New POS Malware Attacks Abandon Stealth

Professionally written-malware is rarely unsubtle. Long, slow and stealthy attacks are generally the rule—but a rogue malware author has decided to break that rule by going fast and loud. What’s more, this approach is actually finding a great deal of success, which should have retailers worried in the lead up to the holiday season. How is it that this ruthless smash-and-grab approach is working? The short answer: signature-based endpoint protection products are still too weak.

How Does the Smash-and-Grab Approach Differ from Other PoS Malware Attacks?

First, some background. The malware in question is known as FastPoS. It’s modular, meaning that its creator can quickly add or subtract components that change its behavior—while making it harder for traditional endpoint protection to spot. In this instance, the author has uploaded a module that logs the keystrokes of anyone using the infected PoS terminal, as well as a scraper that can detect credit card numbers in RAM. As soon as a number is detected, the malware immediately sends the number out to its command and control servers—without even bothering to encrypt them.

Why should retailers worry about this rip-and-run approach to hacking? First of all, some context. The biggest cyberattacks that you’ve ever heard of (that didn’t involve DDoS) are usually the product of a long, slow, high-effort process, dedicated to maximum stealth. Here are just a few examples:

  • Attackers in the case of the OPM hack and the DNC breach both lingered in their targets’ systems for around a year before being detected.
  • During the Target POS malware attack (which also employed a RAM scraper), security professionals were unaware of their data theft until they literally discovered their customers’ credit cards being sold on the internet.
  • Let’s also not forget about the LinkedIn breach, where researchers discovered seventeen million additional stolen records being sold, four years after the initial incident.

In every case, the attackers took immense pains. They paced themselves—because it was necessary. The incidents referenced all concern massive government agencies, social media networks, and retailers, who actually invested a great deal in their own protection. The secret to the success of this new PoS malware attack is that it’s going after smaller businesses instead.

For Malware Authors, Small Businesses are Rich Targets

If the FastPoS malware author wasn’t going after small businesses, their tactics would make zero sense. Larger businesses tend to invest in multiple countermeasures. For example, they would probably invest in more advanced endpoint protection—but that’s not the only thing that would protect them.

Enterprise-level SIEM software would be able to detect an unauthorized outbound port. Their DLP software would detect unencrypted credit card numbers being copied and exfiltrated. For larger companies, the only way FastPoS could be more obvious is if it printed “THERE’S MALWARE HERE” across the screen of every infected terminal.

Small businesses are categorically less likely to have these protections, however, and therein lies the problem. Smaller companies are much more likely to use run-of-the mill signature-based endpoint protection, which we already know has a horrendous track record against other kinds of PoS malware attacks. In short, attackers using FastPoS will be able to steal from SMBs with near-impunity—just in time for the holiday rush.

More and more, we see hackers using SMBs like piggy banks. Ransomware, it appears, was the early adopter of this strategy. With FastPoS, we see conventional malware authors following suit. Fortunately, there’s an advanced endpoint protection solution that puts reliable mitigation in reach of even the smallest company. For more information on SentinelOne, and how our advanced behavioral detection platform ensures even the stealthiest malware can’t hide, contact us today.