments (chip, contactless, mobile and QR code).
  • Provide each Admin user with their own user credentials. User accounts should also only be provided with the permissions vital to job responsibilities.
  • Turn on heuristics (behavioral analysis) on anti-malware to search for suspicious behavior, and update anti-malware applications.
  • Monitor network traffic for suspicious connections, and log system and network events.
  • Implement Network Segmentation, where possible, to prevent the spread of malicious software and limit an attacker’s foothold.
  • Maintain a patch management program and update all software and hardware firmware to the most current release to limit the attack surface for zero-day vulnerabilities.
  • In the event of a confirmed or suspected breach, refer to Visa’s What to do if Compromised (WTDIC), published in October 2019.
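Three of the recommendations above (network segmentation, monitoring for suspicious connections, and logging network events) combine into one concrete check against the attack chain described earlier: flag any corporate host that opens a connection into the cardholder data environment without being on the jump-host allowlist, and flag any POS host that talks to an external address other than the payment processor. The Python below is an added example, not code from Visa's alert or from Security Affairs; the address plan, the allowlists and the flow records are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed address plan for this example (not from the Visa alert): the corporate LAN
# and the cardholder data environment (CDE) are separate segments.
CORP_NET = ipaddress.ip_network("10.10.0.0/16")
CDE_NET = ipaddress.ip_network("10.20.0.0/24")
INTERNAL_NETS = (CORP_NET, CDE_NET)

# The only corporate host permitted to reach the CDE: a hardened jump host (constructed),
# keyed as (source host, destination port).
ALLOWED_INTO_CDE = {
    (ipaddress.ip_address("10.10.5.5"), 3389),
}
# The only external endpoint POS hosts may talk to: the payment processor (constructed).
ALLOWED_CDE_EGRESS = {
    (ipaddress.ip_address("198.51.100.10"), 443),
}

RULE_LATERAL = "corp-to-cde-lateral-movement"
RULE_EGRESS = "cde-egress-to-unapproved-host"


@dataclass
class Alert:
    rule: str
    timestamp: str
    src: str
    dst: str
    dport: int


def parse_flow(line: str):
    """Parse one flow record in the constructed format '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, _proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def check_flow(line: str) -> Optional[Alert]:
    """Apply the two segmentation rules to a single flow; return an Alert or None."""
    ts, src, dst, dport = parse_flow(line)
    # Rule 1: a corporate host connecting into the POS segment that is not the jump host.
    # This is the lateral-movement step the first attack relied on.
    if src in CORP_NET and dst in CDE_NET and (src, dport) not in ALLOWED_INTO_CDE:
        return Alert(RULE_LATERAL, ts, str(src), str(dst), dport)
    # Rule 2: a POS host talking to anything outside the known internal segments other
    # than the processor: a possible RAT beacon or exfiltration of scraped track data.
    if (src in CDE_NET and not any(dst in net for net in INTERNAL_NETS)
            and (dst, dport) not in ALLOWED_CDE_EGRESS):
        return Alert(RULE_EGRESS, ts, str(src), str(dst), dport)
    return None


def analyze(lines) -> List[Alert]:
    """Run every non-empty flow record through the rules; alerts come back in log order."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = check_flow(line)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed flow records: a corporate workstation probing a POS host over SMB, the jump
# host's permitted RDP session, the POS host's normal processor traffic, the same POS host
# beaconing to an unknown external address, and ordinary corporate-internal traffic.
SAMPLE_FLOWS = """\
2019-08-14T02:13:07Z 10.10.42.17 10.20.0.31 445 tcp
2019-08-14T02:13:09Z 10.10.5.5 10.20.0.31 3389 tcp
2019-08-14T02:14:01Z 10.20.0.31 198.51.100.10 443 tcp
2019-08-14T02:15:40Z 10.20.0.31 203.0.113.77 8443 tcp
2019-08-14T02:16:02Z 10.10.42.17 10.10.3.9 443 tcp
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_FLOWS.splitlines()):
        print(f"{a.timestamp} {a.rule}: {a.src} -> {a.dst}:{a.dport}")
```

Two of the five constructed flows trip a rule: the SMB connection from the workstation into the POS segment and the POS host's connection to the unknown external address. The design choice worth noting is that "external" is defined as anything outside the segments you have declared, rather than by whether the address is publicly routable; that way a forgotten third segment or a VPN range shows up as an alert to be triaged instead of being silently trusted.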

Pierluigi Paganini

(SecurityAffairs – PoS, cybercrime)
