Payment processor Visa has issued a warning to its users about Point of Sale (POS) malware attacks that have been observed at fuel dispenser merchants in North America. Visa Payment Fraud Disruption (PFD) identified these attacks and says that these merchants are an increasingly attractive target for cybercrime groups.
PFD describes the attacks in two cases. In the first case, the attack began with a phishing email sent to an employee. Like every phishing email, this one included a malicious link that, when clicked, installed a Remote Access Trojan (RAT) on the merchant’s network and granted the attackers network access. The attackers then obtained and used credentials to move laterally into the merchant’s Point of Sale environment. PFD says that the lack of network segmentation between the Cardholder Data Environment (CDE) and the corporate network enabled this lateral movement. Once the attackers had access to the POS environment, a Random Access Memory (RAM) scraper was deployed on the POS system to gather payment card data.
In the second case, the actors again obtained network access to the targeted merchant, “…although it is unclear how the actors gained this initial access, and moved laterally within the network to the POS environment,” PFD says. In its research, PFD found that the targeted merchant accepted both chip transactions at the in-store terminals and magnetic stripe transactions at the fuel pumps, and that the malware injected into the POS environment appears to have targeted the magnetic stripe/track data specifically. Payment cards used at the non-chip fuel pumps were therefore at risk in the POS environment.
As part of its recommendations, Visa has suggested that merchants take actions such as securing remote access with strong passwords and enabling EMV technologies for secure in-person payments (chip, contactless, mobile and QR code).
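The segmentation gap PFD describes in the first case can be checked from a firewall rule export. The following is an added example, not part of Visa's alert: it flags every allow rule that lets corporate address space reach the CDE. The subnets, the rule tuple format and the sample rules are constructed assumptions.

```python
import ipaddress

def net(cidr):
    """Parse a CIDR string; 'any' means the whole IPv4 space."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)

def overlap(a, b):
    """Two CIDR blocks intersect only if one contains the other;
    return the narrower block (the intersection) or None."""
    if a.overlaps(b):
        return a if a.prefixlen >= b.prefixlen else b
    return None

def audit(rules, corporate, cde):
    """Flag allow rules whose source touches a corporate subnet and whose
    destination touches a CDE subnet.

    Rule order is ignored on purpose: a permissive rule that is currently
    shadowed by an earlier deny is still reported, because it becomes a
    live corporate-to-CDE path as soon as the deny is edited or reordered.
    """
    findings = []
    for idx, (action, src, dst, port) in enumerate(rules, start=1):
        if action != "allow":
            continue
        for corp in corporate:
            for card in cde:
                s_hit = overlap(net(src), net(corp))
                d_hit = overlap(net(dst), net(card))
                if s_hit and d_hit:
                    findings.append((idx, str(s_hit), str(d_hit), port))
    return findings

# Constructed sample data (assumed layout: action, source, destination, port).
CORPORATE = ["10.10.0.0/16"]
CDE = ["10.50.20.0/24"]
RULES = [
    ("allow", "10.10.5.0/24", "10.50.20.10/32", "443"),   # narrow but real path
    ("allow", "192.168.1.0/24", "10.50.20.0/24", "any"),  # source is not corporate
    ("deny", "10.10.0.0/16", "10.50.20.0/24", "any"),
    ("allow", "10.0.0.0/8", "any", "3389"),               # broad remote-access rule
    ("allow", "10.10.0.0/16", "10.60.0.0/16", "any"),     # destination is not CDE
]

if __name__ == "__main__":
    for idx, src, dst, port in audit(RULES, CORPORATE, CDE):
        print(f"rule {idx}: {src} -> {dst} port {port} crosses corporate/CDE boundary")
```

Each finding reports the intersecting source and destination ranges, so a broad rule such as `10.0.0.0/8` to `any` is shown as the specific corporate-to-CDE path it opens.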