Since the beginning of the year, cybercriminals have launched several attacks on private companies and government agencies, particularly those that handle customers' payment card data. A recently published report reveals that attackers have made gas stations in North America a major target, with a number of recorded incidents against fuel dispenser merchants.
According to Visa Payment Fraud Disruption (PFD), three major cyber attacks on merchants' Point of Sale (PoS) systems were recorded in the summer of 2019. Two of these were launched against the PoS systems of fuel dispenser merchants in North America, and the attacks are believed to have been carried out by sophisticated cybercrime groups.
Image Source: www.scitechdaily.com
Payment Fraud Disruption explained the first incident involving a North American fuel dispenser merchant. According to the report, the cybercriminals launched a phishing attack on an employee by sending a malicious link to the employee's email. When clicked, the link installed a Remote Access Trojan (RAT) on the merchant network, giving the attackers access to it. The attackers then conducted reconnaissance of the corporate network, obtained credentials and moved laterally into the PoS environment. The report further reveals that they then deployed a Random Access Memory (RAM) scraper on the PoS systems to harvest payment card data.
The second incident involving a North American fuel dispenser merchant was quite similar to the first, with the actor again targeting the merchant's PoS environment. How the cybercriminals got into the PoS environment is unknown, but it was reported that they gained network access, moved into the PoS environment and deployed a RAM scraper there to steal payment card data.
A forensic analysis of the targeted network revealed multiple incidents of compromise which, according to the report, are linked to a sophisticated cybercrime group called FIN8. FIN8 is said to be a financially motivated hacking group that has been operating since 2016. Aside from the attacks on fuel dispenser merchants, the group is known for attacking the PoS environments of retailers, restaurants and others to obtain payment card data. The analysis identified wmsetup.tmp as a temporary output file created by the malware. This file was used to hold the scraped payment data, and according to the investigation, the same file was found in previous attacks by the FIN8 group.
In addition to the analyses of the two fuel dispenser merchants, PFD analysed the third incident and found that the malware recovered from the network of a compromised North American hospitality merchant was also linked to FIN8. In this attack the group used FIN8-attributed malware alongside new malware that had not been seen in any of its previous attacks. The report suspects that, although FIN8 used entirely new malware in this third attack, the same malware will be launched against fuel dispenser merchants in the future.
Image Source: www.cnet.com
Visa has provided guidelines to acquirers and merchants to prevent future attacks by these cybercriminals. They recommend that the indicators of compromise (IoCs) in the report be used to detect, remediate and prevent attacks that use these PoS malware variants. Merchants are also advised to monitor network connections for suspicious activity.
Acquirers and merchants are further advised to implement network segmentation to limit the spread of an attack, and to enable EMV technologies to secure in-person payments. As part of the recommendations, each administrative user should be given their own login credentials so that their activity can be monitored. Merchants should also maintain a patch management programme and keep all software and hardware updated to the latest release. Finally, remote access should be secured with strong passwords, and only the personnel who need it should be permitted to use it.
Fuel dispenser merchants are said to be the latest target of these cybercriminals, and they are advised to take the necessary measures to counter attacks that malicious actors may launch in the future.
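As an added illustration of the guidance above (this is example code written for this page, not code from Visa PFD or from the article), the script below runs two of the recommended checks over a handful of constructed log lines: it flags creation of the wmsetup.tmp temporary output file that the report attributes to FIN8's PoS malware, and it flags PoS hosts opening connections outside the network segment they are supposed to be confined to. The log line format, host names, the PoS subnet and the allowed destination ranges are all assumptions; the only indicator taken from the page is the file name.

```python
"""Detection sketch for two Visa PFD recommendations: IoC matching and
monitoring PoS network connections against a segmentation policy.
Added example; log format, hosts and addresses are assumed, not from the report."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicator taken from the report as quoted in the article: the temporary
# output file the RAM scraper used to hold scraped card data.
IOC_FILENAMES = {"wmsetup.tmp"}

# Assumed segmentation policy: PoS hosts may only talk to other hosts in the
# PoS segment and to the payment processor's gateway range. 203.0.113.0/24 is a
# documentation (TEST-NET-3) placeholder for that gateway, not a real address.
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_DESTINATIONS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Assumed (constructed) line formats:
#   FILE host=POS-07 proc=svchost.exe action=create path=C:\Windows\Temp\wmsetup.tmp
#   NET src=10.20.0.7 dst=198.51.100.25 dport=443 proto=tcp
FILE_RE = re.compile(
    r"^FILE host=(?P<host>\S+) proc=(?P<proc>\S+) action=(?P<action>\S+) path=(?P<path>.+)$"
)
NET_RE = re.compile(
    r"^NET src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


@dataclass
class Alert:
    rule: str
    detail: str


def check_file_event(m: "re.Match") -> Optional[Alert]:
    """Match the basename of the created file against the IoC list.
    Comparison is case-insensitive and accepts both path separators."""
    name = re.split(r"[\\/]", m["path"])[-1].lower()
    if name in IOC_FILENAMES:
        return Alert("ioc-file", f"{m['host']}: {m['proc']} {m['action']} {m['path']}")
    return None


def check_net_event(m: "re.Match") -> Optional[Alert]:
    """Flag any connection from a PoS host to a destination the policy does not allow."""
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    if src in POS_SUBNET and not any(dst in net for net in ALLOWED_DESTINATIONS):
        return Alert("pos-egress", f"{src} -> {dst}:{m['dport']}/{m['proto']} leaves the PoS segment")
    return None


def scan(lines) -> List[Alert]:
    """Run both checks over an iterable of log lines and return the alerts raised.
    Lines in an unknown format are surfaced as alerts rather than silently dropped."""
    alerts: List[Alert] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            alert = check_file_event(m)
        else:
            m = NET_RE.match(line)
            alert = check_net_event(m) if m else Alert("unparsed", line)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log: one IoC hit, one benign file, one allowed PoS
# connection, one PoS connection to an outside address, one non-PoS connection.
SAMPLE_LOG = """
FILE host=POS-07 proc=svchost.exe action=create path=C:\\Windows\\Temp\\wmsetup.tmp
FILE host=POS-07 proc=explorer.exe action=create path=C:\\Users\\clerk\\receipt.txt
NET src=10.20.0.7 dst=203.0.113.10 dport=443 proto=tcp
NET src=10.20.0.7 dst=198.51.100.25 dport=443 proto=tcp
NET src=10.30.0.5 dst=198.51.100.25 dport=80 proto=tcp
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(f"[{alert.rule}] {alert.detail}")
```

Running the script prints two alerts: the wmsetup.tmp creation on POS-07 and the PoS host's connection to 198.51.100.25. The egress rule is deliberately an allow-list: anything a PoS host reaches that is not explicitly permitted is reported, which is the behaviour network segmentation is meant to enforce and the kind of "suspicious connection" the guidance asks merchants to watch for.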
Source: The Drive
Disclaimer: Darkweblink.com does not promote or endorse claims that have been made by any parties in this article. The information provided here is for general purposes only and is not intended to promote or support the purchase and/or sale of any products or services, or to serve as a recommendation to do so. Neither Darkweblink.com nor any of its members is responsible, directly or indirectly, for any loss or damage caused or alleged to be caused by or in connection with reliance on or use of any content, goods or services mentioned in this article.