The author of FastPOS PoS malware pleads guilty

Pierluigi Paganini August 01, 2020

A 30-year-old Moldovan man pleaded guilty this week for creating the FastPOS malware that infected PoS systems worldwide.

The Moldovan citizen Valerian Chiochiu (30), aka Onassis, pleaded guilty on Friday for creating the infamous FastPOS Point-of-Sale (POS) malware.

Chiochiu was a member of the Infraud global cybercrime organization involved in stealing and selling credit card and personal identity data.

According to the DoJ, the activities of the ring tracked as ‘Infraud Organization’, caused $530 million in losses. The group is active since 2010, when it created in Ukraine by Svyatoslav Bondarenko.

The platform offered a privileged aggregator for criminals (10,901 approved “members” in early 2017) that allowed to buy and sell payment card and personal data.

The Infraud Organization used a number of websites to commercialize the data, it implemented a classic and efficient e-commerce for the stolen card and personal data, implementing also a rating and feedback system and an escrow” service for payments in digital currencies like Bitcoin.

The main website was a crime forum that was founded in 2010, it first operated at infraud.cc and infraud.ws.

Chiochiu sold the FastPOS malware on the forum, it first appeared in the threat landscape since 2016.

The malware was first spotted by experts at Trend Micro, it was dubbed FastPOS because of its ability to quickly exfiltrate harvested data.

FastPOS PoS malware has a modular structure that includes a memory scraper component and a Key Logger.

The components FastPOS’s new version is sporting are:

  • Serv32.exe – creates and monitors a mailslot and sends its contents to the C&C server
  • Kl32.exe – keylogger component (32-bit)
  • Kl64.exe – keylogger component (64-bit)
  • Proc32.exe – RAM scraper (32-bit)
  • Proc64.exe – RAM scraper (64-bit)
fastpos-malware-2

When card data are captured on the infected system they are not locally stored, but they are directly transferred to command and control servers in clear text.

The malware was used by threat actors to target both enterprises and SMBs in several countries across the world, including the United States, Brazil, France, Japan, Hong Kong, and Taiwan.

The FastPOS malware was usually served via compromised websites, via VNC access using stolen credentials or brute-force attacks, or through a file-sharing service.

In February 2018, the US authorities dismantled the Infraud Organization and Chiochiu stopped his activity. At the time, the Justice Department announced indictments for 36 people charged with being part of the crime ring.

At the end of June, Sergey Medvedev (aka “Stells”), one of the two Infraud administrators, pleaded guilty for his role in the crime organization.

Chiochiu will be sentenced on December 11.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FastPOS)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment