Payment processing giant Visa warns that North American fuel pumps are currently being targeted by cybercrime syndicates looking to install Point of Sale (PoS) malware across their networks. PoS malware is malware designed to steal payment card data from the point of sale devices used in shops, and at fuel pumps, to process debit and credit card transactions.
The malware works differently from banking trojans and other malware designed to steal financial information. Card data is encrypted before it leaves the merchant for the payment processor, so that if it is intercepted in transit it cannot be read by prying eyes. Before that encryption takes place, however, the PoS software handles the card data in plaintext in the device's random-access memory (RAM). PoS malware specifically targets that RAM to steal the unencrypted information: it reads the memory of the payment application's processes and searches for the patterns that card track data follows. The process is called RAM scraping. The scraper itself is usually deployed and controlled through a remote access trojan and command and control (C2) infrastructure, which the attackers use to reach the PoS environment and to collect the harvested data.
Visa has published two warnings, one in November and the other in December of 2019, detailing at least five incidents investigated by the company's security team. The security team, Visa's Payment Fraud Disruption (PFD) team, believes that cybercrime groups have found a weak spot in how gas stations and gas pump operators work. The weak spot comes down to how different machines read the data stored on cards. PoS devices in stores are generally equipped to read data from the chip found in newer cards, which produces a one-time cryptogram for each transaction. Many gas station pumps still operate on older technology where the machine can only read the magnetic stripe, whose contents are static: track data scraped from a magstripe transaction is enough to produce a counterfeit card, whereas data captured from a chip transaction is of little use for that purpose.
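The RAM scraping described above, and the magnetic stripe data that makes it worthwhile, can be shown concretely. The following scanner is an added example and not code from Visa's alert or from the malware it describes: it searches a memory buffer for ISO 7813 Track 2 records (the format encoded on a magnetic stripe), discards matches whose PAN fails the Luhn check, masks the PAN, and flags cards whose service code says a chip is present. The same logic is what a memory-forensics check would run over a dump of a PoS process to confirm that card data is exposed in plaintext. The sample dump is constructed here and uses the well-known 4111... and 5555... test PANs; all function and variable names are this example's own.

```python
import re

# Track 2 as encoded on a magnetic stripe (ISO/IEC 7813):
#   ;<PAN, 13-19 digits>=<YY><MM><service code, 3 digits><discretionary data>?
# A RAM scraper looks for exactly this shape in process memory; a defender
# scanning a memory dump for exposed card data looks for it too.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check on a PAN. Filters out digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4, which is what a report may safely contain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return one record per Luhn-valid Track 2 hit found in the buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue
        service_code = m.group(4).decode()
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",   # MM/YY
            "service_code": service_code,
            # Service code first digit 2 or 6 means the card carries a chip and a
            # chip reader should be used where available. A magstripe-only pump
            # ignores this and reads the static track data anyway.
            "chip_present": service_code[0] in "26",
        })
    return hits


# Constructed sample standing in for a dump of a PoS application's heap.
SAMPLE_DUMP = (
    b"\x00\x00heap-junk\x00"
    b";4111111111111111=25121011234567890?"   # Luhn-valid test PAN, exp 12/25, service code 101
    b"\x00more junk\x00"
    b";4111111111111112=25121011234567890?"   # fails Luhn: ignored as a false positive
    b"\x00"
    b";5555555555554444=26012019876543210?"   # Luhn-valid test PAN, exp 01/26, service code 201 (chip)
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_DUMP):
        print(hit)
```

Run on a real process dump, the only change is the input buffer. The Luhn filter matters: without it, long numeric strings in memory (timestamps, serial numbers) produce a steady stream of false positives, which is why both scrapers and forensic tools apply it.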
In the warning published in December, Visa described three separate incidents. Two of them may have been carried out by FIN8, a financially motivated cybercrime group known for targeting the hospitality industry among other retail targets. The first incident involved the compromise of a North American fuel dispenser merchant. Researchers noted that,
“The threat actors compromised the merchant via a phishing email sent to an employee. The email contained a malicious link that, when clicked, installed a Remote Access Trojan (RAT) on the merchant network and granted the threat actors network access. The actors then conducted reconnaissance of the corporate network and obtained and utilized credentials to move laterally into the POS environment. There was also a lack of network segmentation between the Cardholder Data Environment (CDE) and corporate network, which enabled lateral movement. Once the POS environment was successfully accessed, a Random Access Memory (RAM) scraper was deployed on the POS system to harvest payment card data.”
The second incident also involved a fuel dispenser merchant. How the attackers first gained access to the network is not yet known, but once inside they deployed a RAM scraper into the PoS environment, which then harvested the card data of customers using the compromised devices. The merchant accepted both chip transactions in-store and magnetic stripe transactions at the pumps; the malware targeted only the magnetic stripe transactions. Researchers believe this incident to be attributable to FIN8, noting that,
“FIN8 is a financially motivated threat group active since at least 2016 and often targets the POS environments of retail, restaurant, and hospitality merchants to harvest payment account data. Among the IOCs recovered are command and control (C2) domains previously used by FIN8 in threat activity. The malware used in the attack also created a temporary output file, wmsetup.tmp, which was used to house the scraped payment data. This file was previously identified in attacks attributed to FIN8 and FIN8-associated malware.”
The last incident shared with the public involved analysis of a strain of malware found on the network of a hospitality merchant, also located in North America. After careful analysis, it was determined that the malware likely formed part of yet another FIN8 operation. The malware, called PunchTrack, has previously been attributed to FIN8 and was used in an earlier campaign that targeted more than 100 organizations in North America. Visa researchers further discovered that a newer strain of malware was used alongside PunchTrack. The new malware is a full-featured shellcode backdoor based on the RM3 variant of the Ursnif banking malware. Researchers fear that the new malware may in future be used against fuel merchants and not just those in the hospitality sector.
Visa concluded that while cybercrime groups like FIN8 have expanded operations to target eCommerce stores, these recent attacks show that targeting traditional brick and mortar operations is still viable. The company also warned that the targeting of fuel merchants is worrying because capable threat actors have pinpointed a weakness within their operations that allows payment card data to be stolen. To that end, Visa advises fuel merchants to switch to chip-capable devices as soon as possible to prevent such abuse. The company also reminded merchants that as of October 2020, the chip liability shift date for fuel dispensers, responsibility for counterfeit fraud will shift to fuel dispenser merchants who have not enabled chip acceptance. Visa further reiterated that,
“Fuel dispenser merchants should take note of this activity as the group’s operations are significantly more advanced than fuel dispenser skimming, and these attacks have the potential to compromise a high volume of payment accounts. The deployment of devices that support chip will significantly lower the likelihood of these attacks.”