New FastPOS Malware Breaches POS System and Instantly Delivers Theft Data

24th June 2016 | By Administrator

Here comes a new POS malware, named FastPOS, which, as the name suggests, strikes fast. It is fast in the sense that it snatches credit card information and sends it to the attackers instantly, rather than hoarding it for a later upload.

This new Point of Sale malware has been discovered by Trend Micro researchers. A recent post made in the Trend Micro blog, which gives details of the malware, says- “A newly discovered malware family hitting point-of-sale (PoS) systems has been found which emphasizes speed in how the information is stolen and sent back to attackers. We called this attack FastPOS, due to the speed and efficiency of its credit card theft capabilities. FastPOS is designed to immediately exfiltrate any stolen card data, instead of storing it locally in a file and periodically sending it to the attackers. This suggests that it may have been designed to target situations with a much smaller network environment. An example would be where the primary network gateway is a simple DSL modem with ports forwarded to the POS system.”

How Fast POS Malware arrives

According to the Trend Micro blog post, FastPOS reaches a Point of Sale payment terminal and its would-be targets via three methods. The POS attack by FastPOS begins when:

  • It links to a compromised medical site talking about laser surgical techniques
  • It arrives via a real-time file sharing service
  • It enters through direct file transfer via VNC

The Trend Micro blog further adds: “The first two methods imply some sort of social engineering necessary to get users to run the malware; the last implies either a compromise of company credentials of some sort or brute-forcing of the necessary user names and password.”

How it steals data

FastPOS comprises two main modules – a keylogger and a memory (RAM) scraper – and sends captured username and password data almost at the same instant that a user presses Enter on the payment terminal's keyboard. The keylogger transmits information such as user credentials, personally identifiable information (PII) of customers and staff, and payment information to the attacker, while the RAM scraper is designed to steal only credit card information. The keylogger is similar to the one found in the NewPOSThings POS malware, but it is to be noted that the logged keystrokes are not stored in a file on the affected system; instead they are held in memory and sent to the attacker as soon as the Enter key is pressed.

How it exfiltrates data

As regards how FastPOS exfiltrates data, the Trend Micro blog says: “…FastPOS does not store any information or status logs locally. Instead, any stolen information is immediately uploaded to a C&C server, the location of which is hardcoded inside the malware. This goes both for logged keystrokes as well as any information from the RAM scraper.”
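The immediate, per-transaction upload to a hardcoded C&C address is also what makes this behaviour stand out on the wire: a payment terminal should talk to its payment gateway and little else, so a second small outbound connection to an unknown external host a second or two after every gateway transaction is a cadence worth alerting on. The following is an added example for defenders, not code from the original post or from Trend Micro; the flow-log format, the store LAN range, the allowlisted gateway address, the constructed sample records and the thresholds are all assumptions made for the illustration.

```python
"""Flag POS hosts that upload small payloads to a non-allowlisted external
destination right after each payment-gateway transaction.

Added example, not from the original post or from Trend Micro. The log format,
the addresses, the allowlist and the thresholds are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed firewall flow records for a small POS segment.
# Assumed format: "timestamp src dst dst_port bytes_out".
SAMPLE_FLOWS = """\
2016-06-24T10:01:05 10.0.5.21 203.0.113.10 443 1450
2016-06-24T10:01:06 10.0.5.21 198.51.100.77 80 212
2016-06-24T10:03:41 10.0.5.21 203.0.113.10 443 1380
2016-06-24T10:03:42 10.0.5.21 198.51.100.77 80 198
2016-06-24T10:06:12 10.0.5.21 203.0.113.10 443 1402
2016-06-24T10:06:13 10.0.5.21 198.51.100.77 80 205
2016-06-24T10:07:00 10.0.5.22 203.0.113.10 443 1411
2016-06-24T10:09:30 10.0.5.22 192.0.2.44 443 52100
"""

# Assumption: the terminals live in 10.0.5.0/24 and the only external host they
# legitimately talk to is the payment processor's gateway.
STORE_LAN = ipaddress.ip_network("10.0.5.0/24")
PAYMENT_GATEWAYS = {"203.0.113.10"}

# Constructed thresholds: several small uploads to the same unknown host, each
# landing within a few seconds of a gateway transaction from the same terminal.
MIN_EVENTS = 3
MAX_BYTES = 4096
MAX_LAG_SECONDS = 10


def parse_flows(text):
    """Turn the constructed log text into (time, src, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return records


def is_external(addr):
    """Anything outside the assumed store LAN is treated as external."""
    return ipaddress.ip_address(addr) not in STORE_LAN


def find_per_transaction_exfil(records):
    """Return {(src, dst): count} for terminals whose small uploads to an
    unknown external host trail their own gateway transactions by seconds."""
    # Index each terminal's gateway transaction times first.
    gateway_times = defaultdict(list)
    for ts, src, dst, port, nbytes in records:
        if dst in PAYMENT_GATEWAYS:
            gateway_times[src].append(ts)

    hits = defaultdict(int)
    for ts, src, dst, port, nbytes in records:
        if dst in PAYMENT_GATEWAYS or not is_external(dst) or nbytes > MAX_BYTES:
            continue
        # Count the upload only if it closely follows one of this terminal's transactions.
        if any(0 <= (ts - t).total_seconds() <= MAX_LAG_SECONDS for t in gateway_times[src]):
            hits[(src, dst)] += 1

    return {key: n for key, n in hits.items() if n >= MIN_EVENTS}


if __name__ == "__main__":
    for (src, dst), n in find_per_transaction_exfil(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}: {n} small uploads, each within "
              f"{MAX_LAG_SECONDS}s of a card transaction")
```

On the constructed sample, terminal 10.0.5.21 is flagged for three small uploads to 198.51.100.77 that each follow a gateway transaction by one second, while the single large transfer from 10.0.5.22 is ignored because it is neither small nor tied to a transaction. The same egress allowlist that drives the detection is also the mitigation: a POS segment whose firewall only permits outbound connections to the payment gateway leaves a hardcoded C&C address nowhere to go.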

Targets- Where and Who

FastPOS has targeted companies and users in different parts of the world. In the Americas it has targeted victims in the US and Brazil; in Asia it has targeted victims in Japan, Taiwan, and Hong Kong; and in Europe the target has been France.

As regards the industries targeted, the Trend Micro blog says: “The industries of these varied as well. One victim in the United States was a veterinary clinic; targets elsewhere included companies in the food and logistics sectors. In some of these cases, the victim locations were remote offices that contained open VNC access.”

The solution

The mitigations suggested include application whitelisting and proper endpoint security, with a focus on endpoint application control so that only approved software can run on the payment terminal.
