Hacker Infects Gas Pumps with Code to Cheat Customers

Russian authorities have broken up a crime ring involving a hacker and willing gas-station employees who have used malicious software to cheat customers of gas.

Authorities in Russia have broken up a widespread scheme involving dozens of gas-station employees who used software programs on electronic gas pumps to con customers into paying for more fuel than then actually pumped into their tank. The scam shorted customers between 3-to-7 percent per gallon of gas pumped.

On Saturday, Russian Federal Security Service (FSB) arrested hacker Denis Zayev in Stavropol, Russia on charges he created several software programs designed to swindler gas customers, according to multiple Russian media reports.

The software was found only on gas stations located predominantly throughout the south of Russia.

The FSB did not return email request for comment on this story.

Zayev is accused of developing the software programs and selling them to rogue gas-station employees. Under the arraignment, both gas-station employees and Zayev received a cut of the money customers overpaid for gas. According to the FSB, the crime earned Zayev and gas station employees “hundreds of millions of rubles.”

A translated report from news source Rosbalt said the malicious software was nearly impossible to detect by local inspectors and oil companies that monitor gasoline inventory remotely.

According to the report, not only did pumps display false data, but also cash registers and back-end systems.  Next, Zayev’s software was able to cloak sales data tied to the sale of a station’s illicit surplus gasoline.

It’s unclear what tipped Russian authorities off to the scam.

Hackers targeting gas stations isn’t new. In 2014,  New York state authorities charged 13 men for using Bluetooth-enabled skimmers to steal more than $2 million from customers at gas stations across the Southern United States between 2012 and 2013.

A 2015 Black Hat presentation (PDF) by researchers Kyle Wilhoit and Stephen Hilt, also highlighted dangers of a growing number of internet-exposed gas pump monitoring systems in the U.S. They warned exposed SCADA systems could allow malicious actors to carry out DDoS attacks against pumps, register incorrect fill data and damage engines by manipulating pumps to serve diesel fuel instead of unleaded.

Suggested articles

Discussion

  • Jim Maddison on

    This has been going on in the U.K. for years. It’s called government and business greed
    • KDD on

      US federal and state governments also.
  • Ron on

    The last 'graph does nothing but damage the credibility of the author. The claims of danger there, and in the cited presentation, are absurd.
  • Terry on

    The use of chip technology has eliminated much of the skimming oh mag stripe info, subsequently these very smart thieves are employing this sophisticated software to dupe the customer

Leave A Comment

 

07/19/18 3:00
The average payout price for #BugBounty critical vulnerabilities are up six percent and now average $2,041 compared… https://t.co/YM4fRYUQQI

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.