Credit card skimming attacks are nothing new for cybercriminals. For years ATMs and fuel pump stations have been subject to constant threat of identity theft via illegally obtaining credit card data. For this reason, the general public has been asked to practice vigilance when paying at the pump or withdrawing funds. Nevertheless, skimming is not the only threat these systems face, as cybercriminals continue to find new ways to steal data as is evidenced in a new report on fuel pump data theft.
In a report just released to the public, Visa has warned its customer base about an aggressive fuel pump data theft campaign specifically targeting the point-of-sale (PoS) systems at fuel pumps. The attacks, according to Visa’s Payment Fraud Division (PFD), started back in the summer of 2019.
The first incident, according to Visa, was carried out by sending a phishing email to a gas station employee that, when opened, allowed a remote access trojan (RAT) to gain access to the merchant’s network. The RAT was then able to leverage the network access, due to “lack of network segmentation,” to access the POS systems at the specific fuel dispenser merchant. Once this occurred, a RAM scraper was injected into the PoS system and took on the task of stealing stored data. In the case of the second incident, it is unknown how the threat actors gained access to the network, but they were able to access the PoS system via a similar RAT. Again, like the first incident, a RAM scraper was installed in the POS environment and data was subsequently stolen.
The final incident studied was a turning point in the Visa Payment Fraud Division’s investigation. Up until this point, Visa had suspected that FIN8, a cybercrime group active since 2016, was behind the attacks. And indeed, during the third attack, FIN8 was proven to be the perpetrators. Not only were multiple command-and-control (C2) servers affiliated with the group uncovered by Visa as in previous attacks, but the attack also used two different kinds of malware. The first was a malware already associated with FIN8 and the second was an unknown malware that had all the characteristics of FIN8’s programming. The new malware “is a full-featured shellcode backdoor that is based on the RM3 variant of the Ursnif (aka Gozi/Gozi-ISFB) modular banking malware.”
This malware is highly suspected to be deployed again in subsequent attacks against fuel pump PoS systems. For this reason, Visa is asking its customers, and also vendors that accept their cards, to bolster their security and practice defensive awareness of threats.