Dozens of U.S. retailers impacted in global POS malware campaign

A worldwide point-of-sale (POS) malware operation involving a relatively new trojan – called ChewBacca, after the popular Star Wars character – has impacted dozens of retailers in the U.S., according to RSA researchers.

The RSA researchers uncovered the server infrastructure used in the campaign and learned that the ChewBacca trojan has been stealing track 1 and track 2 data from payment cards since Oct. 25, 2013, according to a post by Yotam Gottesman, senior security researcher with the RSA FirstWatch team.

How malicious parties are infecting POS systems is still unclear.

“At this time we're still investigating possible threat vectors used for deployment of ChewBacca to vulnerable systems,” Will Gragido, senior manager of the RSA FirstWatch team, said on Friday.

Although the majority of impacted retailers are based in the U.S., the campaign has also impacted retailers in several other countries, including Russia, Canada and Australia, according to the post, which adds that the real IP address of the command-and-control server is masked because communications are handled through the Tor network.

Gragido said he could not disclose the names of impacted retailers, but he explained that it is a mixture of small and medium-sized victims. RSA has taken measures to notify credit card issuers and is in the process of notifying victims, Gragido added.

In the post, Gottesman wrote that there are only so many choices when defending against these types of attacks. Businesses can invest in more staff for monitoring, to detect and stop attackers, or they can encrypt the card data so that it does not travel across the network in plaintext, he said.

“Businesses will have to treat their POS systems as though they were extensions of their enterprise environments and secure them in a manner that is commensurate with their enterprises,” Gragido said. “The goal should be to provide hardened systems that are still highly functional.”

The ChewBacca trojan – which steals data using a basic keylogger and a memory scanner – runs automatically on Windows startup, according to the post, which adds that deleting the malware and rebooting the system should remove the threat.
