Connect with us

Hi, what are you looking for?


Malware & Threats

Card Data, Keystrokes Quickly Exfiltrated by FastPOS Malware

Trend Micro researchers have come across a new point-of-sale (PoS) malware family that has been described as quick and efficient when it comes to exfiltrating harvested data.

Trend Micro researchers have come across a new point-of-sale (PoS) malware family that has been described as quick and efficient when it comes to exfiltrating harvested data.

The malware, dubbed FastPOS, has been observed infecting both SMBs and enterprises in countries like the United States, France, Brazil, Hong Kong, Japan and Taiwan. The threat is usually installed via compromised websites, a file sharing service, or via VNC access using stolen credentials or brute-force attacks.

FastPOS is designed to collect payment card data by scraping the infected device’s memory and log keystrokes. Unlike other PoS malware families, FastPOS sends the harvested data immediately back to its command and control (C&C) server instead of storing it locally and uploading it at certain intervals.

In the case of the keylogging feature, FastPOS is similar to NewPosThings since they both hold the collected data in memory instead of writing it to the disk. FastPOS logs each keystroke and sends the information back to the attacker when the victim hits the enter key.

The keylogging feature allows cybercriminals to collect information such as passwords, personal details and financial data. In order to give attackers some clue as to what type of information has been harvested, the malware also logs the title of the window where the data has been entered.

The RAM scraping feature uses a custom algorithm to ensure that the data it has found is valid. One interesting aspect is that FastPOS also checks the stolen payment card’s service code and only exfiltrates the data if the code is 201 or 101. These codes indicate that the card can be used internationally and it does not require a PIN.

The harvested keystrokes and payment card data are immediately sent back to a C&C server whose location is hardcoded in the malware. The exfiltration method is unusual because it leverages an HTTP GET request instead of a POST request, which is typically used to send data.

“One possibility is that the use of a GET command is designed to cause fewer suspicions – after all, this is the same command used when any browser retrieves a website,” Trend Micro wrote in a report detailing FastPOS.

Advertisement. Scroll to continue reading.

Researchers also noted that the stolen data is sent back to the server over HTTP. Since the data is not encrypted, in theory, others could easily intercept it.

Experts believe FastPOS’s quick exfiltration technique is highly efficient in the case of smaller organizations that rely on a DLS router as their network gateway, and which protect their terminals only with endpoint security software.

Another interesting observation made by Trend Micro is that the C&C server where FastPOS uploads stolen data also hosts a cybercrime forum that specializes in selling payment card records. At the time of analysis, there had been 3,354 payment cards available on the website, with prices ranging between $10 and $40 .

Related: Hackers Use Custom PoS Malware to Target Retailers

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Cisco is warning of a zero-day vulnerability in Cisco ASA and FTD that can be exploited remotely, without authentication, in brute force attacks.