Visa has identified three separate attacks that began last summer targeting gas station and hospitality merchant’s point of sale systems with the cybergang Fin8 being considered the likely perpetrator.
The credit card company’s Payment Fraud Disruption department found that two unnamed “fuel dispenser merchants” and a North American company in the hospitality field were infiltrated, injected with malware that was used to either directly or indirectly steal payment card data.
The attacks took place during the summer of 2019 and went after track 1 and track two-type payment cards, those using magnetic strips. Cards based using EMV chip, point-to-point encryption and tokenization were not affected. No details on the number of customers impacted was given by Visa.
The attack on the first gasoline retailer utilized a phishing attack on a company employee to gain access and once this was accomplished installed a remote access trojan. The criminals then scouted out the network and were able to move laterally through the network to the POS system due to the lack of network segmentation between the cardholder data environment and the corporate network.
Once inside the POS section a RAM scraper was used to pull out the payment card data.
The second fuel company directly targeted the POS environment by gaining access to the company network using an unknown method and again a RAM scraper was used. In this case the malware only targeted mag stripe payment card devices located on the pumps or inside the facility.
The attack on the hospitality company was particularly interesting as it used a different type of malware than the gas station incidents. Visa described the malware as a full-featured shellcode backdoor based on the RM3 variant of Ursnif/Gozi banking trojan.
In each case the analysis of the malware found contain enough clues for Visa to pin the attacks on Fin8. These indicators includes command and control domains known to be used by Fin8 along with the temporary output file wmsetup.tmp which has been found in other Fin8 attacks. This group has been operating since 2016 and often strikes retail, restaurant and hospitality companies.
Visa noted that these attacks are much more sophisticated than the commonly spotted card skimmers used on gas pumps and ATMs and merchants can best defend against these attacks by eliminating the use of mag stripe POS systems.
Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team, agreed saying the payment card infrastructure in the U.S. has completely failed to keep up with the rest of the world.
“Despite more secure systems like EMV contact cards and tokenized mobile tap-to-pay systems having been available for several years, most if not all US issued credit cards still come equipped with a magnetic stripe which can still be skimmed. Attackers have also repeatedly demonstrated various attacks which involve exploiting legacy mag-stripe modes to steal money,” he told SC Media.
Warren Poschman, senior solutions architect at comforte AG, added the POS system is not the only area merchants need to protect.
“The false sense of security is fostered by a disproportionate focus on anti-skimming, EMV, and P2PE as “must haves” because they are the obvious minimum requirements. Instead, organizations should heed the call from Visa to also invest in data-centric security technologies such as tokenization to protect the actual data, not just the transaction. Tokenization is a game changer that offers true security and a chance for merchants to stay ahead of attackers regardless of if the data is at rest, in motion, or in use,” he said.