'ChewBacca' POS malware uncovered in the wild

RSA researchers have uncovered a new point-of-sale malware operation emanating from Eastern Europe that has succeeded in scraping payment card data from small retailers in 11 countries.


While most of the infection activity has occurred in the US, the malware - dubbed ChewBacca - has also been spotted in the wild in 10 other countries, including Russia, Canada and Australia. RSA researchers discovered that, beginning 25 October, ChewBacca had logged track 1 and track 2 data from almost 50,000 payment cards scraped from infected POS systems.

RSA says it has been in contact with victim companies and the FBI to shut down the command-and-control server logging the data and to share key forensics data.

The ChewBacca Trojan features simple keylogging and memory-scraping functionality: it searches memory for patterns (regular expressions) that match card magnetic-stripe track data. When a card number is found, it is extracted and logged by the server.

RSA's findings come as US retailer Target said that the recent breach of its POS platform that lifted details of over 100 million cardholders may have occurred through the use of a vendor's stolen credentials. Two other major US retailers - Neiman Marcus and Michaels - have also seen their POS systems attacked using similar malware engineering techniques.

Target may be on the receiving end of $1 billion in breach fines levied by the Payment Card Industry Security Standards Council, according to an analyst note from Jefferies.

"Retailers have a few choices against these attackers," says Yotam Gottesman, a senior security researcher at RSA's FirstWatch team. "They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers via comprehensive monitoring and incident response, or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors."
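The two points above, the scraper hunting for track-data patterns in memory and the advice to encrypt or tokenise at the point of capture, can be checked from the defender's side with the same pattern matching. The following is an added example, not RSA's or the malware's code, of a PCI-scoping check that scans an arbitrary byte buffer (a process memory dump, a captured network payload) for plaintext track 1 or track 2 records, keeps only Luhn-valid PANs, and masks them before reporting; the regular expressions and the sample buffer are constructed for this example.

```python
import re

# Constructed patterns for the ISO 7813 track layouts the scraper is reported to hunt for.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^(\d{4})(\d{3})[^?]{0,40}\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]{0,30}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits only, so a finding can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_plaintext_track_data(buf: bytes) -> list[dict]:
    """One record per plausible plaintext track in an arbitrary byte buffer
    (a process memory dump, a pcap payload). latin-1 decoding never fails on
    binary input; the PAN is masked before it is returned."""
    text = buf.decode("latin-1")
    findings = []
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            pan, expiry, service = m.group(1), m.group(2), m.group(3)
            if luhn_ok(pan):
                findings.append({"track": track, "pan": mask_pan(pan),
                                 "expiry": expiry, "service_code": service,
                                 "offset": m.start()})
    return findings


# Constructed sample: a plaintext track 2 swipe, a tokenised record as a terminal
# encrypting at the point of capture would emit (nothing to find), a digit run with
# a bad Luhn checksum (must not be reported), and a plaintext track 1 record.
SAMPLE = (b"\x00\x00;4111111111111111=2512101123456789?\x00"
          b"TOKEN:tok_4c9f3e21a0b7\x00;9999999999999999=2512101?"
          b"%B4111111111111111^DOE/JANE^2512101000000?\x00")
```

Running `find_plaintext_track_data(SAMPLE)` reports the two plaintext records with masked PANs and ignores the token and the invalid digit run; a buffer from a terminal that tokenises at capture should yield an empty list.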


Comments: (1)

A Finextra member

So card issuers and payment processors have to be PCI compliant but retailers and their POS providers don't?
