In a security alert published on Thursday, US payments processor Visa revealed that two North American hospitality merchants were hacked and had their system infected with point-of-sale (POS) malware earlier this year.
POS malware is designed to infect Windows systems, seek POS applications, and then search and monitor the computer’s memory for payment card details that are being processed inside the POS payments apps.
“In May and June 2020, respectively, Visa Payment Fraud Disruption (PFD) analyzed malware samples recovered from the independent compromises of two North American merchants,” Visa said.
The US payments processor didn’t name either of the two victims due to non-disclosure agreements involved in investigating the incidents.
Visa published on Thursday a security alert [PDF] with a description of the two security breaches and the malware used in the attacks in order to help other companies in the hospitality sector scan their networks for indicators of compromise.
June hack: Hackers used three different POS malware strains
Of the two incidents, the second one that occurred in June is the most interesting, from an incident response (IR) perspective.
Visa said it found three different strains of POS malware on the victim network — namely RtPOS, MMon (aka Kaptoxa), and PwnPOS.
The reason why the malware gang deployed three malware strains is unknown, but it could be that attackers wanted to make sure they get all the payment data from across different systems.
Visa, which also provides incident response services in financial crime-related breaches, said the intruders breached the hospitality firm’s network, “employed remote access tools and credential dumpers to gain initial access, move laterally, and deploy the malware in the POS environment.”
The payments processor wasn’t able to determine how the intruders breached the company’s network in the first place.
May hack: The entry point was a phishing email
They were, however, able to determine the entry point in the first hack, which occurred in May.
“Initial access to the merchant network was obtained through a phishing campaign that targeted employees at the merchant. Legitimate user accounts, including an administrator account, were compromised as part of this phishing attack and were used by the threat actors to login to the merchant’s environment. The actors then used legitimate administrative tools to access the cardholder data environment (CDE) within the merchant’s network.
“Once access to the CDE was established, the actors deployed a memory scraper to harvest track 1 and track 2 payment account data, and later used a batch script to mass deploy the malware across the merchant’s network to target various locations and their respective POS environments. The memory scraper harvested the payment card data and output the data into a log file. At the time of analysis, no network or exfiltration functions were present within the sample. Therefore, the actors would likely remove the output log file from the network using other means.”
The POS malware used in this incident was identified as a version of the TinyPOS strain.
The two recent attacks show that despite the recent rise and attention that web skimming (magecart) and ransomware incidents are getting in the media, cybercrime gangs have not abandoned targeting POS systems.
“The recent attacks exemplify threat actors’ continued interest in targeting merchant POS systems to harvest card present payment account data,” Visa said.