Gas pump malware tricks customers into paying for more than they pump

Malware-infected gas pumps display the false data, and customers end up with up to 7% less gas than they paid for

Russian authorities have uncovered a massive fraud ring that installed malicious software at gas pumps, making customers think they were getting more fuel than they were. In fact they were pumping up to 7% less than they were being charged for, according to Russian news source Rosbalt.
On Saturday, the Russian Federal Security Service (FSB) arrested the alleged mastermind, Denis Zaev (alternatively identified as Denis Zayev by various outlets), in Stavropol, Russia, on charges that he created several software programs designed to swindle gas customers.
An unidentified source in law enforcement told Rosbalt that this is one of the largest such frauds detected by the FSB. The malware was discovered at dozens of gas stations, where customers were getting ripped off without noticing a thing:

A giant scam covered almost the entire south of Russia, [where the malware was] found in dozens of gas stations in the Stavropol Territory, Adygea, Krasnodar Territory, Kalmykia, a number of republics of the North Caucasus, etc. A whole network was built to steal fuel from ordinary citizens.

The source said that Zaev is believed to have developed and created several of these programs. It was a unique product, the source said: the malware couldn’t be detected, be it by oil company control services that continually inspect filling stations or by employees of the Ministry of Internal Affairs.

At any rate, the FSB reportedly said that after creating his “perfect” malware, Zayev/Zaev began to offer it to employees of gas stations. Sometimes he played the part of software salesman. Sometimes he would also dip into the stolen funds to take his own share.
His alleged profits were worth hundreds of millions of rubles. One million rubles is worth about USD $17,700.
The malware caused the gas pumps, cash registers and back-end systems to display false data. It was also able to cover its tracks.
It worked like so: every morning, employees would come up with a pretext to leave one of a station’s reservoirs empty – for example, under the pretense of cleaning. When a customer bought gas, the program automatically shortchanged the customer of between 3% and 7% of the gas purchased. But the gas pump itself would show that the entire volume of purchased gas had been pumped into the tank. The stolen gasoline was automatically sent to the tank that the attendants had left empty that morning.
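The scheme above leaves a physical trace that the falsified pump and register totals cannot hide: the selling tank drops by less than the pumps claim to have sold, and the “empty” reserve tank gains fuel nobody delivered. The following is an added example, not code from the article or from any station software; it reconciles pump-reported sales against tank readings and assumes those readings come from a dip-stick or an independent gauge feed that the compromised controller does not write to, with a constructed 1% tolerance for normal meter and gauge error.

```python
"""Reconcile pump-reported sales against independent tank gauge readings.

Constructed example (not the article's or any vendor's code). The malware
described reports the full volume sold while diverting 3-7% into a reserve
tank that staff emptied that morning. If tank levels are read from a source
the pump controller cannot rewrite, the diversion shows up as two anomalies:
the active tank drops less than the pumps report, and the reserve tank gains
fuel with no delivery to explain it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ShiftReadings:
    station: str
    reported_sold_l: float     # sum of pump meter / register totals for the shift
    active_open_l: float       # independent gauge reading of the selling tank at start
    active_close_l: float      # same tank at end of shift
    reserve_open_l: float      # reading of the supposedly empty reserve tank at start
    reserve_close_l: float     # same reserve tank at end of shift
    deliveries_l: float = 0.0  # fuel legitimately delivered into the reserve tank


def shortfall_ratio(r: ShiftReadings) -> float:
    """Fraction of reported sales that never actually left the active tank."""
    if r.reported_sold_l <= 0:
        return 0.0
    actual_drop = r.active_open_l - r.active_close_l
    return (r.reported_sold_l - actual_drop) / r.reported_sold_l


def unexplained_reserve_gain(r: ShiftReadings) -> float:
    """Litres the reserve tank gained beyond what was delivered to it."""
    return (r.reserve_close_l - r.reserve_open_l) - r.deliveries_l


def audit(readings, tolerance: float = 0.01):
    """Return (station, shortfall_ratio, reserve_gain_l) for shifts outside tolerance.

    The tolerance absorbs ordinary meter error and thermal expansion; the
    3-7% skim reported in the article sits well above a 1% margin.
    """
    flagged = []
    for r in readings:
        ratio = shortfall_ratio(r)
        gain = unexplained_reserve_gain(r)
        if ratio > tolerance or gain > tolerance * r.reported_sold_l:
            flagged.append((r.station, round(ratio, 3), round(gain, 1)))
    return flagged


# Constructed sample readings: one honest station, one running a 5% skim.
SAMPLE = [
    ShiftReadings("honest", 8000.0, 20000.0, 12010.0, 0.0, 0.0),
    ShiftReadings("skimmer", 8000.0, 20000.0, 12400.0, 0.0, 400.0),
]

if __name__ == "__main__":
    for station, ratio, gain in audit(SAMPLE):
        print(f"{station}: {ratio:.1%} of reported sales missing, reserve gained {gain} L")
```

The check only has value if the gauge readings are taken independently of the pump controller and back-office system, since the article says both were made to display false data.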
This isn’t the first time we’ve seen crooks targeting gas stations.
A few years back, we saw a spate of Bluetooth-enabled, banking-data-gobbling skimmers installed at gas stations in the Southern US.
Eventually, 13 alleged thieves were charged with forging bank cards using details pinged via Bluetooth to nearby crooks from devices that were impossible for gas-buying customers to detect, given that the skimmers were installed internally.
We’ve also seen more analog skimmers attached to ATMs, such as the crudely glued-on card catchers that leave thieves hanging around the machine, pretending to look innocent, as they wait to snatch the cards after victims give up on ever getting them back.
True, the Bluetooth skimmer was installed internally, making it tougher to spot than the glued-on kludge of a card catcher. It still presented a problem for the thieves, though: using Bluetooth meant the skimmer still relied on the thieves hanging around nearby, given the limited range of this wireless technology. It also meant that anybody else using Bluetooth in the vicinity could get an eyeful of “Oooo, payment card details up for grabs!”
Last year, New York City police also started to see a new sort of skimmer on gas pumps that cuts the Bluetooth tie, instead relying on wireless GSM text messages to get card details to the crooks anywhere in the world.


Should I presume you are talking about petrol pumps?
Yet another instance of items being connected to the internet when they don’t need to be, opening up the risks of malware, etc. Same problem as with IoT devices that are largely insecure and open to hacking.


Any information as to how he got busted?


Most likely a customer with a 10 litre jerry-can got suspicious when he got charged for 10.5 litres of fuel. If he then measured the fuel when he got home and got a discrepancy, it probably would have been enough to convince someone to investigate.
The other possibility is that the local police force heard a rumour from the local bad guys.


Google translation from the Russian article: “His malicious programs could not be detected either by the specialists of the control service of oil companies, who constantly conduct inspections at the filling stations, or the employees of the Ministry of Internal Affairs.” … “But even if someone from the police carried out a control purchase and caught the employees of the gas stations on the scam, the cost of stolen 2-3 liters of gasoline from one machine would not pull the criminal case.” The Russian oil companies and Ministry of Internal Affairs sound like they need a better inspection process, perhaps one that dispenses fuel into a separate container for measurement.


Is it really malware if it’s installed with the collusion of the business? Or even with the collusion of employees of the business, unknown to the management?


Sure it is. Malware is short for “malicious software”, which fits the bill here in moral, legal and technical terms, wouldn’t you say?

