Criminal hacking group FIN8, known for a flurry of
attacks in 2017 followed by a period of silence in 2018 until re-emerging
earlier this year, has recently carried out three attacks against point-of-sale
(POS) systems, including two against North American fuel dispenser merchants, Visa
Payment Fraud Disruption said.
Visa said the attacks on fuel dispenser merchants aimed to steal credit card data directly from the POS systems. As is usually the case, the hackers' success was due to a mix of human error and missing security controls.
To steal credit card data, hackers need to go through a
number of steps. In the FIN8 attack, it started with an employee opening a
phishing email, which installed a Remote Access Trojan (RAT) on the merchant
network and granted the threat actors network access.
“The actors then conducted reconnaissance of the
corporate network, and obtained and utilized credentials to move laterally into
the POS environment,” reads
the Visa Payment Fraud Disruption report.
“There was also a lack of network segmentation between
the Cardholder Data Environment (CDE) and corporate network, which enabled
lateral movement. Once the POS environment was successfully accessed, a Random
Access Memory (RAM) scraper was deployed on the POS system to harvest payment
card data.”
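The quoted finding about missing segmentation between the corporate network and the CDE is the kind of gap a defender can check for in firewall or flow logs: any connection from a corporate host into the CDE that the network design does not explicitly permit is a segmentation failure and a possible sign of lateral movement. The script below is an added illustration, not code from the Visa report; the zone CIDRs, the allowlist entry (a hypothetical jump host on port 8443) and the flow log lines are all constructed for the example.

```python
import ipaddress

# Constructed network zones; a real deployment takes these from the
# merchant's own network design.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "cde": ipaddress.ip_network("10.200.0.0/24"),
}

# Constructed allowlist: the only corporate-to-CDE flow the design permits,
# here a hypothetical jump host reaching the POS management service.
ALLOWED_CORP_TO_CDE = {("10.10.5.20", 8443)}

# Constructed flow log lines in a simple key=value format.
SAMPLE_FLOWS = """\
2019-12-10T03:14:02Z src=10.10.34.71 dst=10.200.0.15 dport=445 proto=tcp action=allow
2019-12-10T03:14:05Z src=10.10.34.71 dst=10.200.0.16 dport=3389 proto=tcp action=allow
2019-12-10T03:15:10Z src=10.10.5.20 dst=10.200.0.10 dport=8443 proto=tcp action=allow
2019-12-10T03:16:00Z src=10.200.0.15 dst=10.200.0.16 dport=445 proto=tcp action=allow
2019-12-10T03:17:44Z src=10.10.34.71 dst=10.10.8.9 dport=443 proto=tcp action=allow
"""


def zone_of(ip):
    """Return the zone name an address belongs to, or 'other'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "other"


def parse_flow(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    return {
        "ts": tokens[0],
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "action": fields["action"],
    }


def find_segmentation_violations(log_text):
    """Return allowed corporate-to-CDE flows that are not on the allowlist.

    Denied flows are skipped: a firewall that blocked the attempt is doing
    its job, and the point here is to find paths that actually crossed.
    """
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["action"] != "allow":
            continue
        if zone_of(flow["src"]) == "corporate" and zone_of(flow["dst"]) == "cde":
            if (flow["src"], flow["dport"]) not in ALLOWED_CORP_TO_CDE:
                violations.append(flow)
    return violations


def summarize_by_source(violations):
    """Group offending destination ports by corporate source host."""
    summary = {}
    for flow in violations:
        summary.setdefault(flow["src"], []).append(flow["dport"])
    return summary


if __name__ == "__main__":
    for src, ports in summarize_by_source(
        find_segmentation_violations(SAMPLE_FLOWS)
    ).items():
        print(f"corporate host {src} reached the CDE on ports {sorted(ports)}")
```

In the constructed sample, one corporate workstation reaches POS hosts on SMB and RDP ports, exactly the kind of path that should be blocked at the zone boundary; the jump host's flow and the intra-CDE flow are accepted. Run against real logs, the same check doubles as a detection for the lateral movement stage described above and as an audit of whether the segmentation actually holds.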
A RAM scraper is malware that reads payment card data out of the memory of the POS software, where the data briefly sits unencrypted while a transaction is processed. Depending on how it is built, it can also act as a keylogger and send the harvested data straight to the hackers.
A third attack, against the network of a North American hospitality merchant, was also attributed to FIN8, which is known for spearphishing campaigns against the restaurant, hotel and hospitality sectors. This attack reused most of the same techniques and added a new shellcode backdoor based on the RM3 variant of the Ursnif (aka Gozi/Gozi-ISFB) modular banking malware.
Besides the inadequate employee training that led to one employee falling for a phishing email, the attacks succeeded because the merchants lacked secure acceptance technology (e.g. EMV Chip, Point-to-Point Encryption, Tokenization) and did not comply with PCI DSS.
Visa urges any merchant that uses POS systems to secure its networks, to install and keep its security solutions updated, and, most importantly, to stay alert to phishing emails.