Visa Warns of Targeted PoS Attacks on Gas Station Merchants (Dec 13, 2019)

Visa's payment fraud division has identified at least three separate attacks since August 2019 targeting the Point of Sale (PoS) systems of two gas station merchants and a hospitality chain. Telemetry from two of the incidents suggests that the attacks were carried out by FIN8, a cybercrime group previously associated with numerous PoS system attacks. This week, Visa described the actors behind the PoS attacks as “sophisticated cybercrime groups looking to harvest payment card data,” using phishing emails with malicious links to download a Remote Access Trojan (RAT) that gives access to a merchant’s internal network. In one of the attacks, a RAT was used to conduct reconnaissance and move laterally into the PoS environment, after which the actor deployed a RAM scraper to harvest payment card data. According to Visa, credit card theft targeting gas station chains is increasing because “many have yet to implement the EMV smartcard standard for payment transactions,” which, once implemented, should provide significantly better protection against card data theft.

Recommendation: Customer-facing companies that store credit card data must actively defend against PoS threats and stay on top of industry compliance requirements and regulations. The use of point-to-point encryption, tokenization and other measures is recommended for protecting card data. Some of these measures are mandatory requirements under the Payment Card Industry Data Security Standard (PCI DSS).
