Visa has announced in a release that cybercriminals are employing new tactics to steal credit card information from around the U.S.
While most are familiar with “skimming” attacks at gas stations, where criminals install a physical piece of scanning technology on an actual fuel dispenser, the new attacks are more complicated and require more technical knowledge.
Visa identified three different types of attacks.
“The threat actors compromised the merchant via a phishing email sent to an employee. The email contained a malicious link that, when clicked, installed a Remote Access Trojan (RAT) on the merchant network and granted the threat actors network access,” Visa said.
“The actors then conducted reconnaissance of the corporate network, and obtained and utilized credentials to move laterally into the POS environment. There was also a lack of network segmentation between the Cardholder Data Environment (CDE) and corporate network, which enabled lateral movement. Once the POS environment was successfully accessed, a Random Access Memory (RAM) scraper was deployed on the POS system to harvest payment card data.”
In the second attack, the criminals gained access to a fuel dispenser merchant's network by a different, still unknown means and then moved laterally into the POS environment.
“A RAM scraper was injected into the POS environment and was used to harvest payment card data. The targeted merchant accepted both chip transactions at the in-store terminals and magnetic stripe transactions at fuel pumps,” Visa said, “and the malware injected into the POS environment appears to have targeted the mag stripe/track data specifically. Therefore, the payment cards used at the non-chip fuel pumps were at risk in the POS environment.”
The third attack was perpetrated on a hospitality merchant, but could eventually be used at a gas station. Visa thinks that cybercrime group FIN8 may be responsible for this particular attack.
“The attack used a FIN8-attributed malware, but also used new malware not previously seen employed by the group in the wild. The new malware is a full-featured shellcode backdoor that is based on the RM3 variant of the Ursnif (aka Gozi/Gozi-ISFB) modular banking malware. While the malware used in this attack was not identified in the attacks against the fuel dispenser merchants, it is possible FIN8 will use this malware in future operations targeting fuel dispenser merchants,” Visa said.