VISA Warns of POS Malware Campaigns in North America

Visa Payment Fraud Disruption (PFD) has warned of a malware campaign targeting point-of-sale (POS) terminals, as cybercriminals have a clear strategy to steal card data.

Credit card data sells at a premium on the dark web, and stealing it straight from POS devices is the shortest route for criminals. Unlike less sophisticated attacks, such as phishing, take longer. On the other hand, compromising POS devices is more difficult, requires technical knowledge, and is not a tool that”s widely available.

Attackers targeted two companies in North America. A successful phishing campaign allowed criminals to log in using legitimate user accounts, including an administrator account. With those credentials, the bad actors used administrative tools to access the cardholder data environment (CDE) within the merchant”s network.

“Once access to the CDE was established, the actors deployed a memory scraper to harvest track 1 and track 2 payment account data, and later used a batch script to mass deploy the malware across the merchant”s network to target various locations and their respective POS environments,” notes VISA in the advisory.

“The memory scraper harvested the payment card data and output the data into a log file. At the time of analysis, no network or exfiltration functions were present within the sample. Therefore, the actors would likely remove the output log file from the network using other means.”

The second attack, on a different merchant, was more sophisticated as criminals used the malware variants RtPOS, MMon (aka Kaptoxa) and PwnPOS. According to VISA, a lot less is known about the method employed by these attacks. The company could not recover the malware used.

VISA also published the indicators of compromise for each incident and a list of best practices:

• Employ the IOCs contained in the report to detect, remediate and prevent attacks using the POS malware variant.

• Secure remote access with strong passwords, ensure only the necessary individuals have permission for remote access, disable remote access when not needed, and use two-factor authentication for remote sessions.

• Enable EMV technologies for secure in-person payments (chip, contactless, mobile and QR code).

• Provide each admin user with individual credentials. User accounts should also only be provided with the permissions vital to the job responsibilities.

• Turn on heuristics (behavioral analysis) on anti-malware to search for suspicious behavior, and update anti-malware applications.

• Monitor network traffic for suspicious connections and log system and network events.

• Implement Network Segmentation, where possible, to prevent the spread of malicious software and limit an attacker”s foothold.

• Maintain a patch management program.