
Card Data, Keystrokes Quickly Exfiltrated by FastPOS Malware

Trend Micro researchers have come across a new point-of-sale (PoS) malware family that has been described as quick and efficient when it comes to exfiltrating harvested data.

The malware, dubbed FastPOS, has been observed infecting both SMBs and enterprises in countries like the United States, France, Brazil, Hong Kong, Japan and Taiwan. The threat is usually installed via compromised websites, a file sharing service, or via VNC access using stolen credentials or brute-force attacks.

FastPOS is designed to collect payment card data by scraping the infected device’s memory and logging keystrokes. Unlike other PoS malware families, FastPOS sends the harvested data immediately back to its command and control (C&C) server instead of storing it locally and uploading it at certain intervals.

In the case of the keylogging feature, FastPOS is similar to NewPosThings since they both hold the collected data in memory instead of writing it to the disk. FastPOS logs each keystroke and sends the information back to the attacker when the victim hits the enter key.

The keylogging feature allows cybercriminals to collect information such as passwords, personal details and financial data. In order to give attackers some clue as to what type of information has been harvested, the malware also logs the title of the window where the data has been entered.

The RAM scraping feature uses a custom algorithm to ensure that the data it has found is valid. One interesting aspect is that FastPOS also checks the stolen payment card’s service code and only exfiltrates the data if the code is 201 or 101. These codes indicate that the card can be used internationally and does not require a PIN.

The harvested keystrokes and payment card data are immediately sent back to a C&C server whose location is hardcoded in the malware. The exfiltration method is unusual because it leverages an HTTP GET request instead of a POST request, which is typically used to send data.

“One possibility is that the use of a GET command is designed to cause fewer suspicions – after all, this is the same command used when any browser retrieves a website,” Trend Micro wrote in a report detailing FastPOS.

Researchers also noted that the stolen data is sent back to the server over HTTP. Since the data is not encrypted, in theory, others could easily intercept it.
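A defender's view of the two details above (cleartext card data in a GET request, and the 101/201 service-code filter), as an added example that is not from the article or from Trend Micro's report: a scan of web proxy logs for GET URLs that carry Luhn-valid Track 2 data. The article does not describe the actual request format, so the space-separated log layout, the assumption that the track data appears in the URL in plain or URL-encoded form, and all hosts, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Track 2 layout: PAN '=' YYMM expiry, 3-digit service code, discretionary data.
TRACK2 = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})\d*")
FLAGGED_SERVICE_CODES = {"101", "201"}  # the two codes the article names

def luhn_ok(pan: str) -> bool:
    """Luhn checksum, to discard digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_proxy_line(line: str):
    """Return a finding dict if a GET URL carries Track 2 data, else None."""
    parts = line.split()
    if len(parts) < 4 or parts[2] != "GET":
        return None
    src, url = parts[1], unquote(parts[3])  # undo %3D etc. before matching
    for m in TRACK2.finditer(url):
        pan, _expiry, svc = m.groups()
        if luhn_ok(pan):
            return {
                "src": src,
                "host": url.split("/")[2] if "://" in url else "",
                "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
                "service_code": svc,
                "matches_article_codes": svc in FLAGGED_SERVICE_CODES,
            }
    return None

# Constructed sample log lines (timestamp, client, method, URL); test PANs only.
SAMPLE_LOG = [
    "2016-06-03T10:01:07Z 10.0.5.21 GET http://c2.example.invalid/a.php?d=4111111111111111%3D25122010000000000",
    "2016-06-03T10:01:09Z 10.0.5.21 GET http://shop.example.invalid/item?id=4111111111111112=2512201",
    "2016-06-03T10:01:12Z 10.0.5.30 POST http://pay.example.invalid/charge",
    "2016-06-03T10:01:15Z 10.0.5.44 GET http://cdn.example.invalid/img.png?v=20160603",
]

FINDINGS = [f for f in map(scan_proxy_line, SAMPLE_LOG) if f]

if __name__ == "__main__":
    for finding in FINDINGS:
        print(finding)
```

Only the first sample line is reported: the second fails the Luhn check, the third is not a GET, and the fourth has no track-shaped data. The PAN is masked in the finding so the alert itself does not become a second copy of the card number.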

Experts believe FastPOS’s quick exfiltration technique is highly efficient in the case of smaller organizations that rely on a DSL router as their network gateway, and which protect their terminals only with endpoint security software.

Another interesting observation made by Trend Micro is that the C&C server where FastPOS uploads stolen data also hosts a cybercrime forum that specializes in selling payment card records. At the time of analysis, there had been 3,354 payment cards available on the website, with prices ranging between $10 and $40.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.