Dozens of U.S. retailers impacted in global POS malware campaign

A worldwide point-of-sale (POS) malware operation involving a relatively new trojan – called ChewBacca, after the popular Star Wars character – has impacted dozens of retailers in the U.S., according to RSA researchers.

The experts with RSA uncovered the server infrastructure used in the campaign and learned that the ChewBacca trojan has been stealing track 1 and track 2 data of payment cards since Oct. 25, 2013, according to a post by Yotam Gottesman, senior security researcher with the RSA FirstWatch team.

How malicious parties are infecting POS systems is still unclear.

“At this time we're still investigating possible threat vectors used for deployment of ChewBacca to vulnerable systems,” Will Gragido, senior manager of the RSA FirstWatch team, told SCMagazine.com on Friday.

Although the majority of impacted retailers are based out of the U.S., the campaign has impacted retailers in several other countries, including Russia, Canada and Australia, according to the post, which adds that the real IP address of the command-and-control server is masked because communications are being handled through the Tor network.

Gragido said he could not disclose the names of impacted retailers, but he explained that it is a mixture of small and medium-sized victims. RSA has taken measures to notify credit card issuers and is in the process of notifying victims, Gragido added.

In the post, Gottesman wrote that there are only so many choices when defending against these types of attacks. Businesses can invest in more staff for monitoring purposes, to detect and stop attackers, or entities can encrypt data so it is not in plaintext on the network, he said.

“Businesses will have to treat their POS systems as though they were extensions of their enterprise environments and secure them in a manner that is commensurate with their enterprises,” Gragido said. “The goal should be to provide hardened systems that are still highly functional.”

The ChewBacca trojan – which steals data using a basic keylogger and a memory scanner – runs automatically on Windows startup, according to the post, which adds that deleting the malware and rebooting the system should remove the threat.
