Dozens of U.S. retailers impacted in global POS malware campaign

Share this article:

A worldwide point-of-sale (POS) malware operation involving a relatively new trojan – called ChewBacca, after the popular Star Wars character – has impacted dozens of retailers in the U.S., according to RSA researchers.

The experts with RSA uncovered the server infrastructure used in the campaign and learned that the ChewBacca trojan has been stealing track 1 and track 2 data of payment cards since Oct. 25, 2013, according to a post by Yotam Gottesman, senior security researcher with RSA FirstWatch team.

How malicious parties are infecting POS systems is still unclear.

“At this time we're still investigating possible threat vectors used for deployment of ChewBacca to vulnerable systems,” Will Gragido, senior manager of the RSA FirstWatch team, told SCMagazine.com on Friday.

Although the majority of impacted retailers are based out of the U.S., the campaign has impacted retailers in several other countries, including Russia, Canada and Australia, according to the post, which adds that the real IP address of the command-and-control server is masked because communications are being handled through the Tor network.

Gragido said he could not disclose the names of impacted retailers, but he explained that it is a mixture of small and medium-sized victims. RSA has taken measures to notify credit card issuers and is in the process of notifying victims, Gragido added.

In the post, Gottesman wrote that there are only so many choices when defending against these types of attacks. Businesses can invest in more staff for monitoring purposes, to detect and stop attackers, or entities can encrypt data so it is not in plaintext on the network, he said.

“Businesses will have to treat their POS systems as though they were extensions of their enterprise environments and secure them in a manner that is commensurate with their enterprises,” Gragido said. “The goal should be to provide hardened systems that are still highly functional.”

The ChewBacca trojan – which steals data using a basic keylogger and a memory scanner – runs automatically on Windows startup, according to the post, which adds that deleting the malware and rebooting the system should remove the threat.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Fake Dropbox login page nabs credentials, is hosted on Dropbox

Fake Dropbox login page nabs credentials, is hosted ...

Symantec researchers received a phishing email linking recipients to a fake Dropbox login page that is hosted on Dropbox's user content domain and served over SSL.

Hacker sentenced to 30 months in prison and $300k restitution

Hacker sentenced to 30 months in prison and ...

Lamar Taylor was sentenced in New Jersey this past week for allegedly participating in a cybercrime scheme that accounted for more than $15 million.

Progress on national breach notification law may stall

A bill, which would require a national reporting standard, has failed to make it before the Senate or House this year.