Wawa Stores: POS Malware Attack Undetected for 8 MonthsConvenience Store Chain Says Payment Card Data Exposed
The Wawa convenience store chain is investigating why malware planted on point-of-sale devices at nearly all of its over 850 locations throughout the East Coast went undetected for nearly eight months.
The scale of the security incident at Wawa is not yet clear, but the company says that the unknown strain of malware appears have to have harvested payment card information, including credit and debit card numbers, expiration dates, and cardholder names used at potentially all in-store point-of-sale terminals and fuel dispensers.
It does not appears that debit card PINs or credit verification values (CVV) numbers were exposed. In-store ATMS were not affected.
"If you did not use a payment card at a Wawa in-store payment terminal or fuel dispenser during the relevant time frame, your information was not affected by this malware," according to the company's statement. "At this time, we are not aware of any unauthorized use of any payment card information as a result of this incident."
The company, along with law enforcement and an outside security forensic team, is investigating the incident. Wawa is offering prepaid credit monitoring services for customers who may have been affected by the breach.
Wawa is a regional chain with over 850 convenience stores with 600 fuel stations, located in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida and Washington, D.C, according to the company's website.
The malware apparently first appeared March 4 and then spread to most of the company's point-of-sale machines by April 22, the company says in its statement.
Wawa's security team first detected the point-of-sale malware on Dec. 10 and then blocked and contained it by Dec. 12, the company announced Thursday.
Writing on Twitter, Jake Williams, a cybersecurity consultant and the head of Augusta, Georgia-based Rendition InfoSec, noted that although the malware went undetected for a long time, the company's incident response team deserved credit for responding quickly once the issue was finally discovered.
The malware targeting payment card data was installed March 4th. It was detected December 10th and contained two days later, per Wawa.— Jake Williams (@MalwareJake) December 20, 2019
Nine months is a heck of a dwell time for PoS in 2019, but they have a very challenging monitoring environment. 1/3https://t.co/hA3Y21ulHc
Sam Rubin, vice president at Crypsis Group, a Virginia-based incident response and forensics group, tells Information Security Media Group that these types of point-of-sale attacks are increasingly difficult to combat.
"The skill and determination brought to bear in this type of attack is what makes them so hard to prevent," Rubin says. "The attackers were not only able to penetrate Wawa's networks, they were also able to move laterally across hundreds of stores to identify payment card systems, obtain access credentials, and exfiltrate data. They did all of this while staying undetected for many months."
Credit Card Skimming
The security incident at Wawa follows a warning Visa issued earlier this month that several sophisticated cybercriminal gangs have started to target "fuel dispenser merchants" by infiltrating their corporate networks and stealing customer data sent from fuel pumps (see: Visa: Gas Station Networks Targeted to Steal Card Data).
In two incidents, Visa analysts found attackers planted malware within merchants' corporate networks. The attackers moved laterally through the networks and targeted internet-connected point-of-sale machines at gas pumps to scrape unencrypted credit and debit card data, the alert notes.
In another development, a number of restaurants have reported that malware has appeared on point-of-sale machines.
In November, for example, an unidentified strain of malware designed to harvest payment card data apparently infected point-of-sale devices at certain New York restaurants owned by the chain Catch (see: Restaurant Chain: Malware Infected PoS Devices).
Data for Sale
Stolen payment card data often is offered for sale on underground dark net sites.
Earlier this month, security firm Group-IB found that the Joker's Stash marketplace had recently listed a large trove of personally identifiable information for sale, including a massive quantity of stolen payment cards issued by Turkish banks (see: Joker's Stash Celebrates Turkey Day With Stolen Card Data).
In the case of Wawa, Alex Guirakhoo, a strategy and research analyst at security firm Digital Shadows, tells ISMG that even though the attackers did not get PINs or CVV numbers, the data that they did collect is worth a good deal on these darknet sites.
"On cybercriminal marketplaces and automated vending carts, the inclusion of PINs and CVV [numbers] can increase the value of financial information," Guirakhoo says. "However, card numbers, expiration dates, and cardholder names are still highly valued and widely traded by cybercriminals. These can be used to facilitate a range of fraudulent activities."