Visa Warns Hospitality Merchants of Nasty POS Malware Infection

• Visa unearthed two POS malware infections on North American hospitality service providers.
• The customers of the unnamed businesses had their card and payment details scraped on May and June 2020.
• The actors used a mix of malware strains, network infiltration methods, and manual log exfiltration.

Visa, the multinational payments processor and financial services provider, has discovered two widespread POS (point of sale) malware infections in North America, which affected two North American hospitality merchants. More specifically, the ‘Visa Payment Fraud Disruption’ team has analyzed malware samples from two independent infections. The first one involved the variant known as “TinyPos,” while the second used a mix of malicious strains like “RtPOS,” “Mmon,” and “PwnPOS.” The infections were just published via a relevant report, but they took place in May and June 2020.

Unfortunately, Visa hasn’t named the companies affected by this, so customers rely on the breached organizations’ responsibility to inform them. The actors behind these attacks haven’t been identified either, but their methods were recorded in detail. Visa describes a diligent procedure starting with a phishing campaign that targeted the employees of the target merchants. From there, the hackers compromised the stolen accounts and accessed the cardholder data environment (CDE) to deploy the malware.

The POS malware then scraped payment card data and kept the logs locally stored. The hackers manually exfiltrated these logs at a later time, avoiding any risks to raise security flags due to auto-exfiltration functions. Visa has an obscure picture of the actual details of these steps and the deployment of remote access tools and credential dumpers. They know this happened, but the specifics remain elusive.

POS malware is a very dangerous type of infection because the customers have no way to evaluate the potential risk and protect themselves. They just have to trust that the POS is clean and that no scrappers are running under the hood. As we have repeatedly discovered in the recent past, this is not always the case, and the possibility of having your payment data (cardholder name, credit card number, expiration date, and the CVV) compromised is always real.

Cashless payments are a standard and even preferable way to carry out financial transactions today. Still, if you have the option to use an electronic method, you should go for it instead.

As for merchants, Visa suggests the following security measures to be taken:

• Employ the IOCs contained in relevant reports
• Secure remote access with strong passwords
• Enable EMV technologies for secure in-person payments
• Provide each Admin user with their own user credentials
• Turn on heuristics (behavioral analysis) on anti-malware
• Monitor network traffic for suspicious connections
• Implement Network Segmentation
• Maintain a patch management program