With all the focus on ransomware so far in 2016, you could be forgiven for thinking that not much else is happening in the world of online crime. Don’t be too hasty, though: while there is a massive uptick in criminal interest, innovation and investment in ransomware, other profitable forms of cybercrime are certainly not slipping.
Point of Sale malware, designed to lift bank card details (and other information too) from payment terminals around the world, continues to evolve and to propagate.
In February of this year researchers at Trend Micro noted the evolution of FighterPOS, a Point of Sale malware family that first emerged in Brazil in April 2015. Two new and “improved” versions, Floki Intruder and TSPY_POSFIGHT.F, have surfaced with extended feature sets and an extended victim population. Perhaps the most alarming new feature is the worm routine built into Floki Intruder, which enumerates logical drives and drops copies of itself, along with an accompanying autorun.inf, using WMI tools. This means that the new FighterPOS can spread through the network and infect any reachable PoS terminal with very little effort. It also means, of course, that as long as one infected terminal remains in a network, clean-up can be very problematic: a freshly reimaged terminal can simply be reinfected by a neighbour. Aside from that, the new version also disables the default Windows firewall and security features along with User Account Control (UAC) to solidify its hold on a machine. Whoever is developing this newer version is also breaking out of the historical Brazilian hunting ground, as FighterPOS has begun targeting victims in the United States too. TSPY_POSFIGHT.F appears to be a lightweight version built from the same codebase as Floki Intruder and FighterPOS.
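The practical check that follows from the paragraph above is whether the protections Floki Intruder switches off are actually still on, and whether a dropped autorun.inf would be honoured at all. The script below is an added example written for this article, not Trend Micro code or anything recovered from the malware. It reads the standard Windows policy values for UAC (EnableLUA), the three Windows Firewall profiles (EnableFirewall) and the Explorer AutoRun policy (NoDriveTypeAutoRun), and decodes the AutoRun bitmask so that the removable, fixed and network drive types the worm writes to are all checked. The registry paths are the standard Windows locations; the two snapshots at the bottom are constructed so the logic can run on a non-Windows analysis box.

```python
"""Posture check for the Windows protections the text says Floki Intruder
switches off (Windows Firewall, User Account Control) plus the AutoRun policy
that decides whether a dropped autorun.inf is honoured at all.
Added example for this article, not Trend Micro code. Registry locations are
the standard Windows policy keys; the sample snapshots below are constructed."""
import sys

UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
EXPLORER_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
FIREWALL_BASE = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
FIREWALL_PROFILES = ("DomainProfile", "StandardProfile", "PublicProfile")

# NoDriveTypeAutoRun is a bitmask; each bit is a DRIVE_* type from winbase.h.
# The worm writes autorun.inf to every logical drive it can reach, so the
# removable, fixed and network-drive bits all need to be set.
DRIVE_REMOVABLE, DRIVE_FIXED, DRIVE_REMOTE = 0x04, 0x08, 0x10
REQUIRED_AUTORUN_BITS = DRIVE_REMOVABLE | DRIVE_FIXED | DRIVE_REMOTE
WINDOWS_DEFAULT_AUTORUN = 0x91  # value Explorer assumes when no policy is set
HARDENED_AUTORUN = 0xFF         # disable AutoRun for every drive type

CHECKED_VALUES = [(UAC_KEY, "EnableLUA"), (EXPLORER_POLICY_KEY, "NoDriveTypeAutoRun")] + \
    [(f"{FIREWALL_BASE}\\{p}", "EnableFirewall") for p in FIREWALL_PROFILES]


def assess(snapshot):
    """snapshot maps (key_path, value_name) -> DWORD, or None when absent.
    Returns a list of human-readable findings; an empty list means hardened."""
    findings = []
    if snapshot.get((UAC_KEY, "EnableLUA")) != 1:
        findings.append("UAC is disabled (EnableLUA != 1)")
    for profile in FIREWALL_PROFILES:
        if snapshot.get((f"{FIREWALL_BASE}\\{profile}", "EnableFirewall")) != 1:
            findings.append(f"Windows Firewall is off for {profile}")
    mask = snapshot.get((EXPLORER_POLICY_KEY, "NoDriveTypeAutoRun"))
    if mask is None:
        mask = WINDOWS_DEFAULT_AUTORUN
    still_enabled = REQUIRED_AUTORUN_BITS & ~mask   # required bits not set
    if still_enabled:
        findings.append(
            f"AutoRun still honoured for drive-type bits {still_enabled:#04x}; "
            f"set NoDriveTypeAutoRun to {HARDENED_AUTORUN:#x}")
    return findings


def read_live_snapshot():
    """Read the checked values from HKLM on the local machine (Windows only)."""
    import winreg  # standard library, present only on Windows builds of Python
    snapshot = {}
    for key_path, name in CHECKED_VALUES:
        subkey = key_path.split("\\", 1)[1]  # strip the HKLM\ prefix
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
                snapshot[(key_path, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            snapshot[(key_path, name)] = None
    return snapshot


# Constructed snapshots: a hardened terminal, and one that looks as if the
# Floki Intruder routine has run (UAC off, firewall off, no AutoRun policy).
HARDENED_SNAPSHOT = {(k, n): 1 for k, n in CHECKED_VALUES}
HARDENED_SNAPSHOT[(EXPLORER_POLICY_KEY, "NoDriveTypeAutoRun")] = HARDENED_AUTORUN
TAMPERED_SNAPSHOT = {(k, n): 0 for k, n in CHECKED_VALUES}
TAMPERED_SNAPSHOT[(EXPLORER_POLICY_KEY, "NoDriveTypeAutoRun")] = None

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else TAMPERED_SNAPSHOT
    for finding in assess(snap) or ["no findings"]:
        print(finding)
```

Run it on a terminal and an empty result is what you want. Note that the Windows default for NoDriveTypeAutoRun (0x91) leaves fixed and removable drives uncovered, which is why the check treats an absent policy value as a finding rather than as "default, therefore fine".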
Later in the year, June saw our first analysis of FastPOS, so named because it represents the “smash and grab” approach to PoS malware. FastPOS includes routines for both keystroke logging and RAM scraping to capture sensitive information and payment card details. The standout difference from other PoS malware is that the stolen data is not written to disk or staged on an intermediate dump server; instead it is transmitted to the criminal immediately, as soon as the ‘Enter’ key is pressed on the infected terminal. Transmission is by means of an HTTP GET request, perhaps in an attempt to blend in with the ordinary web browser traffic on the victim network, invisible to all but the most specific searches. For defenders this also means there is no dump file on disk to find; the evidence lives in the network traffic.
Another unusual feature of FastPOS is its validation of the credit and debit card details it steals. One aspect of card data, unseen by cardholders but processed by a PoS terminal, is the Service Code, a three-digit field in the magnetic-stripe track data which dictates how and where a card may be used: for example whether it may be used internationally, whether it can be used to withdraw cash, and whether a PIN is required. FastPOS interrogates this Service Code, being sure to keep only cards which are good for international use and where use of the chip (if it is present) is not mandatory.
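The two FastPOS paragraphs above describe the exfiltration channel (card data inside HTTP GET requests) and the service-code filter. The script below is an added example written for this article, not Trend Micro code and not recovered from the sample. It parses Track 2 data, decodes all three service-code digits per ISO/IEC 7813 (going beyond the single property the text mentions), and scans access-log lines for GET requests whose decoded query string carries Luhn-valid track data, the kind of search that would catch the traffic the text describes. Two assumptions to be clear about: the /gate.php path, the log lines and the PANs (standard test numbers) are constructed, and `matches_described_filter` is my mapping of the text's words ("good for international use", "chip not mandatory") onto the service code's first digit, not a claim about the exact comparison in the malware.

```python
"""Track 2 parser and service-code decoder, used to (a) show what the
service-code filter the text describes selects on and (b) flag card track data
leaving the network inside HTTP GET query strings, the exfiltration channel the
text attributes to FastPOS. Added example for this article, not Trend Micro
code. Service-code meanings follow ISO/IEC 7813; the log lines, URL path and
PANs (standard test numbers) are constructed."""
import re
from urllib.parse import unquote, urlsplit

# Track 2 layout: ;PAN=YYMM SSS discretionary ?  (start sentinel, field separator,
# expiry, 3-digit service code, issuer discretionary data, end sentinel)
TRACK2_RE = re.compile(r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??")
GET_RE = re.compile(r'"GET (?P<url>\S+) HTTP/1\.[01]"')


def luhn_ok(pan):
    """Reject random digit runs: every real PAN satisfies the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_service_code(svc):
    """ISO/IEC 7813 service code: digit 1 interchange and technology,
    digit 2 authorisation processing, digit 3 allowed services and PIN."""
    d1, d2, d3 = svc
    interchange = {"1": "international", "2": "international",
                   "5": "national", "6": "national",
                   "7": "private", "9": "test"}.get(d1, "unknown")
    return {
        "interchange": interchange,
        "chip_preferred": d1 in "26",   # "use IC (chip) where feasible"
        "online_auth": d2 in "24",      # issuer must be contacted online
        "pin_required": d3 in "035",
        "pin_where_feasible": d3 in "67",
        "cash_allowed": d3 in "01346",  # 2, 5 and 7 are goods-and-services only
    }


def matches_described_filter(svc):
    """The selection the text describes: usable internationally, chip not
    mandated. My reading of that description against digit 1 (assumption)."""
    info = decode_service_code(svc)
    return info["interchange"] == "international" and not info["chip_preferred"]


def mask_pan(pan):
    """Keep BIN and last four so the hit is actionable without storing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2_in_get_requests(log_lines):
    """Scan access-log lines for GET requests whose percent-decoded query string
    carries Luhn-valid Track 2 data. Returns one dict per hit, PAN masked."""
    hits = []
    for line in log_lines:
        m = GET_RE.search(line)
        if not m:
            continue
        decoded_query = unquote(urlsplit(m.group("url")).query)
        for t in TRACK2_RE.finditer(decoded_query):
            if not luhn_ok(t.group("pan")):
                continue                # digit run that is not a card number
            hits.append({
                "pan": mask_pan(t.group("pan")),
                "expiry": t.group("exp"),
                "service_code": t.group("svc"),
                "fastpos_would_keep": matches_described_filter(t.group("svc")),
                "line": line,
            })
    return hits


# Constructed access-log lines. /gate.php is a made-up path; 4111... and
# 5555... are standard test PANs; 4111...1112 fails Luhn on purpose.
SAMPLE_LOG = [
    '10.0.0.21 - - [14/Jun/2016:10:02:13 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.21 - - [14/Jun/2016:10:02:14 +0000] "GET /gate.php?d=%3B4111111111111111%3D1812101123456789%3F HTTP/1.1" 200 0',
    '10.0.0.22 - - [14/Jun/2016:10:02:15 +0000] "GET /gate.php?d=%3B5555555555554444%3D1812201000000000%3F HTTP/1.1" 200 0',
    '10.0.0.22 - - [14/Jun/2016:10:02:16 +0000] "GET /search?q=4111111111111112%3D1812101 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in find_track2_in_get_requests(SAMPLE_LOG):
        print(hit["pan"], hit["expiry"], hit["service_code"],
              "keep" if hit["fastpos_would_keep"] else "skip")
```

Against the constructed log the scanner reports the two valid cards and drops the fourth line, whose PAN fails Luhn. Of the two, service code 101 satisfies the described filter and 201 (international, chip preferred) does not. Running this over proxy or egress logs from a PoS segment, where terminals should generate very little browsing, is a cheap way to look for the traffic pattern the text describes; the point of the Luhn gate is to keep long numeric GET parameters from drowning the result.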
FastPOS appears to be designed specifically for networks without a large footprint, perhaps for small businesses and sole traders whose usual internet access point is a simple DSL modem on a very small local network.
Against both these families, multiple protection techniques are possible, with endpoint application control being perhaps the most appropriate in a PoS environment. Application control whitelists only those applications which are allowed to run on each endpoint and blocks anything else from installing or executing, which stops a dropped worm copy or a RAM scraper before it ever runs. If your PoS terminals are in a larger-footprint environment, then network-based breach detection and sandboxing are also appropriate and viable technologies.