Dozens of U.S. retailers impacted in global POS malware campaign

A worldwide point-of-sale (POS) malware operation involving a relatively new trojan – called ChewBacca, after the popular Star Wars character – has impacted dozens of retailers in the U.S., according to RSA researchers.

The experts with RSA uncovered the server infrastructure used in the campaign and learned that the ChewBacca trojan has been stealing track 1 and track 2 data of payment cards since Oct. 25, 2013, according to a post by Yotam Gottesman, senior security researcher with RSA FirstWatch team.

How malicious parties are infecting POS systems is still unclear.

“At this time we're still investigating possible threat vectors used for deployment of ChewBacca to vulnerable systems,” Will Gragido, senior manager of the RSA FirstWatch team, told on Friday.

Although the majority of impacted retailers are based out of the U.S., the campaign has impacted retailers in several other countries, including Russia, Canada and Australia, according to the post, which adds that the real IP address of the command-and-control server is masked because communications are being handled through the Tor network.

Gragido said he could not disclose the names of impacted retailers, but he explained that it is a mixture of small and medium-sized victims. RSA has taken measures to notify credit card issuers and is in the process of notifying victims, Gragido added.

In the post, Gottesman wrote that there are only so many choices when defending against these types of attacks. Businesses can invest in more staff for monitoring, to detect and stop attackers, or they can encrypt the data so that it does not travel the network in plaintext, he said.

“Businesses will have to treat their POS systems as though they were extensions of their enterprise environments and secure them in a manner that is commensurate with their enterprises,” Gragido said. “The goal should be to provide hardened systems that are still highly functional.”

The ChewBacca trojan – which steals data using a basic keylogger and a memory scanner – runs automatically on Windows startup, according to the post, which adds that deleting the malware and rebooting the system should remove the threat.
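The detection side of this, as an added example that is not code from RSA's post: a small Python scanner that flags plaintext ISO 7813 track 1 and track 2 records in captured payloads (the data the trojan harvests and that Gottesman says should not cross the network unencrypted), with a Luhn check to cut false positives and PAN masking so the alert itself does not leak card numbers. The sample payloads and the test PAN are constructed.

```python
import re

# ISO 7813 track layouts as they appear in plaintext:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; random digit runs rarely pass it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so the alert does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(payload: str) -> list:
    """Return (track, masked_pan, expiry) for each plaintext track record found."""
    hits = []
    for m in TRACK1_RE.finditer(payload):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append(("track1", mask_pan(pan), m.group(3)))
    for m in TRACK2_RE.finditer(payload):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append(("track2", mask_pan(pan), m.group(2)))
    return hits


# Constructed samples: a leak using a well-known test PAN that passes Luhn,
# and a benign request whose 16-digit SKU happens to look like a track record.
SAMPLE_LEAK = "POST /upload ;4111111111111111=25121011234567890?%B4111111111111111^DOE/JOHN^2512101123?"
SAMPLE_CLEAN = "GET /inventory?sku=1234567890123456 ;1234567890123456=25121011?"

if __name__ == "__main__":
    for name, sample in (("leak", SAMPLE_LEAK), ("clean", SAMPLE_CLEAN)):
        print(name, find_track_data(sample))
```

Run over egress captures or proxy logs from the POS segment, a hit on any payload that is not the encrypted payment channel is the signal worth investigating.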
