Inside Arizona’s Pump Skimmer Scourge

Crooks who deploy skimming devices made to steal payment card details from fuel station pumps don’t just target filling stations at random: They tend to focus on those that neglect to deploy various tools designed to minimize such scams, including security cameras, non-standard pump locks and tamper-proof security tape. But don’t take my word for it: Here’s a look at fuel station compromises in 2016 as documented by the state of Arizona, which has seen a dramatic spike in fuel skimming attacks over the past year.

KrebsOnSecurity examined nearly nine months worth of pump skimming incidents in Arizona, where officials say they’ve documented more skimming attacks in the month of August 2016 alone than in all of 2015 combined.

With each incident, the Arizona Department of Agriculture’s Weights and Measures Services Division files a report detailing whether victim fuel station owners had observed industry best practices leading up to the hacks. As we can see from the interactive story map KrebsOnSecurity created below, the vast majority of compromised filling stations failed to deploy security cameras, and/or tamper-evident seals on the pumps.

Fewer still had changed the factory-default locks on their pumps, meaning thieves armed with a handful of master keys were free to unlock the pumps and install skimming devices at will.

These security report cards for fuel station owners aren’t complete assessments by any means. Some contain scant details about the above-mentioned precautionary measures, while other reports painstakingly document such information — complete with multiple photos of the skimming devices. Regardless, the data available show a clear trend of fraudsters targeting owners and operators that flout basic security best practices.

Indeed, the data assembled here suggests that skimmer thieves favor off-brand filling stations and target pumps furthest from the station/closest to the street. Also, all but three of the 35 incidents included in this report targeted fuel dispensers made by one manufacturer: Gilbarco — probably because the skimmer thieves responsible were armed with a master key for Gilbarco pumps.

In only one documented skimming incident did the station owner report having used non-standard pump locks. In some cases, the same filling station was hit with separate skimming attacks just a few months apart.

A portion of the incident report for the Bluetooth skimmers found at a gas station in Phoenix on Sept. 6, 2016

Investigators also appear to be increasingly finding pump skimmers that employ Bluetooth wireless technology. Bluetooth-based skimmers allow thieves to collect stolen card data merely by pulling up to a pump and downloading it with a Bluetooth-enabled laptop or mobile device (as opposed to taking the risk of re-opening the pumps to retrieve the siphoned card data).

A review of the locations of the skimmed stations suggests that skimmer scammers prefer poorly secured stations that are quite close to a major highway, no doubt so that they get away from the station relatively quickly after the skimmers are planted. It’s unclear whether the skimming attacks documented here are the work of one or multiple scammers or gangs, but the activity pretty clearly shows a focus on stations directly off the main arteries from Phoenix on down to Tuscon.


In some of the images in the slideshow above, it may be difficult to readily tell among the jumble of wires which bit is the skimmer. When in doubt, look for an area wrapped in black or grey colored electrical tape, which seems to be found in nearly all of these pump skimming attacks.

Arizona is almost certainly a microcosm of pump skimming activity going on nationally. Last year, KrebsOnSecurity ran an in-depth piece profiling a U.S. Secret Service task force that’s been battling a surge in pump skimming scams perpetrated by organized crime gangs in and around Los Angeles. Other stories on pump skimmers can be found in this search link.

Consumers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the phony transactions. There is no substitute for keeping a close eye on your card statements. Also, use credit cards instead of debit cards at the pump; having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

I realize that the project above — made with the free StoryMap tool from Northwestern University’s Knight Lab — may be difficult to view comfortably within the confines of this blog. Here’s a direct link to the full map and timeline.

Tags: , , , , , , ,


Odin File Virus Ransomware Is Here!

Do you remember the .Zepto Ransomware? Of course, you do. Well, you can more or less put it in the rear-view mirror. However, there is very little in the way of actual reasons for celebration. A new threat is on the rise! It’s been tentatively called .Odin File Virus. It changes your files’ extensions to match the name of the one-eyed god from the Norse Mythology.The first reports regarding the .Odin File Virus started appearing on 26 September, and early signs point to the ransomware affecting mostly U.S. users. Unfortunately, there is very little doubt that the virus is going to spread like a wildfire in an old forest, if not already.Just like the .Zepto File Virus before it, this is the newest variant of the infamous and rather sinister Locky Ransomware. Again, the main distribution form is through contaminated spam e-mails. Be especially on the lookout for any WS and JS attachments.If you are one of the unlucky ones to execute such a script, then the process that follows is more or less the same and there is very little you can do to prevent it from happening from that point onwards.In such a scenario, a DLL installer is downloaded and executed using the perfectly legitimate Windows process called Rundll32.exe. Once inside your device, the .Odin Virus starts encrypting your most often used files. An interesting point of observation is that the whole file name of an encrypted file is changed and not just the .odin extension. A seemingly random string of numbers and letters appears instead of your regular files’ names, with the aforementioned .odin at the back.Another important novelty is that the ransom “demands” are now being stored in files titled “_HOWDO_text.html” and “_HOWDO_text.bmp” instead of the “_HELP_instructions.html” file that was a part of the .Zepto contamination. Apparently, you will be again asked for 0.5 Bitcoins unless you are a big business or a large organization. In that case, the demanded ransom is substantially larger.I feel it is important that you refrain from paying any ransom as this would only encourage the ransomware creators into making more and more variations of these extremely malicious programs. Instead look for alternatives to bring back your files. And don’t forget – prevention is key in the fight against computer viruses.  Be always alert when opening new e-mails and make sure to check our security tips regularly! 

daniel sadakov

About the Author: Daniel Sadakov has a degree in Information Technology and specializes in web and mobile cyber security. He harbors a strong detestation for anything and everything malicious and has committed his resources and time to battling all manners of web and mobile threats. He has founded MobileSecurityZone.com, a website dedicated to covering the top tech stories and providing useful tips for the everyday user, in an effort to reach and help more people.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.