Threatwatch

Thieves suck $400,000 out of Southwest gas pumps

Credential-stealing malware; Payment device infection; Stolen credentials; User accounts compromised

Their hacking tools included a card skimmer and a fake PIN pad overlay designed to capture PINs from customers who paid at the pump with a debit card.

The two men indicted in July for ripping off gas pumps did so by renting a vehicle, checking into a local hotel and placing the devices on gas pumps at Murphy’s filling stations located in the parking lots of Arkansas and Oklahoma Wal-Mart retail stores.

They left the skimmer tools on for between one and two months, then collected the tools and used the stolen data to create counterfeit cards, visiting multiple ATMs throughout the region and withdrawing large amounts of cash.

Some of the card data pilfered in the scheme showed up in fraudulent transactions in Eastern Europe and Russia.

“Don’t get sucker pumped,” writes Brian Krebs. “As the Oklahoma case shows, gas pump skimmers have moved from analog, clunky things to the level of workmanship and attention to detail that is normally only seen in ATM skimmers.”

Pump scammers are turning to bluetooth-enabled devices that connect directly to the pump’s power source. “These skimmers can run indefinitely, and allow thieves to retrieve stolen card data wirelessly while waiting in their car at the pump.”

sector

Energy; Financial Services

reported

July 29, 2013

reported by

Krebs on Security

number affected

Unknown

location of breach

Oklahoma, Arkansas, United States

perpetrators

Criminals

location of perpetrators

Oklahoma, Arkansas, United States

date breach occurred

April 2012 to January 2013

date breach detected

Unknown