Cybercriminals must be feeling the need for speed: they have brewed up a new point-of-sale (POS) malware family called FastPOS that is much faster at snatching and disseminating stolen credit card information.
FastPOS, discovered by Trend Micro researchers who have also given it the fancier moniker TSPY_FASTPOS.SMZTDA, differs from other POS malware by immediately transferring the stolen credit card data back to the command and control server. Traditionally, the payment card info is stored locally and then forwarded only periodically; the periodic forwarding is done to help prevent detection.
Trend Micro also believes FastPOS has been designed for use against smaller, simpler retail networks and not large retail chains. So far the malware has victimized people across the globe, hitting the United States, Brazil, Japan, France and Taiwan.
“This could be cases where the primary network gateway is a simple DSL modem with ports forwarded to the POS system. In such a situation, the target would rely almost exclusively on endpoint detection and less so on network-level detection,” the researchers said.
Injecting the malware onto the POS system appears to be done by brute-force attacks to obtain login credentials, social engineering scams that trick users into installing the malware, or through a real-time file sharing service.
The key logger and RAM scraper that are used with FastPOS also have a few new twists. Trend Micro said the key logger is similar to the one found in NewPOSThings malware, but instead of storing the information on the infected system it keeps it in the device's memory, and when the customer/victim presses the enter button the data is sent along to the criminal.
The RAM scraper not only grabs all the card info, but includes a series of checks to make sure only valid credit card numbers are swiped. Another somewhat rare feature for this scraper is that it verifies the card's service code. This lets the criminal know where the card can be used, and it also helps weed out cards that require PINs.
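A cardholder-data discovery scan relies on the same two signals, card-number validity and the service code, to confirm that a string left in a log or dump is real track data and to describe the exposure. The sketch below is an added example, not code from Trend Micro's report or from the malware. The Track 2 layout and service-code meanings are taken from ISO/IEC 7813 rather than from the article, the Luhn checksum stands in for the unspecified validity checks, and the function names and sample log are constructed.

```python
import re

# Track 2 layout per ISO/IEC 7813: ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# First service-code digit: where the card may be used.
INTERCHANGE = {"1": "international", "2": "international, chip",
               "5": "national", "6": "national, chip"}
# Third service-code digit values that make a PIN mandatory.
PIN_REQUIRED = {"0", "3", "5"}

def luhn_ok(pan):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan):
    """Keep the first six and last four digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(text):
    """Return one finding per Luhn-valid Track 2 string found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TRACK2.finditer(line):
            pan, _expiry, svc = m.groups()
            if not luhn_ok(pan):  # digit run shaped like track data, not a card
                continue
            findings.append({
                "line": lineno,
                "pan": mask(pan),
                "service_code": svc,
                "interchange": INTERCHANGE.get(svc[0], "other"),
                "pin_required": svc[2] in PIN_REQUIRED,
            })
    return findings

# Constructed sample log; lines 1 and 3 use public test PANs, line 2 fails Luhn.
SAMPLE_LOG = """\
10:02:11 pos01 debug swipe=;4111111111111111=25121010000000000?
10:02:40 pos01 debug ref=;4111111111111112=25121010000000000?
10:03:05 pos01 debug swipe=;5555555555554444=25122200000000000?
"""

if __name__ == "__main__":
    for finding in find_track2(SAMPLE_LOG):
        print(finding)
```

Any finding means unencrypted track data was written somewhere it should not be, which is the condition a RAM scraper depends on.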
Trend researchers also found that the actors behind the malware are advertising and selling the stolen payment card credentials.
“What is unusual is that we found that this site's IP address was used by FastPOS itself as a C&C server! In short, the persons behind FastPOS are selling stolen credentials via the same server they use to receive these credentials,” the report said.