For most of the Western world, December is associated with a myriad of holidays; for many hackers, it is open season. Consumers are warned to be careful when shopping online, and companies are warned that they will be targets during what is to some a holiday period. When Wawa announced on December 19, 2019, that the retail chain, based mainly on the East Coast of the US, had suffered a data breach, much of the InfoSec community was prepared for the news, even if nobody knew who the next victim would be.
At the time, the company believed the breach was the result of an infection with point of sale (POS) malware. This type of malware is designed to steal credit and debit card details from the point of sale devices commonly used in retail shops to process card payments. The threat posed by such malware led Visa to warn fuel stations throughout North America that their pumps and the devices attached to them were being targeted by cybercriminal organizations. POS malware differs from banking trojans in how it steals card data. Payment devices encrypt the card data before sending it to the bank network for authorization, but that encryption is performed by software running on the device, so for a short window the raw track data sits in plaintext in the device's random access memory (RAM). RAM-scraping POS malware reads that memory and lifts the card details before they are encrypted. The details are then sent to command and control servers under the attackers' control.
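The scan a RAM scraper performs is simple: walk a block of process memory looking for magnetic-stripe track data (the `;PAN=YYMM...?` track-2 layout) and keep only candidates whose card number passes the Luhn check, which filters out random digit runs. The following added example (written for this page, not code from Wawa, Visa or any malware family) shows that scan over a constructed memory buffer; the PANs in it are published industry test numbers, the `SAMPLE_MEMORY` bytes and the function names are assumptions made for the example. Defenders can run the same logic over a memory dump to confirm whether a terminal is holding plaintext track data at all.

```python
import re
from typing import Dict, List

# Track-2 layout as written to a magnetic stripe, and as it sits in a POS
# process's memory until the payment application encrypts it:
#   ;<PAN, 13-19 digits>=<YY><MM><3-digit service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

# Constructed sample "memory": two valid test PANs, one decoy that fails Luhn,
# and unrelated bytes around them. Not a real capture.
SAMPLE_MEMORY = (
    b"\x00\x00POS-APP v2.1\x00transaction_id=000123\x00"
    b";4111111111111111=2512101000000000000?"      # Visa test PAN, valid Luhn
    b"\x00\x00garbage\xff\xfe"
    b";4111111111111112=2512101000000000000?"      # decoy: fails Luhn
    b"\x00;5555555555554444=2703201123456789?\x00"  # Mastercard test PAN
    b"AMOUNT=0042.17\x00"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: scrapers use it to discard digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2_candidates(buf: bytes) -> List[Dict[str, str]]:
    """Return every Luhn-valid track-2 record found in a raw memory buffer."""
    hits: List[Dict[str, str]] = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        hits.append({
            "pan": pan,
            # first six (BIN) and last four are what most reports may show
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": m.group(2).decode() + "/" + m.group(3).decode(),  # YY/MM
            "service_code": m.group(4).decode(),
            "offset": str(m.start()),
        })
    return hits


if __name__ == "__main__":
    for hit in find_track2_candidates(SAMPLE_MEMORY):
        print(f"offset {hit['offset']}: {hit['pan_masked']} exp {hit['expiry']} "
              f"svc {hit['service_code']}")
```

The point for a defender is the inverse of the attacker's: if this scan returns anything against a dump of the payment application's memory, card data is being handled in the clear on that host, and a point-to-point encryption terminal that never exposes track data to the POS software is the fix, not another signature. A real scraper reads other processes' memory through OS APIs rather than a byte string, but the matching logic is the same.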
Returning to the Wawa incident, the malware responsible was installed on the network on March 4 but was only discovered on December 10. It was removed two days after discovery. In the press release, the company stated:
“Based on our investigation to date, we understand that at different points in time after March 4, 2019, [the] malware began running on in-store payment processing systems at potentially all Wawa locations…Although the dates may vary and some Wawa locations may not have been affected at all, this malware was present on most store systems by approximately April 22, 2019”
The company also noted that the malware was configured to collect payment data passing through its in-store point of sale systems, such as credit and debit card numbers, expiration dates, and cardholder names. According to the statement, the malware did not collect debit card PINs, credit card CVV2 codes, or the driver's license information used to verify age-restricted purchases.
The malware was not found on any ATMs at in-store locations. Even at the time, however, the breach was expected to register on a massive scale, because Wawa operates more than 860 convenience stores, of which 600 also double as gas stations, with locations across Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and Washington, D.C.
Card Details Published Online
On Monday, January 27, hackers put the details of over 30 million payment cards up for sale on Joker's Stash, a popular card fraud forum. The cards were advertised under the name BIGBADABOOM-III at a price of 17 USD per card. According to Gemini Advisory, which subsequently published an article on the card dump, the card details can be traced back to the Wawa breach. Given how long the POS malware was present on Wawa's devices and the size of the company, the attack could plausibly have racked up numbers of that order.
Joker's Stash, the marketplace where the card details were dumped, has long been one of the largest and most infamous Dark Web marketplaces. Its administrator, JokerStash, had been advertising the dump since December 2019, with the last advertisement saying it would be available on January 27, 2020, and as advertised it was. That advertisement also stated that the card details would come with geolocation data listing the cardholder's state, city, and ZIP Code. When the data was released, geolocation data was included, though not to the extent previously advertised. The sheer size of the breach and the subsequent card dump has already led researchers to compare it to other massive incidents, including the Home Depot and Target breaches of 2014 and 2013 respectively.
Gemini Advisory noted that,
“The Wawa breach aligns with Joker’s Stash’s tactic of adding records stolen from large merchants in publicly disclosed major breaches only after the breach is announced. Based on Gemini’s analysis, the initial set of bases linked to “BIGBADABOOM-III” consisted of nearly 100,000 records. While the majority of those records were from US banks and were linked to US-based cardholders, some records also linked to cardholders from Latin America, Europe, and several Asian countries. Non-US-based cardholders likely fell victim to this breach when traveling to the United States and transacting with Wawa gas stations during the period of exposure.”
And further concluded,
“Notably, major breaches of this type often have low demand on the dark web. This may be due to the breached merchant’s public statement or to security researchers’ quick identification of the point of compromise. However, JokerStash uses the media coverage of major breaches such as these to bolster the credibility of their shop and their position as the most notorious vendor of compromised payment cards.”
A day after the card dump was published, Wawa released a press statement advising customers to remain vigilant and to report any fraudulent or suspicious transactions to their financial institutions. The company also reminded readers that it will provide free credit monitoring and identity theft protection to customers who believe they may have been affected by the breach and the subsequent publication of card details online.