Visa Alert: POS Malware Attacks Persist
Devices at 2 Hospitality Firms Targeted
Despite the shift to e-commerce during the pandemic, attacks against POS devices persist. For example, Visa’s payment fraud disruption team uncovered recent malware attacks on POS devices used by two North American hospitality companies.
The attacks happened in May and June, according to the Visa alert. In the June incident, three POS malware variants designed to scrape payment card data were found on the targeted firm's network and devices.
"The recent attacks exemplify threat actors' continued interest in targeting merchant POS systems to harvest card present payment account data," according to the Visa alert.
The Visa report did not give specifics on the companies targeted, how much payment card data was stolen or how long these attacks continued.
"There is evidence to suggest that the actors employed various remote access tools and credential dumpers to gain initial access, move laterally and deploy the malware in the POS environment," according to the report.
The malware variants are designed to scrape payment card data from Windows-based POS devices, but each performs its functions differently, according to the report.
The RtPOS malware uses a specialized algorithm to check for payment card data before bundling the information into a file that the fraudsters later exfiltrate through a command-and-control server, the report notes.
The MMon malware, on the other hand, deploys a command-line memory scraping technique that collects payment card data from a POS device's memory. The Visa report notes this malicious code, in use since 2010, frequently is customized.
The PwnPOS malware creates persistence within POS devices and attempts to scrape payment card data from memory.
In the May attack that Visa analyzed, the researchers found that an employee at the targeted hospitality firm opened a phishing email that allowed a POS malware variant called TinyPOS to be installed throughout the company’s network and devices.
"Legitimate user accounts, including an administrator account, were compromised as part of this phishing attack and were used by the threat actors to log in to the merchant’s environment," according to the report. "The actors then used legitimate administrative tools to access the cardholder data environment within the merchant’s network."
The TinyPOS malware attempts to collect cardholders' names, account numbers, expiration dates and other information.
Visa notes that the malware usually gathers all payment card data in a log file before sending it to the command-and-control server. But the log file was removed by the time the analysis started, according to the report.
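A defender-side check for the staging files these variants write before exfiltration, added here as an example and not taken from the Visa alert: it scans a file's bytes for Track 2 records and confirms each candidate with a checksum, reporting only masked values. The Track 2 layout (ISO/IEC 7813) and the Luhn checksum are assumptions, since the alert does not name the algorithm or the file format; the function names and sample data are constructed for illustration.

```python
import re

# Assumed format: Track 2 per ISO/IEC 7813 -> ;PAN=YYMM<service code><discretionary>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first 6 and last 4 digits so findings never store a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_staged_track2(data: bytes):
    """Return (offset, masked PAN, expiry YYMM) for each checksum-valid Track 2 hit."""
    hits = []
    for m in TRACK2.finditer(data):
        pan = m.group(1).decode()
        expiry = m.group(2).decode()
        # Reject digit runs whose expiry month is impossible or whose PAN fails Luhn
        if 1 <= int(expiry[2:]) <= 12 and luhn_ok(pan):
            hits.append((m.start(), mask(pan), expiry))
    return hits

# Constructed sample file content: one record using the public test PAN
# 4111111111111111, one decoy that fails Luhn, and an unrelated 16-digit number.
SAMPLE = (b"2020-06-01 10:02 svc start\n"
          b";4111111111111111=25121010000000000?\n"
          b";4111111111111112=25121010000000000?\n"
          b"order=1234567890123456 qty=2\n")

if __name__ == "__main__":
    for offset, pan, exp in find_staged_track2(SAMPLE):
        print(f"offset={offset} pan={pan} exp={exp}")
```

Run over files in temporary and system directories on POS hosts, a hit in a file that no payment application owns is a lead for incident response.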
In September, Visa issued a warning to merchants and customers about a digital skimmer called "Baka" that is stealing payment card data from e-commerce sites while hiding from security tools (see: Visa Warns of Fresh Skimmer Targeting E-Commerce Sites).
In a recent interview with Information Security Media Group, Gord Jamieson, the senior director of Canada risk services for Visa, noted that the company had seen an increase in social engineering techniques by fraudsters since the start of the COVID-19 pandemic (see: Battling Payment Card Fraud in the COVID-19 Era).