VISA Warns of POS Malware Campaigns in North America

Silviu STAHIE

October 07, 2020

Visa Payment Fraud Disruption (PFD) has warned of a malware campaign targeting point-of-sale (POS) terminals, as cybercriminals have a clear strategy to steal card data.

Credit card data sells at a premium on the dark web, and stealing it straight from POS devices is the shortest route for criminals. Less sophisticated attacks, such as phishing, take longer to pay off. On the other hand, compromising POS devices is more difficult, requires technical knowledge, and depends on tooling that's not widely available.

Attackers targeted two companies in North America. A successful phishing campaign allowed criminals to log in using legitimate user accounts, including an administrator account. With those credentials, the bad actors used administrative tools to access the cardholder data environment (CDE) within the merchant's network.

“Once access to the CDE was established, the actors deployed a memory scraper to harvest track 1 and track 2 payment account data, and later used a batch script to mass deploy the malware across the merchant's network to target various locations and their respective POS environments,” notes VISA in the advisory.

“The memory scraper harvested the payment card data and output the data into a log file. At the time of analysis, no network or exfiltration functions were present within the sample. Therefore, the actors would likely remove the output log file from the network using other means.”

The second attack, on a different merchant, was more sophisticated, as the criminals used the malware variants RtPOS, MMon (aka Kaptoxa) and PwnPOS. According to VISA, much less is known about the method employed in this attack, because the company could not recover the malware used.

VISA also published the indicators of compromise for each incident and a list of best practices:

• Employ the IOCs contained in the report to detect, remediate and prevent attacks using the POS malware variant.

• Secure remote access with strong passwords, ensure only the necessary individuals have permission for remote access, disable remote access when not needed, and use two-factor authentication for remote sessions.

• Enable EMV technologies for secure in-person payments (chip, contactless, mobile and QR code).

• Provide each admin user with individual credentials. User accounts should also only be provided with the permissions vital to the job responsibilities.

• Turn on heuristics (behavioral analysis) on anti-malware to search for suspicious behavior, and update anti-malware applications.

• Monitor network traffic for suspicious connections and log system and network events.

• Implement network segmentation, where possible, to prevent the spread of malicious software and limit an attacker's foothold.

• Maintain a patch management program.
