On December 19, 2019, Wawa, a retail giant on the East Coast of the US, announced a data breach at its stores. The company believed that the breach was the result of an infection with point of sale (POS) malware. This is the same malware that led Visa to warn that fuel stations throughout North America, along with the pumps and devices attached to them, were being targeted by cybercriminal organizations.
POS malware is specifically designed to steal credit and debit card details from the point of sale devices that process card payments. Card data is encrypted on the payment device before it is sent to the bank network for approval. Because that encryption happens inside the device's RAM, the malware can scrape the memory and steal the card details. The attackers' command and control server then connects to the device and receives the information.
Returning to the Wawa incident, the malware was installed on the network on March 4, was discovered on December 10, and was removed within 2 days of its discovery. In its press release, the company stated:
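The exposure described above can be checked from the defender's side. The following is an added example, not part of the original article: it audits a memory dump or log captured from a payment system for cleartext magnetic-stripe track data and reports masked findings. The function names and the sample dump are constructed for illustration, and the track layouts are assumed to follow ISO/IEC 7813.

```python
import re

# Track layouts per ISO/IEC 7813 (assumed): %B PAN ^ NAME ^ YYMM ... / ;PAN=YYMM svc ... ?
TRACK1 = re.compile(rb"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})\d{3}\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: discards digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits in the report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_tracks(buf: bytes):
    """Return sorted findings: (offset, track type, masked PAN, expiry YYMM)."""
    findings = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                findings.append((m.start(), kind, mask(pan), m.group(2).decode()))
    return sorted(findings)


# Constructed sample: the well-known test PAN 4111111111111111 in a fake dump
SAMPLE_DUMP = (
    b"\x00\x17heap\x00%B4111111111111111^DOE/JANE^25121010000000000?\x00"
    b"\xff;4111111111111111=25121010000000000?\x00"
    b"noise;1234567890123456=25121010000?\x00"  # fails Luhn, ignored
)

if __name__ == "__main__":
    for off, kind, pan, exp in find_cleartext_tracks(SAMPLE_DUMP):
        print(f"offset {off}: {kind} PAN {pan} exp {exp}")
```

Any finding means card data was present unencrypted at the point the buffer was captured, which is the window this kind of malware depends on.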
“Based on our investigation to date, we understand that at different points in time after March 4, 2019, [the] malware began running on in-store payment processing systems at potentially all Wawa locations…Although the dates may vary and some Wawa locations may not have been affected at all, this malware was present on most store systems by approximately April 22, 2019”
The company also claimed that the malware did not collect debit card PIN numbers, credit card CVV2 numbers, or the driver’s license information used to verify age-restricted purchases. The malware was configured to collect only payment data that passed through the company’s in-store point of sale systems, such as credit and debit card numbers, expiration dates and cardholder names.
Card details published online
On January 27 of this year, unknown hackers put the card details of over 30 million individuals up on Joker’s Stash, a card fraud forum. The card details have been advertised under the name “BIGBADABOOM-III” and are selling at 17 USD per card.
Gemini Advisory subsequently published an article on this card dump, noting that:
“The Wawa breach aligns with Joker’s Stash’s tactic of adding records stolen from large merchants in publicly disclosed major breaches only after the breach is announced. Based on Gemini’s analysis, the initial set of bases linked to “BIGBADABOOM-III” consisted of nearly 100,000 records. While the majority of those records were from US banks and were linked to US-based cardholders, some records also linked to cardholders from Latin America, Europe, and several Asian countries. Non-US-based cardholders likely fell victim to this breach when traveling to the United States and transacting with Wawa gas stations during the period of exposure.”
“Notably, major breaches of this type often have low demand on the dark web. This may be due to the breached merchant’s public statement or to security researchers’ quick identification of the point of compromise. However, JokerStash uses the media coverage of major breaches such as these to bolster the credibility of their shop and their position as the most notorious vendor of compromised payment cards.”
A day after that, Wawa released a press statement advising customers to remain vigilant and to inform their financial institutions of any fraudulent or suspicious transactions, and reminding them that it will provide free credit monitoring and identity theft protection to customers who believe that they may have been affected by the breach.