Posted on December 16, 2019 at 3:43 PM
Payment processor Visa has warned that the POS systems of fuel dispenser merchants are being targeted: attackers are trying to install malware on merchants' internal networks. The attackers appear to have found a weak link in how gas pump and gas station operators run their systems. Last month, Visa warned of an imminent attack after investigating a series of incidents involving similar attacks on POS systems.
The POS malware works by scraping the computer's RAM for customers' unencrypted payment card data. It collects that data and sends it to a remote server. While the POS terminals of many other kinds of merchants support chip and PIN transactions, the readers built into gas pumps do not use the same technology.
The card readers installed on gas pumps still rely on older technology that can only read customers' payment data from the card's magnetic stripe. Because the stripe carries static data in the clear, these terminals are more exposed to this kind of attack. And, according to Visa, some attackers have found a way into the merchants' systems.
Attackers targeting fuel dispensers
Visa Payment Fraud Disruption (PFD) said it had identified the first hacking incident in which the perpetrators targeted fuel dispenser merchants. The unidentified attackers compromised their target with a phishing email, which allowed them to install a Remote Access Trojan (RAT) on one of the merchant's systems.
Once that system was infected, the attackers had full access to it, which made it easy to harvest enough credentials from the network to move laterally. With those credentials they reached the merchant's POS environment and its sensitive data. In the final stage of the attack they deployed a RAM scraper, which let them steal the payment card data of customers who used the POS system.
How hackers are infiltrating the POS system
These attackers used a relatively uncommon attack vector to get into the merchant's network and infect the POS system with malware: rather than tampering with the pump hardware, they compromised the internal network and planted a RAM scraper that targeted magnetic stripe transactions in particular.
Visa says the malware used in the POS attack wrote the scraped payment data to a temporary output file named wmsetup.tmp. According to Visa, that file had previously been seen in attacks attributed to the FIN8 threat group and in other malware associated with FIN8. Visa also reported a new variant of the RM3 banking malware, which is distributed through exploit kits and phishing.
Although this new variant was not used in the fuel dispenser merchant attack, Visa said it could still be deployed in future attacks against dispenser merchants.
Some security researchers have been tracking similar attacks for the past four years and have confirmed evidence of this malware on the POS systems of some gas stations. The attackers can take very sensitive customer data from the dispenser POS and send it to a remote server.
Magnetic stripe POS systems under attack
Visa has also warned that magnetic stripe POS systems remain a target. It pointed out that this attack model is quite different from the familiar skimming attacks at fuel pumps.
The card company stated that this model demands more technical ability, because the threat actors have to gain access to the merchant's internal network rather than attach a device to the pump. Breaching the POS environment from inside the network is a sophisticated operation, but these new threat actors are still managing it. Visa stresses that this is a distinct threat from skimming.
The payment processor warns that fuel dispenser merchants should be alert and put countermeasures in place to protect their networks. Deploying chip-capable readers greatly reduces the exposure to these attacks, since chip transactions do not leave static stripe data for a scraper to harvest. Visa has been providing acquirers and merchants with further measures they can use to prevent these attacks on their networks.