The attacks used malware such as RtPOS, MMon, PwnPOS and TinyPOS.

Experts from the American company Visa reported that at the beginning of this year, the systems of two North American companies in the hospitality industry were hacked. During the attacks, criminals infected systems with malware for PoS terminals.

PoS malware infects Windows computers, searches for PoS applications, and then scans the device's memory for payment card data that is processed by PoS payment applications.

Visa did not disclose the names of the companies that were victims of the cyberattacks due to non-disclosure agreements related to the investigation of the incidents.

Based on the results of the investigation into the June attack, Visa discovered three different types of PoS malware on the victim's network: RtPOS, MMon (also known as Kaptoxa) and PwnPOS. The attackers compromised the hospitality company's network and "used remote access tools and credential reset utilities to gain initial access, roam the network, and deploy PoS malware."

Experts were unable to determine how the attackers penetrated the company’s network. However, they were able to determine the entry point in the first attack, which occurred in May.

“Initial access to the trading network was obtained through a phishing campaign targeting employees of the organization. User accounts, including an administrator account, were compromised as part of a phishing attack and used by attackers to log into the company's environment. Participants then used legitimate administrative tools to access the cardholder data environment (CDE) on the company network,” the experts explained.

Once they had access to the CDE, the criminals deployed memory scrapers to collect payment account data and then used a batch script to mass deploy the malware across the organization's network. The PoS malware used in this attack has been identified as a version of TinyPOS.
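
The memory scraping described above can be watched for from the defender's side. The following is an added example, not part of the Visa report or the original post: it filters Sysmon Event ID 10 (ProcessAccess) records for processes that open a PoS application with memory-read access. The PoS application path, the allowlist and the sample events are constructed assumptions.

```python
# Added example: flag unexpected processes that open a PoS payment application
# with memory-read access. Field names follow Sysmon Event ID 10 (ProcessAccess).

PROCESS_VM_READ = 0x0010  # Windows access right needed to read another process's memory

# Hypothetical PoS application and per-site allowlist (assumptions, not from the report).
POS_IMAGES = {r"c:\pos\paymentapp.exe"}
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\vendoragent\avscan.exe",
}

SAMPLE_EVENTS = [  # constructed sample records
    {"EventID": 10, "Computer": "POS-01", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\POS\PaymentApp.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "Computer": "POS-01", "SourceImage": r"C:\Users\Public\svch0st.exe",
     "TargetImage": r"C:\POS\PaymentApp.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "Computer": "POS-02", "SourceImage": r"C:\Windows\Temp\upd.exe",
     "TargetImage": r"C:\POS\PaymentApp.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "Computer": "POS-02", "SourceImage": r"C:\Windows\Temp\upd.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1410"},
    {"EventID": 1, "Computer": "POS-02", "SourceImage": "", "TargetImage": "",
     "GrantedAccess": ""},
]

def suspicious_pos_reads(events):
    """Return (computer, source_image) for unexpected memory-read handles on PoS processes."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue  # only ProcessAccess events are relevant here
        target = ev.get("TargetImage", "").lower()
        source = ev.get("SourceImage", "").lower()
        try:
            access = int(ev.get("GrantedAccess", "0"), 16)
        except ValueError:
            continue  # malformed access mask: skip rather than crash the pipeline
        # Alert only when the target is a PoS process, the handle permits memory
        # reads, and the requesting process is not on the allowlist.
        if target in POS_IMAGES and access & PROCESS_VM_READ and source not in ALLOWED_SOURCES:
            hits.append((ev.get("Computer"), source))
    return hits

if __name__ == "__main__":
    for computer, source in suspicious_pos_reads(SAMPLE_EVENTS):
        print(f"ALERT {computer}: {source} opened PoS process with PROCESS_VM_READ")
```

The allowlist has to be built per environment, since security agents and some system processes legitimately open handles with read access.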