Visa has identified three separate attacks that began last summer targeting gas station and hospitality merchant’s point of sale systems with the cybergang Fin8 being considered the likely perpetrator.The credit
card company’s Payment Fraud Disruption department found that two unnamed “fuel
dispenser merchants” and a North American company in the hospitality field were
infiltrated, injected with malware that was used to either directly or
indirectly steal payment card data.The attacks
took place during the summer of 2019 and went after track 1 and track two-type payment
cards, those using magnetic strips. Cards based using EMV chip, point-to-point
encryption and tokenization were not affected. No details on the number of customers
impacted was given by Visa.The attack
on the first gasoline retailer utilized a phishing attack on a company employee
to gain access and once this was accomplished installed a remote access trojan.
The criminals then scouted out the network and were able to move laterally
through the network to the POS system due to the lack of network segmentation
between the cardholder data environment and the corporate network.Once inside
the POS section a RAM scraper was used to pull out the payment card data.The second
fuel company directly targeted the POS environment by gaining access to the
company network using an unknown method and again a RAM scraper was used. In
this case the malware only targeted mag stripe payment card devices located on
the pumps or inside the facility.The attack
on the hospitality company was particularly interesting as it used a different
type of malware than the gas station incidents. Visa described the malware as a
full-featured shellcode backdoor based on the RM3 variant of Ursnif/Gozi
banking trojan.In each case the analysis of the malware found contain enough clues for Visa to pin the attacks on Fin8. These indicators includes command and control domains known to be used by Fin8 along with the temporary output file wmsetup.tmp which has been found in other Fin8 attacks. This group has been operating since 2016 and often strikes retail, restaurant and hospitality companies.Visa noted that
these attacks are much more sophisticated than the commonly spotted card
skimmers used on gas pumps and ATMs and merchants can best defend against these
attacks by eliminating the use of mag stripe POS systems.Craig Young,
computer security researcher for Tripwire’s vulnerability and exposure research
team, agreed saying the payment card infrastructure in the U.S. has completely
failed to keep up with the rest of the world.“Despite
more secure systems like EMV contact cards and tokenized mobile tap-to-pay
systems having been available for several years, most if not all US issued
credit cards still come equipped with a magnetic stripe which can still be
skimmed. Attackers have also repeatedly demonstrated various attacks which
involve exploiting legacy mag-stripe modes to steal money,” he told SC Media.Warren
Poschman, senior solutions architect at comforte AG, added the POS system is
not the only area merchants need to protect.“The false
sense of security is fostered by a disproportionate focus on anti-skimming,
EMV, and P2PE as “must haves” because they are the obvious minimum
requirements. Instead, organizations should heed the call from Visa to also
invest in data-centric security technologies such as tokenization to protect
the actual data, not just the transaction. Tokenization is a game changer that
offers true security and a chance for merchants to stay ahead of attackers
regardless of if the data is at rest, in motion, or in use,” he said.
Breach, Threat Management, Data Security, Malware, Phishing
Visa warns against new POS attacks, Fin8 fingered as the culprit
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



