Analysts believe that recent point-of-sale (POS) malware attacks targeting more than 100 terminals in Brazil were the handiwork of a single person – who managed to steal more than 22,000 unique credit cards numbers in a little over a month.
The malware dispatched, “FighterPOS,” was also standout because, in addition to collecting credit card track 1, track 2 and CVV codes and featuring RAM scraping functionality, it allowed threat actors to launch distributed denial-of-service (DDoS) attacks against targets.
According to Trend Micro, which detailed the operation in a Monday blog post, FighterPOS appeared to be a modified version of older malware called, vnLoader, with features malware auto-update functions, file download and execution, and transfers credit card and keylogged data from infected hosts to criminals. Researchers also believed that FighterPOS was constructed from older malware since samples of the threat were written in Visual Basic 6, programming language “considered outdated and antiquated,” though still functional with fully patched systems, the blog post explained.
Between late February and early April, 113 terminals running Linx MicroVix or Linx POS systems were infected with FighterPOS. More than 95 percent of the malware attacks were in Brazil, but a very small number were detected in the U.S., UK, Mexico and Italy.According to Jon Clay, senior manager of global threat communications at Trend Micro, who spoke to SCMagazine.com in a Monday interview, other attackers will certainly want to take advantage of the new POS malware &ndash and my now have the opportunity to do so.
Clay pointed out that the sole perpetrator of the attacks in Brazil was actively selling the FighterPOS control panel and malware code for 18 bitcoins, worth around $5,250 – not an outlandish sum considering the potential payout for fraudsters. Furthermore, its suite of malicious capabilities may make it more appealing to buyers.
“He did add a DDoS capability, possibly to make it more saleable, or he was using it to obfuscate his own [activities],” Clay said of the FighterPOS perpetrator, who may be leveraging the DDoS feature as a diversion while quietly capturing card information.
“This was very targeted to Brazil, but it was a wake-up call for organizations with retail accounts in [international] regions,” he added later.
According to Clay, the attacks outside of Brazil were likely “collateral damage,” meaning malware that had spread to other branches of retail organizations, either through an infected thumb drive or other means. Trend Micro included indicators of compromise (IOCs) in its blog post for the threat, which it detects as “TSPY_POSFIGHT.SM.”