Visa Warns of Attack Involving Mix of POS Malware

A North American merchant’s point-of-sale (POS) terminals were infected with a mix of POS malware earlier this year, Visa reports.

In May and June 2020, the company analyzed malware variants used in independent attacks on two North American merchants, one of which employed a TinyPOS variant, while the other involved a mix of malware families such as MMon (aka Kaptoxa), PwnPOS, and RtPOS.

As part of the first attack, phishing emails were sent to a North American hospitality merchant’s employees to compromise user accounts, including an administrator account, and legitimate administrative tools were used to access the cardholder data environment (CDE) within the network.

Next, the attackers deployed the TinyPOS memory scraper to gather Track 1 and Track 2 payment card data and leveraged a batch script to deploy the malware en masse across the network. The analyzed malware sample did not contain network or exfiltration functions.

In addition to harvesting card data and preparing it for exfiltration, the malware can enumerate processes running on the system to identify those pertaining to specific POS software.

As for the second attack, while Visa’s researchers could not identify the exact intrusion vector, they gathered evidence suggesting the adversary used remote access tools and credential dumpers for initial access, lateral movement, and malware deployment.

“The malware utilized in these stages of the compromise was not recovered. The POS malware variants used in this attack targeted track 1 and track 2 payment account data,” Visa explains in a technical report.

The RtPOS sample used in this attack iterates over the running processes to identify those of interest, gains access to the compromised system’s memory space, and attempts to validate all Track 1 and Track 2 data that it finds using the Luhn algorithm.

MMon (“memory monitor”), also referred to as Картоха on underground forums, has been around for roughly a decade and has powered POS scraping malware such as JavalinPOS, BlackPOS, POSRAM, and more.

PwnPOS can achieve persistence by installing itself as a service, employs the Luhn algorithm to identify card data, writes that data to a file in plain text, and logs its own general behavior to a log file.
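The Luhn check that RtPOS and PwnPOS apply to harvested track data is the same check a defender can run over a suspect plaintext file (such as the dump PwnPOS writes) to confirm it holds card data. The following added example is not Visa’s or SecurityWeek’s code; it parses Track 2 records, validates each PAN with Luhn, and reports masked findings, using a constructed dump with public test card numbers.

```python
import re
from typing import Dict, List

# Constructed sample in the style of a plaintext scraper dump.
# The PANs are well-known test numbers, not real cards.
SAMPLE_DUMP = """\
scan start
;4111111111111111=25121011234567890?
;4111111111111112=25121011234567890?
;5555555555554444=26061019999999999?
noise line 1234
"""

# Track 2 layout: start sentinel ';', PAN (12-19 digits), separator '=',
# expiry YYMM, 3-digit service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits so a finding can be triaged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> List[Dict[str, str]]:
    """Find Track 2 records whose PAN passes Luhn; return masked findings only."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan, exp, svc = m.group(1), m.group(2), m.group(3)
        if luhn_valid(pan):
            findings.append({"pan": mask_pan(pan), "expiry": exp, "service_code": svc})
    return findings


if __name__ == "__main__":
    for finding in find_track2(SAMPLE_DUMP):
        print(finding)
```

The second record fails Luhn because its check digit was altered, which is exactly why scrapers and scanners alike use the check to separate card data from random digit strings.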

To reduce the risk of exposure to POS malware, merchants are advised to use available IOCs to improve detection and remediation, secure remote access, employ unique credentials for each administrative account, monitor network traffic, implement network segmentation, enable behavioral detection, and ensure all software is up-to-date with the latest patches.

Related: Visa Issues Alert for ‘Baka’ JavaScript Skimmer

Related: Driver Vulnerabilities Facilitate Attacks on ATMs, PoS Systems

Related: Sodinokibi Ransomware Operators Target POS Software

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
