Case Study – Spearphishing Compromises Fuel Chain Credit Card Transactions, Ends in Ransomware Cyber

or to bookmark this page

Click here to bookmark this page

Click here to remove bookmark

Case Study – Spearphishing Compromises Fuel Chain Credit Card Transactions, Ends in Ransomware

Case Study| Spearphishing Compromises Fuel Chain Credit Card Transactions, Ends in Ransomware

Credit card attacks typically target point of sale (PoS) terminals at retail locations such as stores, restaurants and hotels. In the early stages of the COVID-19 pandemic, in-person retail activity greatly diminished, forcing criminals to seek other targets and to virtualize their operations. Gas stations are unique in that they remained a viable target during lockdown, and one cybercrime group took advantage of this to target a regional fuel chain through phishing rather than the traditional physical skimming device.

This incident was a multi-stage and well-executed attack. From a single point of entry, the attackers were able to compromise gas stations across the region via the network for their in-store coffee shops. From there, malware was installed on fuel controllers, enabling large-scale theft of payment card data.

PCI Forensic Investigation (PFI) Request

A PCI Forensic Investigation is intended to determine the occurrence, scope and potential causes of a potential breach of cardholder data protected under PCI DSS. A PFI can only be carried out by a certified PCI Forensic Investigator accredited by the PCI Council.

Case Study| Spearphishing Compromises Fuel Chain Credit Card Transactions, Ends in Ransomware

In this case, the PFI was inspired by a common purchase point (CPP) investigation. Analysis of a collection of credit cards used in fraud can determine if multiple cards were used at the same location at approximately the same time. If so, it is likely that the criminals gained access to the card information via a breach at that common point where the cards were used.
The evidence of a potential breach of cardholder data at the client’s gas stations led them to request Kroll investigators to perform a PFI. The investigation's objective was to determine if the fraudulent transactions associated with cards used at the gas station indicated a breach of the client’s systems.

The main challenge of a PFI is identifying whether the fraud is associated with a compromise in the client’s network. A thorough investigation is required to either reject the explanation that a breach occurred or to identify all potential intrusions within the client’s network and systems.

Endpoint Monitoring Across Fuel Controllers

Kroll used endpoint monitoring solutions to pull event logs from all of the fuel controllers within the customer environment. This enabled them to perform cross-correlation of event data across these controllers and search for evidence of potentially suspicious or malicious activity.

Investigation of the event logs led to the discovery of an encoded PowerShell program installed on each of the fuel controllers. Decoding the PowerShell revealed that the malware was making outbound connections to IP addresses located in Asia over port 443.

Reverse Engineering Malware

After identifying the malicious code, Kroll investigators executed it in a sandboxed environment.  While it was running, the PowerShell created an output file that contained encrypted data.

Analysis of the PowerShell program enabled Kroll analysts to identify the encryption key used to create the output file and to decrypt its contents. The decrypted output file contained magnetic strip data pulled from credit cards that were used for payments at the infected fuel controllers.

Identifying the Root Cause – Spearphishing

After identifying the malware in question, the Kroll analysts were able to track the source of the attack back to the initial infection vector.

Case Study| Spearphishing Compromises Fuel Chain Credit Card Transactions, Ends in Ransomware

A spearphishing attack was the initial entry point into the gas station’s network. The email targeted the military recruiter within the gas stations’ HR departments and pretended to be looking for a position for a veteran.  When the HR employee clicked on the email, a backdoor was opened on their system.

Once the attackers had access to the HR employee’s computer, they moved laterally through the gas station network to a system in the on-site coffee shop. From there, it was possible to access other stores’ coffee shop computers and drop the encoded PowerShell malware on fuel controllers across the region.

Ending with a Ransomware Bang

Based upon analysis of the malware and infection chain, remediation began in mid-May 2020.  However, the attackers retained some access to the infected systems and detected the ongoing remediation efforts by May 31.

Realizing that they had been detected and that their malware was being removed from infected systems, the cybercriminals abandoned their attempt to continue stealing card data from gas station customers. In a last-ditch effort to continue monetizing their access, the attackers deployed ransomware on the devices they still had access to.

This decision to pivot from carding to ransomware demonstrates the evolution of the cyber threat landscape. Only a few years ago, attacks were largely siloed with a group performing a BEC attack or a credit card breach or intellectual property theft. Today, when one attack is detected and remediated, cybercriminals adapt and attempt to maximize the impact and value of their access.

Following the investigation, the client elected to keep Kroll’s endpoint protection technology installed on their systems. This ensures that their endpoints are monitored 24x7 for suspicious behaviors and can help to prevent similar attacks from occurring in the future.

This case study was extracted from the webinar COVID-19 and the Surge in Retail Threats, which also includes an overview of the PCI environment along with two additional case studies.

Other Areas We Can Help

Cyber Risk

Cyber Risk

Global, end-to-end cyber risk solutions.

Cyber Risk
Incident Response and Litigation Support

Payment Card Industry Services

Services including audits, incident management, and proactive solutions to strengthen cyber defenses.

Payment Card Industry Services
Canadian Data Breach | Cyber Risk | Kroll

Cyber Risk Assessments

Delivering actionable recommendations using the best technology and expertise available.

Cyber Risk Assessments
Incident Response and Litigation Support

PHI and PII Identification

Providing specific guidance to clients and their legal counsel in case of PII/PHI data breaches.

PHI and PII Identification
System Assessments and Testing

Cyber Vulnerability Assessment

Services using cutting-edge tools to help clients map a prioritized path to increased cyber security.

Cyber Vulnerability Assessment

Insights

Compliance

AMF and CSSF Regulatory Update – Third Quarter 2021

Compliance
Cyber

KAPE Quarterly Update – Q3 2021

Cyber
Cyber

Tracking Exchange Online Powershell Access Into Microsoft 365 Environments

Cyber
Cyber

Key Takeaways From the NIST Ransomware Risk Management Profile

Cyber