Visa Warns Hospitality Merchants of Nasty POS Malware Infection

Last updated June 23, 2021
Written by:
Bill Toulas
Cybersecurity Journalist

Visa, the multinational payments processor and financial services provider, has discovered two widespread POS (point of sale) malware infections that affected two North American hospitality merchants. More specifically, the ‘Visa Payment Fraud Disruption’ team has analyzed malware samples from two independent infections. The first one involved the variant known as “TinyPos,” while the second used a mix of malicious strains such as “RtPOS,” “Mmon,” and “PwnPOS.” The infections took place in May and June 2020, but they were only just published in a report.

Unfortunately, Visa hasn’t named the affected companies, so customers have to rely on the breached organizations to inform them. The actors behind these attacks haven’t been identified either, but their methods were recorded in detail. Visa describes a diligent procedure starting with a phishing campaign that targeted the merchants’ employees. From there, the hackers used the compromised accounts to access the cardholder data environment (CDE) and deploy the malware.

The POS malware then scraped payment card data and stored the logs locally. The hackers manually exfiltrated these logs at a later time, avoiding the risk of raising security flags that automatic exfiltration functions would carry. Visa has only an unclear picture of the details of these steps and of the deployment of remote access tools and credential dumpers. They know this happened, but the specifics remain elusive.
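Because the scraped data sat in local logs until it was collected, a defender can hunt for it by scanning files on POS hosts for magnetic-stripe track data. The following is an added example, not taken from Visa's report or this article: the patterns follow the standard Track 1/Track 2 layouts, the function names are hypothetical, and the sample log is constructed around a well-known test card number.

```python
import re
import sys

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code>...
TRACK1 = re.compile(rb"%?B(\d{13,19})\^[^^\r\n]{2,26}\^(\d{4})\d{3}")
# Track 2: ;<PAN>=<YYMM><service code>...
TRACK2 = re.compile(rb";?(\d{13,19})=(\d{4})\d{3}")

def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum: filters out most random digit runs."""
    total = 0
    for i, c in enumerate(reversed(pan)):
        d = c - 48                      # ASCII digit -> int
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: bytes) -> str:
    """Keep first 6 / last 4 digits so findings do not leak card numbers."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]

def scan(blob: bytes):
    """Return (track, offset, masked PAN) for each plausible track record."""
    hits = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(blob):
            pan, yymm = m.group(1), m.group(2)
            # Expiry month must be 01-12 and the PAN must pass Luhn.
            if 1 <= int(yymm[2:]) <= 12 and luhn_ok(pan):
                hits.append((kind, m.start(), mask(pan)))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample log; 4111111111111111 is a test card number.
SAMPLE = (b"2020-05-14 12:01:07 heartbeat ok\n"
          b"%B4111111111111111^DOE/JANE^25121010000000000?\n"
          b";4111111111111111=25121010000000000?\n"
          b"order 1234567890123456=99991010 not a card\n")

if __name__ == "__main__":
    # Usage: python scan_tracks.py <file> [<file> ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for kind, off, pan in scan(fh.read()):
                print(f"{path}: {kind} at byte {off}: {pan}")
    if len(sys.argv) == 1:
        print(scan(SAMPLE))
```

Any hit outside the payment application's own encrypted storage is worth investigating, since cleartext track data has no legitimate reason to be written to disk on a POS host.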

POS malware is a very dangerous type of infection because customers have no way to evaluate the potential risk and protect themselves. They just have to trust that the POS is clean and that no scrapers are running under the hood. As we have repeatedly discovered in the recent past, this is not always the case, and the possibility of having your payment data (cardholder name, credit card number, expiration date, and the CVV) compromised is always real.

Cashless payments are a standard and even preferable way to carry out financial transactions today. Still, if you have the option to use an electronic method, you should go for it instead.

As for merchants, Visa suggests the following security measures to be taken:


