
Visa Alert: POS Malware Attacks Persist

Devices at 2 Hospitality Firms Targeted

Despite the shift to e-commerce during the pandemic, attacks against POS devices persist. For example, Visa's payment fraud disruption team uncovered recent malware attacks on POS devices used by two North American hospitality companies.


The attacks happened in May and June, according to the Visa alert. In the June incident, three POS malware variants designed to scrape payment card data were found on the targeted firm's network and devices.

"The recent attacks exemplify threat actors' continued interest in targeting merchant POS systems to harvest card present payment account data," according to the Visa alert.

The Visa report did not give specifics on the companies targeted, how much payment card data was stolen or how long these attacks continued.

Three Variants

The three POS malware variants that targeted one hospitality company in June were identified as RtPOS, MMon and PwnPOS, according to the Visa report.

"There is evidence to suggest that the actors employed various remote access tools and credential dumpers to gain initial access, move laterally and deploy the malware in the POS environment," according to the report.

The malware variants are designed to scrape payment card data from Windows-based POS devices, but each performs its functions differently, according to the report.

The RtPOS malware uses a specialized algorithm to check for payment card data before bundling the information into a file that the fraudsters later exfiltrate through a command-and-control server, the report notes.

The MMon malware, on the other hand, deploys a command-line memory scraping technique that collects payment card data from a POS device's memory. The Visa report notes this malicious code, in use since 2010, is frequently customized.

The PwnPOS malware creates persistence within POS devices and attempts to scrape payment card data from memory.
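All three variants described above depend on the same weakness: card data sitting unencrypted in the memory of a Windows POS process. A defender can test for that condition directly, for example by sweeping a process memory dump for track-2 records and Luhn-valid card numbers as part of a P2PE validation or an incident response triage. The example below is added here for illustration and is not code from Visa or from the report; it operates on a constructed byte string that stands in for a memory dump, uses a standard Visa test number rather than real cardholder data, and reports only masked PANs so the scan output itself does not become sensitive.

```python
import re

# Constructed sample "memory region": one track-2 style record using the
# well-known test PAN 4111111111111111, plus a 16-digit run that fails the
# Luhn check and should not be reported. Not real cardholder data.
SAMPLE_MEMORY = (
    b"\x00\x00SOME_POS_PROCESS_STRINGS\x00"
    b";4111111111111111=25121010000012345678?\x00"
    b"random 1234567890123456 digits that fail Luhn\x00"
    b"\xff\xfe\x00\x00"
)

# Track-2 layout: optional ';' start sentinel, PAN, '=' separator, YYMM expiry,
# service code / discretionary data, optional '?' end sentinel.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})\d*\??")
# Bare PAN candidate: 13-19 digits not adjacent to other digits.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four digits only, e.g. 411111******1111."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(blob: bytes) -> list:
    """Scan a memory image for track-2 records and bare Luhn-valid PANs.

    Returns a list of findings with masked PANs and byte offsets; track-2 hits
    are recorded first and their PAN spans are excluded from the bare-PAN pass
    so each card number is reported once.
    """
    findings = []
    seen_spans = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({
                "kind": "track2",
                "masked": mask(pan),
                "expiry": m.group(2).decode(),
                "offset": m.start(1),
            })
            seen_spans.append(m.span(1))
    for m in PAN_RE.finditer(blob):
        if any(start <= m.start(1) < end for start, end in seen_spans):
            continue
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({
                "kind": "pan",
                "masked": mask(pan),
                "expiry": None,
                "offset": m.start(1),
            })
    return findings


if __name__ == "__main__":
    for hit in find_cleartext_pans(SAMPLE_MEMORY):
        print(hit)
```

On a real engagement the input would be a dump of the POS application process taken with the vendor's or the OS's own tooling; any hit means card data is exposed to exactly the kind of scraper the report describes, and the fix is on the terminal or application side (point-to-point encryption before the data reaches the POS host), not in the scanner.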

Second Attack

In the May attack that Visa analyzed, the researchers found that an employee at the targeted hospitality firm opened a phishing email that allowed a POS malware variant called TinyPOS to be installed throughout the company's network and devices.

"Legitimate user accounts, including an administrator account, were compromised as part of this phishing attack and were used by the threat actors to log in to the merchant's environment," according to the report. "The actors then used legitimate administrative tools to access the cardholder data environment within the merchant's network."
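Because the May intrusion was carried out with legitimate accounts and legitimate administrative tools, signature-based malware detection would have had little to work with; the observable is an administrator account reaching the cardholder data environment from somewhere it should not. The example below, added here and not part of the Visa report, shows one way to express that as detection logic over Windows logon events. It assumes a small inventory of CDE hosts, a single sanctioned jump subnet and a list of accounts permitted in the CDE (all constructed for the example), and runs over constructed sample event lines in a simplified CSV form (timestamp, event ID, account, source IP, destination host, logon type).

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed environment inventory (constructed for this example).
CDE_HOSTS = {"POS-REG-01", "POS-REG-02", "POS-DB-01"}
JUMP_NET = ip_network("10.50.0.0/24")          # only sanctioned admin path
ADMIN_ACCOUNTS = {"corp\\posadmin", "corp\\svc-backup"}
FANOUT_WINDOW = timedelta(minutes=15)

# Constructed sample events, not data from the report. The first line is a
# normal admin logon from the jump subnet; the rest model a workstation
# (where a phishing payload would land) using a stolen admin account and a
# normal user account to reach several CDE hosts in a few minutes.
SAMPLE_EVENTS = """\
2020-05-12T02:11:04Z,4624,corp\\posadmin,10.50.0.7,POS-REG-01,10
2020-05-12T02:14:31Z,4624,corp\\posadmin,10.20.3.88,POS-REG-01,10
2020-05-12T02:15:02Z,4624,corp\\posadmin,10.20.3.88,POS-DB-01,3
2020-05-12T02:16:40Z,4624,corp\\jsmith,10.20.3.88,POS-REG-02,3
2020-05-12T08:30:00Z,4624,corp\\jsmith,10.20.3.88,WKS-FRONTDESK-04,2
"""


def parse_events(text: str) -> list:
    """Parse the simplified CSV logon records into dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, src, host, logon_type = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event_id": int(event_id),
            "account": account.lower(),
            "src": ip_address(src),
            "host": host.upper(),
            "logon_type": int(logon_type),
        })
    return events


def detect(text: str) -> list:
    """Return alerts for successful logons (4624) into CDE hosts that break policy.

    Rules: (1) CDE logon whose source is outside the jump subnet;
           (2) CDE logon by an account not on the admin allow-list;
           (3) one source reaching two or more CDE hosts within FANOUT_WINDOW,
               the lateral-movement pattern the report describes.
    """
    alerts = []
    per_source = {}
    for e in parse_events(text):
        if e["event_id"] != 4624 or e["host"] not in CDE_HOSTS:
            continue
        base = {"ts": e["ts"].isoformat(), "account": e["account"],
                "src": str(e["src"]), "host": e["host"]}
        if e["src"] not in JUMP_NET:
            alerts.append({**base, "reason": "cde_logon_off_jump_path"})
        if e["account"] not in ADMIN_ACCOUNTS:
            alerts.append({**base, "reason": "unexpected_account_in_cde"})
        per_source.setdefault(e["src"], []).append(e)

    for src, evs in per_source.items():
        hosts = sorted({e["host"] for e in evs})
        span = max(e["ts"] for e in evs) - min(e["ts"] for e in evs)
        if len(hosts) >= 2 and span <= FANOUT_WINDOW:
            alerts.append({
                "ts": min(e["ts"] for e in evs).isoformat(),
                "account": ",".join(sorted({e["account"] for e in evs})),
                "src": str(src),
                "host": ",".join(hosts),
                "reason": "cde_fan_out",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The same three rules apply unchanged to real 4624 events pulled from a SIEM once the field mapping is adjusted; the point is that the policy (who may enter the CDE, and from where) is what makes credential abuse visible when the tooling itself is legitimate.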

The TinyPOS malware attempts to collect cardholders' names, account numbers, expiration dates and other information.

Visa notes that the malware usually gathers all payment card data in a log file before sending it to the command-and-control server. But the log file was removed by the time the analysis started, according to the report.

Other Attacks

In September, Visa issued a warning to merchants and customers about a digital skimmer called "Baka" that is stealing payment card data from e-commerce sites while hiding from security tools (see: Visa Warns of Fresh Skimmer Targeting E-Commerce Sites).

In a recent interview with Information Security Media Group, Gord Jamieson, the senior director of Canada risk services for Visa, noted that the company had seen an increase in social engineering techniques by fraudsters since the start of the COVID-19 pandemic (see: Battling Payment Card Fraud in the COVID-19 Era).


About the Author

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produce multimedia content and daily market shows. Rautmare is a keen follower of geopolitical news and defense technology in his free time.
