Visa has warned of targeted cyber attacks aimed at Point-of-Sale (PoS) systems of North American fuel dispenser merchants. According to an alert posted last week, the credit card company's Payment Fraud Disruption (PFD) department has identified three separate campaigns, which began last summer, targeting the Point-of-Sale systems of gas station and hospitality merchants.
The researchers said that the culprit behind these attacks is likely the cybercrime group known as FIN8, a financially motivated threat actor known for its attacks on the PoS environments of retail, restaurant, and hospitality merchants. The attacks took place during the summer of 2019 and went after track 1 and track 2 payment card data. In the first incident the criminals compromised a North American fuel dispenser merchant using a phishing email to deliver a Remote Access Trojan (RAT) to the corporate network. After gaining access to the target network, the threat actor harvested credentials to move laterally into the PoS environment.
“There was also a lack of network segmentation between the Cardholder Data Environment (CDE) and corporate network, which enabled lateral movement. Once the POS environment was successfully accessed, a Random Access Memory (RAM) scraper was deployed on the POS system to harvest payment card data,” the researchers noted.
In the second attack the crooks directly targeted another fuel company by compromising its network using an unknown method. As in the previous case, a RAM scraper was injected into the PoS environment and was used to harvest payment card data.
In the third incident the corporate network of a North American hospitality merchant was compromised using malware that the researchers attributed to FIN8, as well as a new shellcode backdoor not previously seen employed by the group in the wild. According to the researchers, this new backdoor is based on the RM3 variant of the Ursnif (aka Gozi/Gozi-ISFB) modular banking malware.
In each case the analysis of the malware found numerous indicators of compromise (IoCs) pointing to the FIN8 hackers. These include command and control domains known to be used by FIN8, along with the temporary output file wmsetup.tmp, which has been found in the group's other attacks.
“It is important to note that this attack vector differs significantly from skimming at fuel pumps, as the targeting of POS systems requires the threat actors to access the merchant’s internal network, and takes more technical prowess than skimming attacks. Fuel dispenser merchants should take note of this activity and deploy devices that support chip wherever possible, as this will significantly lower the likelihood of these attacks,” the credit card company concludes.