Cocky devs don’t try to hide malware, export credit card numbers as cleartext
A smash-and-grab malware gang has updated its FastPoS point-of-sale hack app to plunder credit cards more efficiently ahead of the festive season.
The FastPoS author is known for issuing an annual update to the malware which throws stealth to the wind in favour of quick and noisy raiding.
The technique marks FastPoS as distinct from rivals that attempt to dump and store cards on local systems before quietly hoovering them off in a bid to extend the time before banks can cancel cards.
FastPoS was first found in March last year and has since been known for receiving pre-Christmas updates to allow it to plunder modern PoS systems.
Trend Micro researchers say the malware is already being used to target small businesses.
“FastPOS was true to its moniker—pilfer data as fast as possible, as much as it can, even at the expense of stealth,” researchers say.
“The samples … are already deployed against small-medium businesses.
“The malware is a reflection of how point of sales threats, though no longer novel, are increasingly used against businesses and their customers.”
The malware samples were captured after an update last month from the author.
The modular malware uses a keylogger and memory scraper to rip credit card numbers directly to command and control servers.
Its author is so unconcerned with detection that the cards fly over the internet in cleartext.
The latest FastPoS edition stores data in Windows temporary RAM files called “mailslots”, allowing speedy exfiltration of stolen cards.
FastPoS is likely one of many similar carding malware variants to receive updates ahead of the annual wallet-emptying season. Large global retailers have hardened systems after the high-profile breaches of Target and Home Depot, but the scores of small and largely unprotected businesses, notably those in the US, remain ripe pickings for carders. ®