author photo
By Bruce Sussman
Mon | Dec 16, 2019 | 11:47 AM PST

Visa is warning gas stations and the operators of fuel pump networks, along with those in the hospitality industry, about a new and sophisticated round of cyberattacks involving malware: 

"The activity detailed in this alert highlights continued targeting of POS systems, as well as targeted interest in compromising fuel dispenser merchants to obtain track data."

Track data is financial information from your payment card when you slide it into the pump so you can get gas.

This latest wave of cyberattacks on point-of-sale (POS) systems at gas stations goes well beyond the amateur card skimming attacks we've heard about in years past.

And a sophisticated attack technique also occurred against a merchant in the hospitality industry.

Gas pump network POS attack: incident #1

"In the first incident, PFD [Payment Fraud Disruption] analyzed the compromise of a North American fuel dispenser merchant. The threat actors compromised the merchant via a phishing email sent to an employee. The email contained a malicious link that, when clicked, installed a Remote Access Trojan (RAT) on the merchant network and granted the threat actors network access.

The actors then conducted reconnaissance of the corporate network, and obtained and utilized credentials to move laterally into the POS environment. There was also a lack of network segmentation between the Cardholder Data Environment (CDE) and corporate network, which enabled lateral movement.

Once the POS environment was successfully accessed, a Random Access Memory (RAM) scraper was deployed on the POS system to harvest payment card data."

This first scenario is another strong argument for network segmentation, which we hear about all the time at SecureWorld cybersecurity conferences. It could have limited the hackers' movements.

Gas pump network POS attack: incident #2

The second incident highlighted in this Visa Security Alert also identified a different compromise of another North American fuel dispenser merchant. 

"The actors again obtained network access to the targeted merchant, although it is unclear how the actors gained this initial access, and moved laterally within the network to the POS environment. A RAM scraper was injected into the POS environment and was used to harvest payment card data.

The targeted merchant accepted both chip transactions at the in-store terminals and magnetic stripe transactions at fuel pumps, and the malware injected into the POS environment appears to have targeted the mag stripe/track data specifically. Therefore, the payment cards used at the non-chip fuel pumps were at risk in the POS environment."

Who is behind cyberattacks on gas pump networks?

Attributing who is doing the hacking is always tricky and rarely 100% certain. However, Visa's Security Alert says sophisticated hacking group FIN8 is likely behind these attacks, and it found evidence of this in the second case:

"Forensic analysis of the targeted network identified numerous indicators of compromise (IOCs) that can likely be attributed to the cybercrime group known as FIN8. FIN8 is a financially motivated threat group active since at least 2016 and often targets the POS environments of retail, restaurant, and hospitality merchants to harvest payment account data. Among the IOCs recovered are command and control (C2) domains previously used by FIN8 in threat activity. The malware used in the attack also created a temporary output file, wmsetup.tmp, which was used to house the scraped payment data. This file was previously identified in attacks attributed to FIN8 and FIN8-associated malware."

Hospitality industry cyberattack: attributed to hacking group

The Visa alert also says a hospitality industry point-of-sale system got hit by FIN8 earlier in 2019, and that attack strategy may target fuel payment networks in the future:

"The analysis determined that the compromise was likely the result
of an operation conducted by the cybercrime group FIN8. The attack used a FIN8-attributed malware, but also used new malware not previously seen employed by the group in the wild.

The new malware is a full-featured shellcode backdoor that is based on the RM3 variant of the Ursnif (aka Gozi/Gozi-ISFB) modular banking malware.

While the malware used in this attack was not identified in the attacks against the fuel dispenser merchants, it is possible FIN8 will use this malware in future operations targeting fuel dispenser merchants."

There are more details, Indicators of Compromise (IOC), and mitigation steps in the complete security alert.

Downloadable PDF: Visa Gas Pump POS Security Alert

Comments