Gas Stations Hackers Scam Uncovered in Russia

    Authorities in Russia have broken up a widespread scheme involving dozens of gas-station employees who used software programs on electronic gas pumps to con customers into paying for more fuel than they actually pumped into their tank. The scam shorted customers between 3-to-7 percent per gallon of gas pumped, Russia Beyond reported.

    On Saturday, Russian Federal Security Service (FSB) arrested hacker Denis Zayev in Stavropol, Russia on charges he created several software programs designed to swindler gas customers, according to multiple Russian media reports.

    The software was found only on gas stations located predominantly throughout the south of Russia. The FSB did not return an email request for comment on this story.

    Zayev is accused of developing the software programs and selling them to rogue gas-station employees. Under the arraignment, both gas-station employees and Zayev received a cut of the money customers overpaid for gas. According to the FSB, the crime earned Zayev and gas station employees “hundreds of millions of rubles.”

    A translated report from news source Rosbalt said the malicious software was nearly impossible to detect by local inspectors and oil companies that monitor gasoline inventory remotely.

    According to the report, not only did pumps display false data, but also cash registers and back-end systems.  Next, Zayev’s software was able to cloak sales data tied to the sale of a station’s illicit surplus gasoline.

    It’s unclear what tipped Russian authorities off to the scam.

    Hackers targeting gas stations isn’t new. In 2014,  New York state authorities charged 13 men for using Bluetooth-enabled skimmers to steal more than $2 million from customers at gas stations across the Southern United States between 2012 and 2013.

    A 2015 Black Hat presentation (PDF) by researchers Kyle Wilhoit and Stephen Hilt, also highlighted dangers of a growing number of internet-exposed gas pump monitoring systems in the U.S. They warned exposed SCADA systems could allow malicious actors to carry out DDoS attacks against pumps, register incorrect fill data and damage engines by manipulating pumps to serve diesel fuel instead of unleaded.