Dozens of U.S. retailers impacted in global POS malware campaign

A worldwide point-of-sale (POS) malware operation involving a relatively new trojan – called ChewBacca, after the popular Star Wars character – has impacted dozens of retailers in the U.S., according to RSA researchers.

The experts with RSA uncovered the server infrastructure used in the campaign and learned that the ChewBacca trojan has been stealing track 1 and track 2 data of payment cards since Oct. 25, 2013, according to a post by Yotam Gottesman, senior security researcher with the RSA FirstWatch team.

How malicious parties are infecting POS systems is still unclear.

“At this time we're still investigating possible threat vectors used for deployment of ChewBacca to vulnerable systems,” Will Gragido, senior manager of the RSA FirstWatch team, told SCMagazine.com on Friday.

Although the majority of impacted retailers are based out of the U.S., the campaign has impacted retailers in several other countries, including Russia, Canada and Australia, according to the post, which adds that the real IP address of the command-and-control server is masked because communications are being handled through the Tor network.

Gragido said he could not disclose the names of impacted retailers, but he explained that it is a mixture of small and medium-sized victims. RSA has taken measures to notify credit card issuers and is in the process of notifying victims, Gragido added.

In the post, Gottesman wrote that there are only so many choices when defending against these types of attacks. Businesses can invest in more staff for monitoring purposes, to detect and stop attackers, or entities can encrypt data so it is not in plaintext on the network, he said.

“Businesses will have to treat their POS systems as though they were extensions of their enterprise environments and secure them in a manner that is commensurate with their enterprises,” Gragido said. “The goal should be to provide hardened systems that are still highly functional.”

The ChewBacca trojan – which steals data using a basic keylogger and a memory scanner – runs automatically on Windows startup, according to the post, which adds that deleting the malware and rebooting the system should remove the threat.
