PoS Malware: Old Dog Learns New Tricks

  • Posted on:September 26, 2016
  • Posted in:Malware, Ransomware, Security
  • Posted by:Rik Ferguson (VP, Security Research)
POS malware is still a huge problem.

With all the focus on ransomware so far in 2016, you could be forgiven for thinking that not much else is happening in the world of online crime. Don’t be too hasty though, while there is a massive uptick in criminal interest, innovation and investment in ransomware, other profitable forms of cybercrime are certainly not slipping.

Point of Sale malware, designed to lift bank card details (and other information too) from payment terminals around the world, continues to evolve and to propagate.

In February of this year researchers at Trend Micro noted the evolution of FighterPOS, a Point of Sale malware family that first emerged in Brazil in April of 2015. Two new and “improved” versions, Floki Intruder and TSPY_POSFIGHT.F, have surfaced with extended feature sets and an extended victim population. Perhaps the most alarming new feature is the worm routine built into Floki Intruder, which enumerates logical drives and drops copies of itself, along with the associated autorun.inf, using WMI tools. This means that the new FighterPOS can spread through the network and infect any available PoS terminal with extremely low effort. It also means, of course, that as long as one infected terminal remains in a network, clean-up can be very problematic. Aside from that, the new version also disables the default Windows firewall and security features, along with User Account Control, to solidify its hold on a machine. It seems that whoever is developing this newer version is also breaking out of the historical Brazilian hunting ground, as FighterPOS has begun targeting victims in the United States too. TSPY_POSFIGHT.F appears to be a lightweight version built from the same codebase as Floki Intruder and FighterPOS.
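The autorun.inf dropped next to each copy of the worm is a concrete artefact a responder can sweep for across mapped and removable drives. The following scanner is an added example written for this post (not Trend Micro's or the malware author's code): it parses the `[autorun]` section of each autorun.inf it finds, reports any key that launches a file, and checks whether that file actually sits on the same drive. The drive list, the sample autorun.inf contents and the `update.exe` file name are all constructed for the demonstration.

```python
"""Added example (not Trend Micro's code): find autorun.inf files on drive
roots that launch an executable, the artefact left behind when PoS malware
copies itself to every logical drive it can enumerate."""
import os
import tempfile
from typing import Dict, List

# Keys in the [autorun] section that make the Windows shell launch a file.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the launch keys (lower-cased) found in the [autorun] section.

    A small hand-written INI walk is used instead of configparser because
    real autorun.inf files are often sloppy (stray lines, mixed case,
    duplicate keys) and must not raise while we are triaging a drive.
    """
    section = None
    launch: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip().lower()
        if key in LAUNCH_KEYS:
            launch[key] = value.strip().strip('"')
    return launch


def scan_drives(roots: List[str]) -> List[dict]:
    """Look for autorun.inf at each drive root and describe what it launches."""
    findings = []
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if not os.path.isfile(path):
            continue
        with open(path, "r", errors="replace") as fh:
            launch = parse_autorun(fh.read())
        for key, target in launch.items():
            # The launched program is the first token; the rest are arguments.
            tokens = target.split()
            exe = tokens[0] if tokens else ""
            findings.append({
                "drive": root,
                "key": key,
                "target": target,
                # A dropped copy of the worm lives beside its autorun.inf.
                "target_present": bool(exe) and os.path.exists(os.path.join(root, exe)),
            })
    return findings


# Constructed sample: what a dropped autorun.inf commonly looks like.
SAMPLE_AUTORUN = """[AutoRun]
; constructed for the example, not a real malware sample
icon=update.exe,0
open=update.exe /silent
shellexecute="update.exe"
"""


def demo() -> List[dict]:
    """Build a throwaway 'drive' with the constructed autorun.inf and scan it."""
    root = tempfile.mkdtemp(prefix="fake_drive_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "update.exe"), "wb") as fh:
        fh.write(b"not a real executable")  # placeholder dropped file
    return scan_drives([root])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a Windows host the same function is pointed at the real drive roots (for example `scan_drives([f"{d}:\\" for d in "DEFGH"])`); a hit whose launched file is present on the same drive is worth pulling for analysis rather than deleting in place, since the post notes that a single surviving infected terminal re-seeds the network.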

Later in the year, June saw our first analysis of FastPOS, so named because it represents the “smash and grab” of PoS malware. FighterPOS includes routines for both keystroke logging and RAM scraping to target sensitive information and payment card details. The standout difference from other PoS malware is that the stolen data is not written to disk or stored on a temporary dump server; rather, it is transmitted immediately to the criminal, as soon as the ‘Enter’ key is pressed on the infected terminal. This transmission is by means of an HTTP GET request, perhaps attempting to lose itself in the general web browser traffic on the victim network, invisible to all but the most specific searches.

Another unusual feature of FighterPOS is its validation of the credit and debit card details it steals. One aspect of card data, unseen by card holders but processed by a PoS terminal, is the Service Code, which dictates how and where a card may be used: for example, whether it may be used internationally, whether it can be used to withdraw cash, or whether a PIN is required. FighterPOS interrogates this Service Code, being sure to steal only cards which are good for international use and where use of the chip (if it is present) is not mandatory.
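The two points above, exfiltration inside ordinary-looking HTTP GET requests and the Service Code filter, are exactly what a proxy or egress log search should key on. The script below is an added example written for this post (not Trend Micro's or the malware's code): it walks constructed proxy log lines, URL-decodes each GET query string, looks for track-2-style card data (PAN, `=`, YYMM expiry, three-digit Service Code), keeps only Luhn-valid PANs to cut false positives, and decodes the Service Code digits per ISO/IEC 7813 so an analyst can see which cards the filter described in the post would have selected. The log format, the host name and the test PAN 4111111111111111 are all constructed for the example.

```python
"""Added example (not Trend Micro's code): flag outbound HTTP GET requests
whose query strings carry track-2-style card data, and decode the ISO/IEC
7813 Service Code so an analyst can see what the malware was selecting for."""
import re
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Track 2 layout: PAN (13-19 digits) '=' YYMM, 3-digit service code, discretionary data.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})\d*")

# ISO/IEC 7813 Service Code, first digit: interchange and chip technology.
INTERCHANGE = {
    "1": "international",
    "2": "international, chip where feasible",
    "5": "national only",
    "6": "national only, chip where feasible",
    "7": "private/closed loop",
    "9": "test",
}
# Third digit: allowed services and PIN requirement.
SERVICES = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, PIN where feasible",
    "7": "goods and services only, PIN where feasible",
}


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def decode_service_code(code: str) -> dict:
    """Explain the three Service Code digits for an analyst."""
    return {
        "interchange": INTERCHANGE.get(code[0], "reserved"),
        "chip_preferred": code[0] in "26",
        "services": SERVICES.get(code[2], "reserved"),
        # The selection the post describes: international use, chip not mandated.
        "international_no_chip": code[0] == "1",
    }


def find_track2(text: str) -> List[dict]:
    """Return decoded, Luhn-valid track-2 fragments found in text (PAN masked)."""
    hits = []
    for match in TRACK2_RE.finditer(text):
        pan, expiry, svc = match.groups()
        if not luhn_ok(pan):
            continue
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        hits.append({"pan_masked": masked, "expiry": expiry,
                     "service_code": svc, **decode_service_code(svc)})
    return hits


def inspect_request(log_line: str) -> Optional[dict]:
    """Parse one constructed log line: '<timestamp> <src_ip> <method> <url>'."""
    parts = log_line.split()
    if len(parts) != 4 or parts[2] != "GET":
        return None
    timestamp, src, _, url = parts
    split = urlsplit(url)
    hits = find_track2(unquote(split.query))  # decode %3B, %3D, %3F etc.
    if not hits:
        return None
    return {"timestamp": timestamp, "src": src, "host": split.hostname, "hits": hits}


def scan_log(lines: List[str]) -> List[dict]:
    """Run inspect_request over every line and keep the alerts."""
    return [alert for alert in map(inspect_request, lines) if alert]


# Constructed proxy log: one exfil-style GET, one benign GET, one non-Luhn decoy.
SAMPLE_LOG = [
    "2016-06-01T10:15:02Z 10.0.0.12 GET http://example.invalid/dl.php?id=1"
    "&data=%3B4111111111111111%3D2512101123456789%3F",
    "2016-06-01T10:15:03Z 10.0.0.12 GET http://example.invalid/index.html?q=prices",
    "2016-06-01T10:15:04Z 10.0.0.13 GET http://example.invalid/dl.php?data=4111111111111112%3D2512101",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Run against real proxy output the line parser is the only part that changes; the detection itself (URL-decode the query, match the track-2 shape, Luhn-validate, decode the Service Code) stays the same, and masking the PAN before it reaches an alert keeps the SOC's own logs out of scope for card data handling.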

FighterPOS appears to be designed specifically for networks without a large footprint, perhaps for small businesses and sole traders whose usual internet access point is a simple DSL modem on a very small local network.

In both these cases, multiple protection techniques are possible, with endpoint application control being perhaps the most appropriate in a PoS environment. Application control allows whitelisting of only those applications which are allowed to run on each endpoint, and will stop malware from installing or executing. If your PoS terminals are in a larger-footprint environment, then network-based breach detection and sandboxing are also appropriate and viable technologies.
