Visa: Gas Station Networks Targeted to Steal Card Data
Network Attacks an Alternative to Use of Skimmers on Pumps, Alert Notes
Several sophisticated cybercriminal gangs are targeting “fuel dispenser merchants” throughout North America, in some cases by planting malware within corporate networks to steal payment card data, Visa warns in a new alert.
Unlike older credit and payment card scams, where physical skimmers are hidden inside gas pumps, Visa's security analysts discovered two incidents where the attackers planted malware within merchants’ corporate networks, according to the report. In a third incident, a company in the hospitality industry was targeted in a similar way.
Once they got inside the IT infrastructure of the merchants’ networks, the attackers moved laterally through the networks and targeted internet-connected point-of-sale machines at gas pumps to scrape unencrypted credit and debit card data, the alert notes.
"It is important to note that this attack vector differs significantly from skimming at fuel pumps, as the targeting of [point-of-sale] systems requires the threat actors to access the merchant’s internal network, and takes more technical prowess than skimming attacks," Visa says in its alert.
In November, Visa issued a similar alert about a growing number of attacks targeting fuel dispenser merchants by compromising networks instead of individual fuel pumps.
"The recent compromises of fuel dispenser merchants represents a concerning trend whereby sophisticated threat groups have identified fuel dispenser merchants as an attractive target for obtaining track data," according to Visa.
Lack of Security
Visa analysts noted in the December alert that several fuel dispensing merchants, as well as the hospitality company, which were targeted recently with various forms of attacks, lacked basic security technologies to help protect card data, such as end-to-end encryption or tokenization. Some victims did not appear to be in compliance with PCI Data Security Standard regulations.
Any business that accepts, stores, processes and transmits payment card data is supposed to comply with PCI standards. But the recent Verizon 2019 Payment Security Report survey of more than 300 organizations found that only 37 percent continually maintain their PCI DSS compliance (see: Verizon: Companies Failing to Maintain PCI DSS Compliance).
The Visa report notes that many gas stations still rely on magnetic stripe card readers rather than chip card readers, which increases risks.
Dr. Richard Gold, the head of security engineering at security firm Digital Shadows, notes that point-of-sale machines and the type of data that they handle remain rich targets for attackers, especially when companies don't follow standard practices such as segmenting networks to keep data separate.
"Segmenting networks is a strong security control as not only does it force the attacker to do more work to overcome this obstacle, it also creates detection points where defenders can monitor for attacker activity," Gold tells Information Security Media Group. "In general, it appears as if the attackers are persistently targeting sectors which hold payment card data and that do not have the necessary security controls in place to protect that data."
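The detection point that segmentation creates can be sketched as a check over firewall flow records at the boundary between the corporate network and the cardholder data environment. This is an added example, not taken from the Visa alert; the address ranges, the allowlisted management host, the threshold and the log lines are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed address plan (constructed for this example).
CORPORATE = ipaddress.ip_network("10.10.0.0/16")
CDE = ipaddress.ip_network("10.50.0.0/24")  # POS / cardholder data environment
# The only expected boundary crossing: (source host, destination port).
ALLOWED = {("10.10.5.20", 443)}  # hypothetical management server
SWEEP_THRESHOLD = 3  # distinct CDE hosts contacted by one corporate source

# Constructed flow records: timestamp, source, destination, port, action.
SAMPLE_FLOWS = """\
2019-12-01T02:14:07Z 10.10.5.20 10.50.0.11 443 ALLOW
2019-12-01T02:15:31Z 10.10.8.77 10.50.0.11 445 ALLOW
2019-12-01T02:15:33Z 10.10.8.77 10.50.0.12 445 ALLOW
2019-12-01T02:15:36Z 10.10.8.77 10.50.0.13 3389 ALLOW
2019-12-01T02:16:02Z 10.10.9.14 10.50.0.11 445 DENY
2019-12-01T02:17:45Z 10.50.0.11 10.50.0.1 53 ALLOW
2019-12-01T02:18:10Z 10.10.3.3 10.10.4.4 445 ALLOW
"""

def boundary_violations(text):
    """Return corporate-to-CDE flows that are not on the allowlist."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        crosses = (ipaddress.ip_address(src) in CORPORATE
                   and ipaddress.ip_address(dst) in CDE)
        if crosses and (src, int(dport)) not in ALLOWED:
            hits.append({"ts": ts, "src": src, "dst": dst,
                         "dport": int(dport), "action": action})
    return hits

def summarize(hits):
    """Group violations by source and flag sources sweeping several CDE hosts."""
    hosts, allowed = defaultdict(set), defaultdict(int)
    for f in hits:
        hosts[f["src"]].add(f["dst"])
        # An ALLOW here means the firewall is not enforcing the boundary.
        allowed[f["src"]] += f["action"] == "ALLOW"
    return {src: {"cde_hosts": len(h), "allowed_through": allowed[src],
                  "sweep": len(h) >= SWEEP_THRESHOLD}
            for src, h in hosts.items()}

if __name__ == "__main__":
    for src, info in summarize(boundary_violations(SAMPLE_FLOWS)).items():
        print(src, info)
```

A non-zero `allowed_through` count means traffic crossed a boundary that should have blocked it, while denied attempts still give defenders an early signal of lateral movement.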
In their latest alert, Visa analysts described three incidents that started over the summer, but did not identify the companies involved nor how much data was stolen.
In the first incident, the Visa analysts found that an unknown cybercriminal group targeted a fuel dispensing merchant by sending phishing emails to corporate employees that contained malicious links. When clicked, the link installed a remote access Trojan on an infected device, which then allowed the hackers to move laterally through the network and target connected point-of-sale machines.
This targeted company lacked network segmentation between the cardholder data environment and the corporate network, which enabled the attackers to easily map the whole network, according to the alert.
"Once the [point-of-sale] environment was successfully accessed, a random access memory scraper was deployed on the POS system to harvest payment card data," the Visa alert notes.
In the second incident, Visa analysts found that attackers also targeted a fuel dispensing merchant, although it's not clear if this particular breach started with a phishing email. The cybercriminals also installed a RAM scraper to harvest unencrypted credit and other payment card details.
"The targeted merchant accepted both chip transactions at the in-store terminals and magnetic stripe transactions at fuel pumps, and the malware injected into the POS environment appears to have targeted the mag stripe/track data specifically," according to Visa. "Therefore, the payment cards used at the non-chip fuel pumps were at risk in the [point-of-sale] environment."
In the third incident, which involved a hospitality firm, the Visa analysts discovered malware in the network that was used to scrape data from credit cards.
In the second fuel dispensing merchant attack and the hospitality industry attack, a hacking group known as FIN8 may have played a role, Visa analysts say. This threat group has become active again following a two-year hiatus (see: FIN8 Group Returns, Targeting POS Devices With New Tools).
In previous incidents attributed to FIN8, security analysts note that the hacking organization targeted the point-of-sale devices used by companies in the hospitality and retail industries.
Some of the malware, as well as the command-and-control server, in the second fuel dispensing merchant attack had previously been attributed to FIN8, Visa reports.
"The malware used in the attack also created a temporary output file, wmsetup.tmp, which was used to house the scraped payment data," according to the report. "This file was previously identified in attacks attributed to FIN8 and FIN8-associated malware."
In the hospitality sector attack, the Visa analysts also attributed some of the malware used to FIN8. In addition, the investigators found a never-before-seen shellcode backdoor that is based on the Ursnif banking Trojan.
The Visa report warns that it's likely that this backdoor will be used again to target point-of-sale devices.