# FastPOS: Quick and Easy Credit Card Theft

#### TrendLabs Security Intelligence Blog

 Trend Micro Cyber Safety Solutions Team
 June 2016


-----

## Contents

### Introduction ............................................................................................................1

 Installation .............................................................................................................1

 Information Theft Routines .....................................................................................3

 Data Exfiltration ......................................................................................................4

 Other Research Findings .......................................................................................6

 Affected Countries ............................................................................................... 11

 Conclusion .......................................................................................................... 11

 Appendix ............................................................................................................ 13

TREND MICRO LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice.
The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied
on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise.
Trend Micro reserves the right to modify the contents of this document at any time without prior notice.

Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise
related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the
translation are not binding and have no legal effect for compliance or enforcement purposes.

Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any
kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk.
Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document
shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever
arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this
information constitutes acceptance for use in an “as is” condition.


-----

## Introduction

Regardless of size and industry, an organization or a company can be affected by Point-of-Sale
(PoS) threats. For more than three years, we have monitored and reported PoS threats
[targeting diverse verticals beyond retail; we have seen attacks affecting airports and parking](http://blog.trendmicro.com/trendlabs-security-intelligence/planes-trains-automobiles-are-you-safe-from-pos-malware-anywhere/)
[lots, among others. It is a mainstream threat that has continuously evolved its tactics to expand](http://blog.trendmicro.com/trendlabs-security-intelligence/planes-trains-automobiles-are-you-safe-from-pos-malware-anywhere/)
their target base.

While PoS threats have similarities in terms of techniques, each variant has its own unique
characteristic. Take the case of this newly discovered PoS malware which is notable for its
speed in how the information is stolen and sent back to attackers. We call this malware
FastPOS, due to the said speed and efficiency of its credit card theft capabilities.

In this technical brief, we will cover the infection vectors of FastPOS, its information theft
routines, and its novel way of conducting data exfiltration.

## Installation

Based on the Trend Micro Smart Protection Network data, the operators behind FastPOS used
the following three infection vectors to install this threat:

  - A compromised medical website that serves as a download location

  - A web-based, real-time file sharing service used as download location

  - Direct file transfer via virtual networking computer (VNC); we assume that access to this
is either through stolen credentials or through a brute-force attack

Earlier versions of FastPOS require an administrative account to run the file. A pop-up box
appears if a non-administrative account runs the file:

_Figure 1: pop-up to run the file as administrator_

1


-----

This pop-up box forces the users to manually circumvent the user account control (UAC), built
on Windows Vista® and higher. After running the file with an administrative account, the copies
of the malware are copied to the following locations:

  - %Windows%\system32\winlogon_r.exe (Windows 32-bit)

  - %Windows%\SysWOW64\winlogon_r.exe (Windows 64-bit)

Running the file would result to a pop-up box indicating that the installation has been completed:

_Figure 2: Pop-up box of initial installation_

In the later versions of FastPOS, we observed that the cyber crooks removed the requirement to
run as administrator but preserved the “Installation Complete” pop-up box. This made infection
easier as the end-user is no longer required to be logged on as administrator. Based on the
updated file set that we have, a copy of the malware is placed in the following locations:

  - %ProgramData%\cssrs.exe (Windows Vista® and above)

  - %ALLUSERPROFILE%\cssrs.exe (Windows XP)

The “Installation Complete” pop-up box may be seen as a simple effort to avoid automation or
sandbox execution that could possibly thwart full infection. Real infection, however, would still
require clicking on the said pop-up box in order to pass the control to the newly written file.
Aside from copying the file to the desired location, this threat has other indicators:

  - Creation of the mutex, “uniqyeidclaxemain”

  - Creation of an autorun entry, csrss = {malware path and filename} under
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

After the initial execution, file invoking, and successful installation, this threat connects to a
command-and-control (C&C) server that is predefined in the file itself. The complete list of C&C
servers can be found at the Appendix.

2


-----

## Information theft routines

FastPOS has three separate threads, pertaining to its notable capabilities:

  - Keylogger

  - Main RAM scraper process

(Note: The latest file set avoids several process names: Firefox.exe, Chrome.exe,
Svchost.exe, Dwm.exe, and Skype.exe)

  - Self-updating mechanism

The first two threads, the keylogger and the main RAM scraper process, are for information theft
purposes. We will tackle the third thread in the data exfiltration phase.

In the first thread, FastPOS captures keystrokes and sends back the entire string to the C&C
server once the return key is pressed. Keyloggers often go together with PoS threats as the
former enable the attackers to do reconnaissance and obtain other information aside from the
stolen data from the credit card scrape. Stolen information from keyloggers may also vary
between the products or services purchased and the card security code (unique card code/card
identification number) being asked in some establishments.

FastPOS implements a simple key-logging functionality similar to another PoS threat,
[NewPosThings, in that keylogged data are held in memory with no file written in disk. As such,](http://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/)
this poses challenges to detection and removal of the malware from PoS systems. Although,
such routine may result to some level of network noise, there are relatively few instances of the
return key being used. This is also seen when you compare the normal operations of PoS
terminal to that of a regular workstation.

The main RAM scraping process handled by the second thread and a custom algorithm is
implemented in the following flow:

1. Check field separator ('=' or 'D')
2. Check first digit of the primary account number (aka, primary account number or

PAN) (3,4,5,6)
3. Check expiry year (not later than 2040)
4. Check expiry month (no value above 12)
5. Service code should be 201 or 101 (magnetic stripe card/IC card, PIN not required)
6. Must pass Luhn validation
7. Data after service code should be digits from 0-9 up to 16 characters, and ends with

'?'

3


-----

This process also checks if the number of digits is 16 numbers. The PAN checking indicates
that it allows cards from major players like American Express, Discover, JCB, MasterCard, and
VISA among others. The steps taken by this RAM scraper is quite common, except to one
procedure where it checks the service code. Based on our analysis of one particular sample
(sha1: 01cdb9f7935434df31196660a7542e0b46bcf480), FastPOS looks for a specific service
code 201 or 101, namely:

  - Position 1, value 1: International interchange OK

  - Position 1, value 2: International interchange, use IC (chip) where feasible

  - Position 2, value 0: Normal

  - Position 3, value 1: No Restrictions

_Figure 3: Service code checking_

This filtering ensures that the credit card data that it searches for are international cards
(position 1), unrestricted for authorization (position 2), and does not require a pin (position 3). A
[full list of possible service code combinations can be read here.](https://en.wikipedia.org/wiki/Magnetic_stripe_card)

## Data exfiltration

This RAM scraper has an unusual way of data exfiltration. It does not have any HTTP useragent. Instead of HTTP POST, the HTTP GET verb is used. This implies that a server would
have to do post-processing on their server-side logs. GET method is usually employed to
request data from a specific HTTP resource while POST is for submitting data to the specified
HTTP resource. Analysis of the HTTP responses indicates that a positive HTTP 200 response is
given by the C&C server – meaning that the HTTP GET request is processed correctly.
However, no content is provided back to the client from the server.

4


-----

_Figure 4. HTTP GET request to C&C server_

Furthermore, because of the use of HTTP GET, the requests are cached on the infected
endpoints and remain in web browser history. FastPOS either deletes the URL cache entry to
handle the cached content or when it attempts to update using the third thread for self-update.

Aside from implementing HTTP GET (instead of HTTP POST) on the client-side, the command
and control server does not implement HTTPS to encrypt the traffic. This makes the requests
and responses, including the credit card data, exposed in the network traffic. In turn, this makes
the network traffic easy to spot as it exposes all gathered information from the endpoint in every
HTTP transaction. However, this threat does so in a quick and easy manner, hence the name
FastPOS.

Typically, PoS threats either log data locally or send it out to their respective C&C servers
immediately. In the case of FastPOS, it does not store any scraped information or status logs
locally but sends it to C&C server hard-coded in the malware. It does this using the following
commands/parameters:

key&log=TWND%sKWND%s Used to send the logged keystrokes. First
string is the window title; second string is the
key log
add&log=%s&foundin=%s Used by the RAM Scraper thread during data
exfiltration. First string is the card dump;
second string is the process name.
_Table 1. Commands for sending the stolen information_

It also continuously sends status logs to the C&C server using the parameters listed below:

new&username=%s&computername=%s&os=%s&architecture=%s Registers

new infected
system with
user name,
computer
name, OS
and
architecture
statuslog&log=scanning-%s Indicates
processes
being

5

|key&log=TWND%sKWND%s|Used to send the logged keystrokes. First string is the window title; second string is the key log|
|---|---|
|add&log=%s&foundin=%s|Used by the RAM Scraper thread during data exfiltration. First string is the card dump; second string is the process name.|

|new&username=%s&computername=%s&os=%s&architecture=%s|Registers new infected system with user name, computer name, OS and architecture|
|---|---|
|statuslog&log=scanning-%s|Indicates processes being|


-----

scanned for
credit card
data
update&username=%s Sends when
a software
update is
requested
statuslog&log=CheckedForUpdate Sends after
request for
software
update
statuslog=&log=GetLastError%d Reports
encountered
error with an
error code
_Table 2. Parameters for sending logs_

FastPOS has implemented a functionality that indicates the process name where the credit card
is found. This is usually used to pre-filter if the entry is valid or not. They can also reuse this
later for profiling purposes or for determining the PoS software running on the infected terminal.

## Other research findings

We found interesting hints or clues regarding the perpetrators behind FastPOS and its possible
users. We spotted a forum site which has a code snippet with the exact mutex as FastPOS
when configured to use.

_Figure 5: This forum site has the same mutex name_

The error message (see figure 6) bears semblances to the pop-up box in our sample set.

6

|Col1|scanned for credit card data|
|---|---|
|update&username=%s|Sends when a software update is requested|
|statuslog&log=CheckedForUpdate|Sends after request for software update|
|statuslog=&log=GetLastError%d|Reports encountered error with an error code|


-----

_Figure 6: Pop-up box when the mutex is duplicated_

We surmise that the user who posted in the said forum, inquiring about the keylogger is actually
the creator of FastPOS. There’s a possibility that he is employing the platform and its user base
to refine his code. The said code in question appears like the FastPOS keylogger thread.

_Figure 7: Form post with code details_

The existing sample set of FastPOS communicating back to the C&C server.

_Figure 8: Example of a C&C communication matching exactly the code snippet in Fig 7._

7


-----

Our research also indicated that around January 24-25 of this year, there were advertisements
of a site called SwipeIt[.]pw in some forums with this content.

_Figure 9: SwipeIt[.]pw advertisement_

Ironically, the IP address (5[.]100[.]156[.]107)of SwipeIt[.]pw is actually used as the C&C server
of this threat. Perhaps, the operators behind FastPOS thought it would be simple as to make the
forum as the C&C server where they can also sell their wares.

This forum also provides information about the dumps available for purchase. It also allows the
users to add balance to their accounts, view and filter existing dumps, check the existing credit
card bins, view the FAQ page, and access chat-based technical support page. All transactions
are done in bitcoin only.

8


-----

_Figure 10: Dump selection for purchase at SwipeIT[.]pw_

As of posting, there’s a total of 3,354 credit card numbers for purchase with the following prices:

**Issuing bank location** **Price**
South Korea US $10 - $12
Brazil US$12
United Kingdom US $10 - $12
Japan US $40
France US $25
Philippines US $25
United States US $12
_Table 3. Price range for credit cards up for purchasing in SwipeIT[.]pw_

The site also provides information regarding the current locations these cybercriminals are
looting. Our findings show that the current locations are South Korea, United Kingdom, and
Brazil.

Based on our research findings, here’s a rough timeline of the events related to this.

9

|Issuing bank location|Price|
|---|---|
|South Korea|US $10 - $12|
|Brazil|US$12|
|United Kingdom|US $10 - $12|
|Japan|US $40|
|France|US $25|
|Philippines|US $25|
|United States|US $12|


-----

_Figure 11. Timeline of FastPOS-related events_


10


-----

Although the two domains (aquaspa-oi[.]re and sabebien[.]cl) were registered some time ago,
these were just recently observed with FastPOS.

## Affected countries

Our Smart Protection Network data shows the following countries have FastPOS-related
infections in the last five months.

_Figure 12. Country distribution of FastPOS-related infections_

Trend Micro has observed infections in small to medium-sized businesses (SMBs), as well as
enterprises. We also surmise that the locations which have FastPOS infections are sometimes
the remote offices with open remote VNC access.

## Conclusion

Some of the affected entities of FastPOS are based in locations with open remote VNC access.
In certain instances, these organizations have DSL router as their primary separation between
the terminal (that processes credit card information) and the internet with just port-forward
functionality enabled directly to the terminal itself. This introduces risks to the environment given
that there’s only a thin line separating the terminal and external access. While remote access
allows remote administration, the same channels have always been abused. A similar
methodology has been seen and documented early on with point-of-sale systems infected by
[Backoff with in this advisory from US-CERT almost 2 years ago which, as it stands to show,](https://www.us-cert.gov/ncas/alerts/TA14-212A)
similar methodology are still being used on infections still persist today.

11


-----

Furthermore, based on the design and behavior of FastPOS, it implies that the targeted
terminals have bare internet access with installed endpoint security software as the only line of
defense. While complying with the bare minimum of having anti-malware software on systems, it
is recommended to separate traffic and employ strict access controls on such terminals.
In cases when an endpoint security solution is used to secure systems against PoS threats, it
also best to track and monitor activities within the endpoint. Implementing a context-aware
endpoint security monitor that would speed up the discovery, investigation and response to
[security incidents may be desired such as Trend Micro Endpoint Sensor.](http://www.trendmicro.com/us/enterprise/security-risk-management/deep-discovery/#endpoint-protection)

_Figure 13. Visual representation of the infection via Trend Micro Endpoint Sensor_

[Businesses should also consider another approach, such as implementing endpoint application](http://www.trendmicro.com/us/enterprise/product-security/endpoint-application-control/pos-system-security/app-whitelisting/index.html)
[control or whitelisting technology that reduces attack exposure by ensuring only updates](http://www.trendmicro.com/us/enterprise/product-security/endpoint-application-control/pos-system-security/app-whitelisting/index.html)
associated with whitelisted applications can be installed. Endpoint solutions such Trend
[Micro™ Security, Trend Micro™ Smart Protection Suites, and Trend Micro Worry-](http://www.trendmicro.com/us/home/products/software/index.html)
[Free™ Business Security can protect users systems have features that can help in combatting](http://www.trendmicro.com/us/small-business/product-security/)
PoS threats such as FastPOS.

12


-----

8292de8a2f7d5fc288b734a78868e8a18453581d 9/27/2015

4:08
b56465347f234b9ddf07d153a9b493d0ffe54ae2 9/27/2015

TSPY_FASTPOS.SMZTDA 7:17

9526438e93621a44325163c4dda22b142c7721dc 10/21/2015
21:58
7efc1618b74f1110d0481b434086dd08f2e75211 1/4/2016
19:53
f4074fddcd9491b72b94908a813564754f68f4ed 1/21/2016
9:38
9e7a22bfed0bc9f88673f204bbcf9d4b1dc1ab21 1/23/2016
21:29
a5384a2a6f3099912f3c6e5f6646c07ad7b3963b 2/22/2016
15:49
f3fe5173600ee853fe01eb8d82a36230ef5068f9 3/5/2016
16:48
7c29a9822c6f498b2b4e632f5fcbb4b7daa25a7a 3/5/2016
16:49
01cdb9f7935434df31196660a7542e0b46bcf480 3/11/2016
18:26
299fabbeaa110f7e817d81861d8edc7ff19a2415 3/13/2016
9:42

## List of C&C servers:

  - hxxp://paseovalantiacom[.]com/cdosys.php?comdlg64=

  - hxxp://blank.pw/Neo/cdosys[.]php?comdlg64=statuslog

  - hxxp://103[.]195[.]185[.]94/berg/cdosys.php?comdlg64=

  - hxxp://103[.]195[.]185[.]94/legacy/cdosys.php?comdlg64=

  - hxxp://148[.]251[.]8[.]173/data/cdosys.php?comdlg64=

  - hxxp://sabebien[.]cl/data/cdosys.php?comdlg64=

  - hxxp://aquaspa-oi[.]re/data/cdosys.php?comdlg64=

13

|Appendix: Example Indicators of|Compromise|Col3|
|---|---|---|
|SHA1|Detection|Compile Time (GMT + 0)|
|8292de8a2f7d5fc288b734a78868e8a18453581d|TSPY_FASTPOS.SMZTDA|9/27/2015 4:08|
|b56465347f234b9ddf07d153a9b493d0ffe54ae2||9/27/2015 7:17|
|9526438e93621a44325163c4dda22b142c7721dc||10/21/2015 21:58|
|7efc1618b74f1110d0481b434086dd08f2e75211||1/4/2016 19:53|
|f4074fddcd9491b72b94908a813564754f68f4ed||1/21/2016 9:38|
|9e7a22bfed0bc9f88673f204bbcf9d4b1dc1ab21||1/23/2016 21:29|
|a5384a2a6f3099912f3c6e5f6646c07ad7b3963b||2/22/2016 15:49|
|f3fe5173600ee853fe01eb8d82a36230ef5068f9||3/5/2016 16:48|
|7c29a9822c6f498b2b4e632f5fcbb4b7daa25a7a||3/5/2016 16:49|
|01cdb9f7935434df31196660a7542e0b46bcf480||3/11/2016 18:26|
|299fabbeaa110f7e817d81861d8edc7ff19a2415||3/13/2016 9:42|


-----

  - hxxp://5[.]100[.]156[.]107/star/cdosys.php?comdlg64=

  - hxxp://8[.]100[.]156[.]107/star/cdosys.php?comdlg64=

## YARA Rule:

rule PoS_Malware_fastpos : FastPOS
{
meta:
author = "Trend Micro, Inc."
date = "2016-05-18"
description = "Used to detect FastPOS keyloggger + scraper"
sample_filetype = "exe"
strings:
$string1 = "uniqyeidclaxemain"
$string2 = "http://%s/cdosys.php"
$string3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
$string4 = "\\The Hook\\Release\\The Hook.pdb" nocase
condition:
all of ($string*)
}


14


-----

Trend Micro Incorporated, a global leader in security software, strives to make the
world safe for exchanging digital information. Our innovative solutions for consumers,
businesses and governments provide layered content security to protect information
on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions
are powered by cloud-based global threat intelligence, the Trend Micro™ Smart
Protection Network™, and are supported by over 1,200 threat experts around the
globe. For more information, visit www.trendmicro.com.

©2016 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend
Micro t-ball logo are trademarks or registered trademarks of Trend Micro,
Incorporated. All other product or company names may be trademarks or registered
trademarks of their owners.


10101 N. De Anza Blvd.
Cupertino, CA 95014

U.S. toll free: 1 +800.228.5651
Phone: 1 +408.257.1500
Fax: 1 +408.257.2003


-----