Two hospitality merchants in North America were compromised by point-of-sale malware in May and June of this year, Visa said in a recent technical report.
The report from Visa's Payment Fraud Disruption team didn't name the affected companies or give specifics about the breaches, such as what was stolen or how many consumers were affected. Instead, the report focused on the malware, tactics, and indicators of compromise. The report did not suggest that the two compromises were related.
With the shutdown of many businesses and restrictions on travel and retail due to the pandemic, there are more transactions involving non-cash payment methods, such as mobile wallets and contactless "tap and go" transactions, according to weekly transaction analysis reports from PSCU (Payment Systems for Credit Unions), the largest credit union service organization in the United States. PSCU said 40.9 percent of credit card transactions were card-not-present transactions (such as online shopping) as of the end of September, which means the majority of transactions still involve a physical card being inserted into or swiped through a point-of-sale terminal.
"The recent attacks exemplify threat actors’ continued interest in targeting merchant POS systems to harvest card present payment account data," the report said.
One hospitality company was infected with a variant of the TinyPOS malware, and Track 1 and Track 2 payment account data were stolen, the report said. The memory scraper gathered the data and wrote it to log files, and a separate batch file handled sending those files outside the network.
POS malware infects point-of-sale applications and scrapes payment card details from system memory as the application processes the data. Track 1 and Track 2 refer to the data stored on a payment card's magnetic stripe, which includes the account number, expiration date, the three-digit code used to verify that the card is present, and the cardholder's name.
The actors gained access to the network after a successful phishing campaign compromised credentials for several user accounts and an administrator account. The actors used the stolen credentials and PowerShell to reach the cardholder data environment within the merchant's network. The memory scraper was a variant of TinyPOS, and the attack code was appended to a manipulated image file. The file displays correctly in an image viewer, but the hidden code runs in the background to scrape data and stage it for exfiltration.
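An image file that still renders correctly but carries code appended after the real image data is something a defender can check for mechanically: both PNG and JPEG define where the image ends (the IEND chunk and the FF D9 end-of-image marker respectively), so any bytes after that point are worth a second look. The following Python is an added example, not code from the Visa report or from the malware; it walks the container structure to find the true end of the image and returns whatever trails it. The sample images are constructed in-code (a 1x1 PNG and a skeletal JPEG that has valid marker structure but is not a decodable picture), and the appended text is a labelled placeholder, not the malware's payload. Trailing bytes are a signal to review, not proof of compromise, since some legitimate tools also append metadata.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_image_end(data: bytes) -> int:
    """Return the offset just past the IEND chunk's CRC by walking the chunk list."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        off += 8 + length + 4  # 8-byte chunk header, chunk data, 4-byte CRC
        if ctype == b"IEND":
            return off
    raise ValueError("truncated PNG: no IEND chunk")


def jpeg_image_end(data: bytes) -> int:
    """Return the offset just past the EOI marker (FF D9), skipping entropy-coded scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError("marker expected at offset %d" % i)
        marker = data[i + 1]
        if marker == 0xD9:  # EOI: the image proper ends here
            return i + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers carry no length
            i += 2
            continue
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        i += 2 + seg_len
        if marker == 0xDA:  # SOS: scan data follows; FF 00 is a stuffed byte, FF D0-D7 are restarts
            while i + 1 < len(data):
                nxt = data[i + 1]
                if data[i] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                i += 1
    raise ValueError("truncated JPEG: no EOI marker")


def trailing_bytes(data: bytes) -> bytes:
    """Bytes that sit after the end of the image container (empty for a clean file)."""
    if data.startswith(PNG_SIG):
        return data[png_image_end(data):]
    if data[:2] == b"\xff\xd8":
        return data[jpeg_image_end(data):]
    raise ValueError("unsupported image format")


# --- constructed sample inputs (hypothetical, for the demonstration only) ---

def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1 pixel, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


SAMPLE_PNG = build_sample_png()
SAMPLE_PNG_WITH_TRAILER = SAMPLE_PNG + b"# constructed placeholder: bytes appended after IEND\n"

# Skeletal JPEG: SOI, APP0/JFIF, SOS header, a few scan bytes with a stuffed FF 00 and a
# restart marker, then EOI. Structurally valid for the parser, not a real picture.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    for name, blob in [("clean png", SAMPLE_PNG), ("png+trailer", SAMPLE_PNG_WITH_TRAILER),
                       ("clean jpeg", SAMPLE_JPEG)]:
        extra = trailing_bytes(blob)
        print(f"{name}: {len(extra)} trailing byte(s)" + (f" -> {extra[:40]!r}" if extra else ""))
```

Run it over a directory of image files on a POS host or in an incident's evidence set and triage anything with a non-zero trailer; the parser deliberately refuses truncated files rather than guessing, so a parse error is itself a reason to look closer.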
The investigation team was not able to determine how the attackers initially got into the second merchant's network, or how the stolen data was exfiltrated. The team found clues suggesting the attackers "employed remote access tools and credential dumpers to gain initial access, move laterally, and deploy the malware in the POS environment." The evidence collected suggested that the attackers relied on a cocktail of POS malware, including MMon (also known as Картоха on crimeware forums), PwnPOS, and RtPOS.
RtPOS gained persistence on the point-of-sale terminal by installing itself as a service. It iterated over all the processes running on the compromised system and then scraped their memory for any Track 1 and Track 2 data. MMon also scraped memory. PwnPOS established persistence, checked that the account had administrator-level privileges, and likewise scraped data from memory.
The report reiterated the security best practices of patching vulnerable systems, monitoring network traffic for suspicious activity, and restricting user account privileges to only what is necessary. It emphasized enabling two-factor authentication on remote sessions, disabling remote access when not in use, and segmenting networks so that even if one part is compromised, the attacker can't easily move to other parts. Organizations should also enable EMV technology, such as contactless, mobile, and chip, for point-of-sale applications, since these are more secure than the older magnetic-stripe systems.
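All of the scrapers described here, TinyPOS (which wrote what it found to log files before a batch file shipped them out) as well as RtPOS, MMon and PwnPOS, leave the same artifact: Track 1 and Track 2 strings sitting in files or memory where they do not belong. The following Python is an added example, not code from the report or any of the named malware families. It scans text lines for the magnetic-stripe track formats, applies the Luhn check to the candidate account number to discard false positives, and reports only a masked account number so the detector does not itself become a source of cardholder data. The log lines are constructed for the example and use the well-known Luhn-valid test numbers 4111111111111111 and 5555555555554444, not real accounts.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Track 1: [%]B<PAN>^<NAME>^<YYMM><service code><discretionary>[?]
TRACK1_RE = re.compile(r"%?B(\d{13,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{4})(\d{3})[^?\n]*\??")
# Track 2: [;]<PAN>=<YYMM><service code><discretionary>[?]
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})[^?\n]*\??")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check on a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the usual allowance for a truncated PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackHit:
    line_no: int
    track: int
    masked_pan: str
    expiry: str  # YYMM as encoded on the stripe


def scan_lines(lines: Iterable[str]) -> List[TrackHit]:
    """Return one hit per Luhn-valid track string found, with the PAN masked."""
    hits: List[TrackHit] = []
    for n, line in enumerate(lines, 1):
        for m in TRACK1_RE.finditer(line):
            if luhn_valid(m.group(1)):
                hits.append(TrackHit(n, 1, mask_pan(m.group(1)), m.group(3)))
        for m in TRACK2_RE.finditer(line):
            if luhn_valid(m.group(1)):
                hits.append(TrackHit(n, 2, mask_pan(m.group(1)), m.group(2)))
    return hits


# Constructed sample: what a scraper's staging log might look like, mixed with noise.
SAMPLE_LOG = [
    "2020-06-01 10:02:11 svc pos.exe pid=4120 scan ok",
    "%B4111111111111111^DOE/JOHN^23121010000000000000000?",
    ";5555555555554444=24061010000000000?",
    "order 1234567890123456=2312101 ref",  # track-shaped but fails Luhn: constructed noise
    "heartbeat seq=41111111111111 ok",  # digits without a separator: not a track
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG):
        print(f"line {hit.line_no}: track {hit.track} PAN {hit.masked_pan} exp {hit.expiry}")
```

Pointed at files under the POS application's directories, at unexpected log files that grow over time, or at the output of a memory acquisition, this gives a quick answer to "is cardholder data being staged here?" without copying the data itself into the alert; the Luhn gate matters because numeric identifiers with `=` after them are common in ordinary logs.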