Most point-of-sale (PoS) threats follow a common process: dump, scrape, store, exfiltrate. FastPOS (initially detected by Trend Micro as TSPY_FASTPOS.SMZTDA) was different with the way it removed a middleman and went straight from stealing credit card data to directly exfiltrating them to its command and control (C&C) servers.
FastPOS was true to its moniker—pilfer data as fast as possible, as much as it can, even at the expense of stealth. The malware is a reflection of how PoS threats, though no longer novel, are increasingly used against businesses and their customers. As such, FastPOS’s update does not come as a surprise—in time for the oncoming retail season to boot.
The samples we analyzed were compiled during the second week of September, and feedback from our Smart Protection Network confirmed that they are already deployed against small-medium businesses. FastPOS’s developer also seemed to have wasted no time validating his code by confirming its functionality in a full infection. It only took about a month from when its C&C domain was registered (mid-August) to the launch of its new campaign, making it faster than their previous operation in 2015.