FIN8 Targets Card Data at Fuel Pumps

Paying at the pump has landed in the sights of the notorious PoS-skimming group.

The notorious FIN8 cybercrime group has a new target when it comes to skimming payment-card details from consumers: Point-of-sale (PoS) systems used at fuel pumps at gas stations.

Visa warned this week in a public alert posted online that its Payment Fraud Disruption (PFD) department has seen at least two separate campaigns emerging this past summer that targeted fuel pumps.

“PFD recently reported on the observed increase of PoS attacks against fuel dispenser merchants, and it is likely these merchants are an increasingly attractive target for cybercrime groups,” according to the Visa alert.

Researchers attributed the attacks to FIN8, the financially motivated threat group whose typical mode of attack is to steal payment-card data from PoS environments, particularly those of retailers, restaurants and hospitality providers. The group has been active since at least 2016, but appeared to go quiet for a while in late 2017 before emerging again earlier this year with a raft of new tools and new attacks, starting with several in the hotel industry detected in July.

From the attacks they observed, Visa researchers recovered command-and-control (C2) domains that FIN8 had used in previous threat activity, pointing to the group's involvement. Some of the malware used in the attack created a temporary output file, wmsetup.tmp, to scrape payment data, and was also associated with malware and tactics previously used by the group, according to Visa.

The first attack compromised the PoS system of “a North American fuel dispenser merchant” using a phishing email sent to an employee that included a malicious link. Once clicked on, the link installed a remote access trojan (RAT) on the merchant network, which allowed the attackers access. Once they were inside the system, the threat actors found credentials on the corporate network and were able to move laterally into the PoS environment. That was not difficult to do because the system lacked segmentation between the cardholder data environment (CDE) and the corporate network, according to Visa. Attackers then used a RAM scraper to harvest payment-card data from the PoS system.

The second attack had a similar target – a North American gas-pump dispenser – but Visa PFD researchers said they were unsure of how attackers gained initial access to the merchant’s network environment. However, in a similar way, the threat actors moved laterally to the PoS network and used a RAM scraper to steal customer card information, according to Visa.

This attack was slightly different from the first, however, in that the merchant accepted both chip transactions at the in-store terminals and magnetic stripe transactions at fuel pumps. The malware used by attackers targeted data from the magnetic-stripe transactions specifically, while chip transactions made in-store were left unscathed by the attack.

Even before Visa’s warning of increased attacks, there has been evidence of the rise of fuel pumps as targets for cybercriminals. Since their inception, these systems have proven to be a rather easy target for threat actors due to their inherent lack of security, with a ramp-up of attacks that started early last year.

In fact, in both of the two recent pump incidents, researchers observed security flaws on the part of the merchants that put payment-card data at risk, including lack of secure acceptance technology – such as EMV chip, point-to-point encryption or tokenization – and non-compliance with PCI DSS, according to the alert.

In addition to payment-card scrapers used in these recent attacks, researchers also have previously observed the widespread use of Bluetooth-enabled skimmers to steal payment information from fuel pumps, according to a published report.
