UPDATED 21:44 EDT / DECEMBER 15 2019

Visa warns cybercrime gangs are targeting gas stations with malware

Visa Inc. is warning that gas stations and gas pumps in the U.S. are being targeted by point-of-sale malware designed to steal credit card credentials.

The targeting of gas stations was first detected in the summer when the Visa Payment Fraud Disruption team identified several attacks likely carried out by sophisticated cybercrime groups. The attacks specifically targeted POS systems belonging to what Visa describes as fuel dispenser merchants.

In the first incident, the attackers compromised a merchant through a phishing email, sent to an employee, that contained a malicious link. The employee clicked the link, which installed a remote access trojan that gave the attackers access to the targeted network. From there, the threat actors gained access to the company’s POS network, where they deployed a scraper to harvest payment card data.

The second incident was similar. Although the company was unable to identify how the threat actors gained access to the fuel dispenser, the outcome was the same: Scraper software was installed to steal card data. These cases were not the first, either: Visa issued a similar warning relating to two other cases in an alert published in November.

Visa noted that what differentiates these attacks from the simple installation of skimming devices at fuel pumps is that they all involve threat actors gaining access to the merchant’s internal network. In all cases, the malware can only steal card data from payments made using magnetic stripe cards. “Fuel dispenser merchants should take note of this activity and deploy devices that support chip wherever possible as this will significantly lower the likelihood of these attacks,” the Visa Security Alert reads.

Craig Young, computer security researcher for cybersecurity firm Tripwire Inc.’s vulnerability and exposure research team, told SiliconANGLE that despite more secure systems such as EMV contact cards and tokenized mobile tap-to-pay systems having been available for several years, most U.S.-issued credit cards still come equipped with a magnetic stripe that can be skimmed.

“The U.S. payment card infrastructure has completely failed to maintain pace with the rest of the world,” Young added. “While the rest of the world has been on chip and pin for quite a while, our relatively recent adoption of EMV contact cards is using the inherently less secure chip and sign model and an unfortunate number of businesses still rely on the legacy magnetic stripe.”

The era of magnetic stripe cards may be coming to an end, however. According to ZDNet, fuel dispenser merchants have until October 2020 to deploy chip-and-PIN compatible card readers at gas pumps if they wish to avoid liability for fraudulent transactions. After that date, Visa said, liability for any card fraud would rest with the merchants themselves, motivating operators to update their POS systems.

Photo: Tysto/Wikimedia Commons
