The US payments processor revealed that two North American hospitality merchants were hacked and had their systems infected with point-of-sale (POS) malware.

Visa Payment Fraud Disruption (PFD) analysed malware samples recovered from the independent compromise of two North American merchants.

According to a security alert disclosed last week, the attacks took place in May and June 2020.

“In these incidents, criminals targeted the merchant’s point-of-sale (POS) terminals in an effort to harvest and exfiltrate payment card data. Subsequent to analysis, the first attack was attributed to the malware variant Tiny POS, and the second to a mix of POS malware families including RtPOS, Mon (aka Kaptoxa, BlackPOS), and PwnPOS,” reads the VISA security alert.

A description of the two security breaches and the malware used in the attacks was published to help other companies in the hospitality sector scan their networks for the presence of the same threat actors.

In the May incident, the attackers used the TinyPOS malware strain to compromise the network of a North American hospitality merchant.

The attackers gained entry to the merchant network through a phishing campaign that targeted the merchant’s employees. As part of this campaign, legitimate user accounts, including an administrator account, were compromised and used by the threat actors to log in to the merchant’s environment. The actors then used legitimate administrative tools to access the cardholder data environment (CDE) within the merchant’s network.

“Once access to the CDE was established, the actors deployed a memory scraper to harvest track 1 and track 2 payment account data, and later used a batch script to mass deploy the malware across the merchant’s network to target various locations and their respective POS environments. The memory scraper harvested the payment card data and output the data into a log file. At the time of analysis, no network or exfiltration functions were present within the sample. Therefore, the actors would likely remove the output log file from the network using other means,” continues the report.

The recent attacks illustrate that the threat actors continue to target merchant POS systems to harvest card-present payment account data.
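Because the scraper described in the alert writes harvested track data to a log file on disk, defenders can sweep POS hosts for files containing track 1 or track 2 records. The following is an added example, not code from Visa's alert: the function names and sample data are assumptions, and the patterns follow the standard ISO/IEC 7813 track layouts with a Luhn check to cut false positives.

```python
import re
import sys

# ISO/IEC 7813 layouts: sentinel, PAN, separator, expiry YYMM, 3-digit service code, end sentinel.
TRACK1 = re.compile(rb"%B(\d{12,19})\^[^^\r\n]{2,26}\^(\d{4})\d{3}[^?\r\n]*\?")
TRACK2 = re.compile(rb";(\d{12,19})=(\d{4})\d{3}[^?\r\n]*\?")

def luhn_ok(pan: bytes) -> bool:
    """Luhn check; filters out random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48                      # ASCII digit to int
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: bytes) -> str:
    """Keep first six and last four digits so the report itself holds no full PAN."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]

def scan_blob(data: bytes):
    """Return (track type, byte offset, masked PAN) for each plausible track record."""
    hits = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(data):
            month = int(m.group(2)[2:])
            if 1 <= month <= 12 and luhn_ok(m.group(1)):
                hits.append((kind, m.start(), mask(m.group(1))))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample: industry test PAN 4111111111111111, not real card data.
SAMPLE = (
    b"pos01 %B4111111111111111^DOE/JANE^25121010000000000000?\n"
    b"noise ;4111111111111112=25121010000?\n"      # fails Luhn, ignored
    b"noise ;4111111111111111=25131010000?\n"      # month 13, ignored
    b"pos02 ;4111111111111111=25121010000000000?\n"
)

if __name__ == "__main__":
    # With arguments: scan those files. Without: scan the constructed sample.
    blobs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("sample", SAMPLE)]
    for name, blob in blobs:
        for kind, offset, pan in scan_blob(blob):
            print(f"{name}: {kind} at byte {offset}: {pan}")
```

Any hit on a POS host outside the payment application's own encrypted storage warrants investigation, since cleartext track data should not be written to disk.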
