In recent years, point-of-sale (POS) malware and attacks have taken the world by storm. These incidents not only impact the operators of brick-and-mortar stores with physical payment terminals, but the proprietors of online e-commerce firms as well.
What's more, even a single POS attack can spell disaster for a brand. Not only does this instance put the business at risk, but it can breed distrust with customers whose sensitive information was compromised during the attack.
Security expert and Carbon Black contributor Christopher Strand noted that POS attacks will continue to make headlines this year and into the near future for a range of reasons. Not only are these attacks incredibly lucrative for hackers, who make off with a wealth of personal consumer details that can be sold on the black market or used for fraud, but in many cases retailers present attackers with low-hanging fruit, ripe for the taking.
"[O]rganizations continue to struggle with their security hygiene, so issues such as lax security configurations and weak passwords will leave many vulnerable to attack," Strand wrote. "As a result, cyber criminals will continue to successfully breach POS environments using variants of the same malware that we've seen with past breaches."
However, lax data protection isn't the only issue here. In addition to leveraging malware samples that have proven successful for breaches in the past, malware creators are also establishing new malware families to further these attacks.
Trend Micro reported in early June that a new POS-targeting malware family had been discovered, and that these samples are incredibly efficient at stealing critical, personal data. It's appropriately called FastPOS, and it's an infection that has been impacting retailers around the world.
FastPOS: How it works
One of the things that makes this malware so dangerous is that it is able to use several different methods to attack and breach a POS system, including direct VNC file transfers, real-time file sharing, or malicious links to a legitimate-appearing, infected medical site. In this way, even if users don't click a dangerous link included in an email, attackers can try their hand at sending an infected file to ensure that the targeted victim can still be attacked.
"The first two methods imply some sort of social engineering necessary to get users to run the malware; the last implies either a compromise of company credentials of some sort or brute-forcing of the necessary user names and passwords," Trend Micro noted of the three infection methods.
Once present within the victim's POS, the malware can move on to the processes that helped it earn its name. Whereas other infections of this type locally store stolen data before uploading it to attackers at specific intervals, FastPOS instead sends these details immediately. The malware uses a keylogger and a RAM scraper to collect as much information as possible – including customer payment details and other data stored within the magnetic stripes of credit and debit cards – as well as a range of other details, depending on the company's internal processes. For instance, the keylogger is equipped to capture personally identifiable information of both shoppers and brand employees, as well as user credentials and payment data.
The moment these details are gathered, the malware uploads them to a hacker-owned command-and-control server, enabling the attacker to take ownership of the data and use or sell the information as he or she sees fit.
The final dangerous piece of the puzzle here is the fact that FastPOS doesn't use encryption at any point during the uploading process.
"[T]he non-usage of HTTPS here means that the victim's data is sent 'in the clear,' without any encryption whatsoever," Trend Micro explained. "This means they could easily be stolen by other threat actors capable of intercepting network traffic, making the user a victim twice over."
This is something that isn't typically seen with any type of malware infection, let alone attacks that target POS systems, making FastPOS a particularly unusual threat. Oftentimes, hackers will use encryption to protect the information they've just stolen – after attackers have gone through the work and trouble of breaching a business, it's important to them that they have something (stolen data ready to be sold or used for other fraudulent purposes) to show for their efforts.
Who are the victims?
Interestingly, Trend Micro found that while FastPOS has been discovered in a number of different countries, it typically affects SMB-level businesses as opposed to enterprises.
"FastPOS has been designed for use against smaller, simpler retail networks and not large retail chains," SC Magazine editor Doug Olenick wrote. "So far the malware has victimized people across the globe, hitting the United States, Brazil, Japan, France and Taiwan."
This makes protections like employee education and awareness alongside multi-layered security a must for companies of all sizes. What's more, since Trend Micro noted that FastPOS is also incredibly skilled at covering its own tracks, high-level network visibility and activity monitoring are critical.
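The cleartext upload described above is also what makes FastPOS-style exfiltration visible to the network monitoring this section calls for: track-1 and track-2 data has a fixed layout, so a proxy or egress log can be checked for it. The following is an added illustration for this article, not code from the article, from Trend Micro, or from any product; the seven-field log format, the hosts, the placeholder upload path and the card numbers are all constructed test data, and a Luhn check is used to drop digit runs that merely look like a card number.

```python
"""Flag cleartext HTTP POSTs that carry magnetic-stripe track data.

Added illustration for this article; not code from the article, from
Trend Micro or from any product. The log format, hosts, paths and card
numbers below are constructed test data.
"""
import re
from urllib.parse import unquote

# Track 2 is ";<PAN>=YYMM<service code><discretionary data>?"
# Track 1 is "%B<PAN>^<NAME>^YYMM...?"
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so alerts don't re-leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def track_pans(text: str) -> list:
    """Return Luhn-valid PANs found in track-1/track-2 formatted text."""
    decoded = unquote(text)  # upload bodies are typically form-encoded
    found = [m.group(1) for m in TRACK2_RE.finditer(decoded)]
    found += [m.group(1) for m in TRACK1_RE.finditer(decoded)]
    return [p for p in found if luhn_ok(p)]


def parse_line(line: str) -> dict:
    """Assumed 7-field proxy log: ts src method scheme host path body."""
    ts, src, method, scheme, host, path, body = line.split(" ", 6)
    return {"ts": ts, "src": src, "method": method, "scheme": scheme,
            "host": host, "path": path, "body": body}


def scan(lines) -> list:
    """One alert per cleartext POST whose URL or body holds track data."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        # The payload is only inspectable when the request is sent in the
        # clear, which is exactly the FastPOS behaviour the article describes.
        if rec["scheme"] != "http" or rec["method"] != "POST":
            continue
        pans = track_pans(rec["path"] + " " + rec["body"])
        if pans:
            alerts.append({"ts": rec["ts"], "src": rec["src"],
                           "dst": rec["host"] + rec["path"],
                           "pans": [mask_pan(p) for p in pans]})
    return alerts


# Constructed sample (RFC 5737 addresses, placeholder upload path, test PANs).
SAMPLE_LOG = [
    # track 2 in a form-encoded body -> alert
    "2016-06-03T10:15:01Z 10.20.1.15 POST http 198.51.100.23 /upload.php "
    "data=%3B4111111111111111%3D2212101123456789%3F",
    # track 1 in the query string -> alert
    "2016-06-03T10:15:02Z 10.20.1.16 POST http 198.51.100.23 "
    "/upload.php?k=%25B4111111111111111%5EDOE%2FJOHN%5E2212101%3F -",
    # track-like sync token that fails the Luhn check -> no alert
    "2016-06-03T10:16:00Z 10.20.1.15 POST http 203.0.113.8 /sync "
    "id=%3B1234567890123456%3D2016101%3F",
    # ordinary software update over GET -> no alert
    "2016-06-03T10:17:00Z 10.20.1.15 GET http 203.0.113.9 /update.xml -",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run as-is, the script raises two alerts, one per upload that contains a valid card number, and stays quiet on the Luhn-failing token and the GET request. The check only works because the data crosses the network unencrypted; malware that tunnels the same payload over TLS would have to be caught by other means, such as egress allowlisting for POS hosts and the endpoint controls discussed later in the article.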
The perpetrators: Malicious actors behind the attacks
While security experts have yet to uncover the identities of the individuals who created and now use FastPOS, clues have appeared in the wild. Trend Micro researchers discovered the same mutex in malware code posted in a forum last year, as well as the same code that enables FastPOS to send keystrokes in other posts originating from the same user.
However, the most telling clue appears in an online advertisement for the purchase of stolen credit cards.
"What is unusual is that we found that this site's IP address was used by FastPOS itself as a C&C server!" Trend Micro noted. "In short, the persons behind FastPOS are selling stolen credentials via the same server they use to receive these credentials."
Protecting against FastPOS
One of the most critical steps retailers can take to protect their business and systems from FastPOS and other point-of-sale infections is to educate users throughout the company. FastPOS and similar infections often use social engineering and other tactics to personally target specific users. This increases the chance of a successful breach if employees aren't taught about suspicious behavior and what to look for.
In addition, protections like endpoint application control and whitelisting capabilities can further reduce this threat by introducing security features and controls that help ensure that only authorized users can access critical systems like POS.
Retailers of all sizes must take steps to ensure that sensitive financial information remains protected.