Visa warns of POS attacks against North American hospitality merchants

Visa, the multinational payments processor and financial services provider, has shared details of POS malware infections at two unnamed North American hospitality merchants. In the attacks, which took place in May and June 2020 respectively, the cybercriminals targeted the merchants’ point-of-sale (POS) terminals in an effort to harvest and exfiltrate payment card data.

According to the report, the Visa Payment Fraud Disruption team attributed the first attack to a malware family known as TinyPOS, while the second incident involved a mix of malware families, namely RtPOS, MMon (aka Kaptoxa), and PwnPOS.

In the first case, the attackers gained access to the merchant’s network via a phishing campaign that targeted the company’s employees. The intruders compromised legitimate user accounts, including an administrator account, and used that access to reach the cardholder data environment (CDE) within the merchant’s network.

“Once access to the CDE was established, the actors deployed a memory scraper to harvest track 1 and track 2 payment account data, and later used a batch script to mass deploy the malware across the merchant’s network to target various locations and their respective POS environments. The memory scraper harvested the payment card data and output the data into a log file. At the time of analysis, no network or exfiltration functions were present within the sample. Therefore, the actors would likely remove the output log file from the network using other means,” the report said.
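The memory scraper described above works by pattern-matching the magnetic-stripe track formats in process memory: a track 1 record starts with `%B`, carries the PAN, the cardholder name and the expiry/service code separated by `^`, and ends with `?`; a track 2 record starts with `;`, carries the PAN, then `=`, expiry and service code, and ends with `?`. The same matching is what a defender needs when hunting for the scraper's output log or for track data in a memory dump. The following is an added example written for this page, not code from Visa's report or from any of the malware families it names: a small Python scanner that finds track 1 and track 2 records in a byte buffer, drops candidates whose PAN fails the Luhn check (which cuts most false positives from random digit runs), and reports only masked PANs so the hunting tool itself does not become a second store of cardholder data. The sample buffer, the offsets and the PANs (standard card-brand test numbers) are constructed for the example.

```python
import re
from typing import NamedTuple

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# Bytes patterns so the scanner can run directly over a raw memory dump or log.
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]{0,40}\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,40}\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits; this is what the report should contain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TrackHit(NamedTuple):
    track: int          # 1 or 2
    offset: int         # byte offset of the record in the scanned buffer
    masked_pan: str
    expiry: str         # YYMM as encoded on the stripe
    service_code: str


def scan_buffer(buf: bytes) -> list[TrackHit]:
    """Find Luhn-valid track 1 / track 2 records in buf, sorted by offset."""
    hits: list[TrackHit] = []
    for track, pattern in ((1, TRACK1), (2, TRACK2)):
        for m in pattern.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue                      # random digit run, not a card number
            if track == 1:
                expiry, svc = m.group(3), m.group(4)
            else:
                expiry, svc = m.group(2), m.group(3)
            hits.append(TrackHit(track, m.start(), mask_pan(pan),
                                 expiry.decode("ascii"), svc.decode("ascii")))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample: a few bytes of noise around one track 1 record, one track 2
# record, and one track-2-shaped decoy whose PAN fails Luhn. The PANs are the
# public card-brand test numbers, not real cards.
SAMPLE_DUMP = (
    b"\x00\x00junk data\x00"
    b"%B4111111111111111^DOE/JOHN^2512101000000000?"
    b"\x00\x00"
    b";5555555555554444=25121010000000000?"
    b"\x00"
    b";4111111111111112=25121010000000000?"
    b"trailer"
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_DUMP):
        print(f"track {hit.track} @ {hit.offset}: {hit.masked_pan} "
              f"exp={hit.expiry} svc={hit.service_code}")
```

The same function can be pointed at a suspicious file found on a POS host, or at a process memory dump of the POS application, to confirm whether it holds harvested track data; the two regexes are also the core of a hunting rule for the "output log file" the report describes, since the scraper writes exactly this format.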

In the second attack the threat actors used several POS malware variants, including RtPOS, MMon (aka Kaptoxa), and PwnPOS. As in the first attack, the POS malware targeted track 1 and track 2 payment account data.

The experts believe that the attackers used various remote access tools and credential dumpers to break into the company’s network, move laterally, and install the malware. The report did not specify which tools were used in this campaign.
