Cyber Incident Victim: Verifone
Date: Jun 2016
Location: United States of America
Summary
A cybersecurity breach at Verifone compromised its corporate network for several months, with attackers targeting a customer support unit that handled payment solutions for gas stations. The intrusion, attributed to a Russian hacking group that used phishing emails carrying malicious macros, sought access to point-of-sale systems but did not affect the payment services network. The company responded by mandating password resets, restricting software installations, and initiating forensic investigations. The attackers exploited vulnerabilities in fuel station terminals, where security upgrades to chip-based card readers had been delayed, leaving them susceptible to fraud. This incident shared similarities with previous attacks on payment providers, including the Oracle MICROS breach, highlighting persistent threats to payment infrastructure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In January 2017, Verifone detected evidence of a cyber intrusion into its corporate network, prompting an internal investigation. The company issued an urgent directive on January 23, 2017, requiring all employees and contractors to reset passwords within 24 hours and restricting software installation privileges on company devices. Sources indicated that Visa and Mastercard had notified Verifone of the breach days earlier, with forensic evidence suggesting attackers had been inside the network since mid-2016. The intrusion primarily affected a customer support unit in Clearwater, Florida, which managed payment systems for U.S. gas stations, including pay-at-the-pump terminals, in-store registers, loyalty programs, and remote technical support. Verifone engaged U.K.-based forensics firm Foregenix to investigate but maintained that the breach did not compromise its payment services network. Post-investigation updates narrowed the impact to controllers at approximately two dozen gas stations over a limited timeframe, and the company stated that the potential for misuse of any exposed information had been contained by its immediate response measures.

The attackers, identified as a Russian cybercrime group with ties to the 2016 Oracle MICROS breach, employed phishing tactics involving malicious Microsoft Office documents containing macros. These documents mimicked legitimate business inquiries and often targeted the hospitality and payment sectors. The group's infrastructure and tools overlapped with those used in the MICROS attack, where compromised support portals enabled credential theft. At Verifone, the breach exposed weaknesses in corporate network segmentation and endpoint policy, particularly the pre-incident practice of allowing employees to install software without restriction. Analysts noted the attackers likely sought point-of-sale system access, including software designs, source code, or signing keys, any of which could facilitate backdoors for card data theft. The roughly six months the attackers went undetected highlighted the security challenges involved, compounded by the gas station industry's delayed adoption of chip-card technology, which extended fraud risk at vulnerable terminals until 2020 under revised card association deadlines.
