Criminal hacking group FIN8, known for a flurry of attacks in 2017 followed by a period of silence in 2018 until re-emerging earlier this year, has recently carried out three attacks against point-of-sale (POS) systems, including two against North American fuel dispenser merchants, Visa Payment Fraud Disruption said.
Visa said the attacks on fuel dispenser merchants aimed to steal credit card data directly from the POS systems. As is usually the case, the hackers’ success came down to a mix of human mistakes and missing security controls.
To steal credit card data, hackers need to go through a number of steps. In the FIN8 attack, it started with an employee opening a phishing email, which installed a Remote Access Trojan (RAT) on the merchant network and granted the threat actors network access.
“The actors then conducted reconnaissance of the corporate network, and obtained and utilized credentials to move laterally into the POS environment,” reads the Visa Payment Fraud Disruption report.
“There was also a lack of network segmentation between the Cardholder Data Environment (CDE) and corporate network, which enabled lateral movement. Once the POS environment was successfully accessed, a Random Access Memory (RAM) scraper was deployed on the POS system to harvest payment card data.”
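The missing control the report describes is segmentation between the corporate network and the CDE. The following is an added example, not code from Visa or from the report, showing one way a defender can check flow logs for corporate-to-CDE crossings that are not on an explicit allowlist; the subnets, the allowlist entry and the log lines are all constructed for the example.

```python
import ipaddress
from typing import Iterable

# Constructed for this example: corporate and cardholder-data (CDE) subnets.
# In practice these come from the merchant's own PCI DSS scoping inventory.
CORPORATE_NET = ipaddress.ip_network("10.10.0.0/16")
CDE_NET = ipaddress.ip_network("10.50.0.0/24")

# Corporate hosts permitted to reach the CDE, and only on the listed port
# (here a hypothetical jump host on RDP). Any other crossing is a finding.
ALLOWED_CROSSINGS = {
    ("10.10.5.20", 3389),
}

# Constructed flow-log lines: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
SAMPLE_FLOWS = """\
2019-12-01T02:14:07Z 10.10.5.20 10.50.0.11 3389 tcp
2019-12-01T02:15:33Z 10.10.8.42 10.50.0.11 445 tcp
2019-12-01T02:16:01Z 10.10.8.42 10.50.0.12 3389 tcp
2019-12-01T02:17:45Z 10.10.8.42 10.10.9.7 445 tcp
2019-12-01T02:18:12Z 10.50.0.11 10.10.8.42 49152 tcp
"""

def parse_flow(line: str):
    """Parse one flow-log line into (timestamp, src, dst, port)."""
    ts, src, dst, port, _proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)

def segmentation_violations(lines: Iterable[str]) -> list:
    """Return flows that cross from the corporate network into the CDE
    without a matching allowlist entry. Each finding is (ts, src, dst, port).
    Flows inside one network, or from the CDE outward, are not reported here."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_flow(line)
        if src in CORPORATE_NET and dst in CDE_NET:
            if (str(src), port) not in ALLOWED_CROSSINGS:
                findings.append((ts, str(src), str(dst), port))
    return findings

if __name__ == "__main__":
    for ts, src, dst, port in segmentation_violations(SAMPLE_FLOWS.splitlines()):
        print(f"{ts} corporate->CDE crossing not on allowlist: {src} -> {dst}:{port}")
```

On the constructed log, the jump-host RDP flow passes, while the two flows from 10.10.8.42 into the CDE (SMB and RDP from a non-allowlisted host) are reported as segmentation violations.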
A RAM scraper is malware that reads data out of the memory of running processes, in this case to capture payment card data as the POS software handles it; what else it does depends on its design. Some variants also act as a keylogger and can send the collected data directly to the hackers.
A third attack, against the network of a compromised North American hospitality merchant, was also attributed to FIN8, which is known for spearphishing attacks against the restaurant, hotel and hospitality sectors. The third attack used most of the same techniques, along with a new shellcode backdoor based on the RM3 variant of the Ursnif (aka Gozi/Gozi-ISFB) modular banking malware.
Besides the inadequate employee training, which led to one of them falling for a phishing email, the hack succeeded because the merchants lacked secure acceptance technology (e.g. EMV chip, point-to-point encryption, tokenization) and did not comply with PCI DSS.
Visa urges all merchants that use POS systems to secure their networks, to install and keep security solutions updated, and, most importantly, to pay close attention to phishing emails.