Tor-Based Malware ChewBacca Used to Steal Card Data from POS Systems

ChewBacca malware used to steal payment card data from retailers

BlackPOS and Dexter are not the only pieces of malware used by cybercriminals to steal payment card data from point-of-sale (POS) systems. RSA researchers have found that the recently discovered ChewBacca Trojan is also used for similar operations.

ChewBacca’s existence was first brought to light in December 2013 by Kaspersky researchers. The information-stealing Trojan wasn’t being offered on public forums. It has attracted the attention of security experts because it uses the Tor network to hide its communications.

RSA says that the malware has been used to log track 1 and track 2 data from infected POS systems since October 25.

The company says that the Trojan has been leveraged in attacks against dozens of retailers. Most of them are based in the US, but some of them are in Russia, Canada and Australia.

However, RSA’s Will Gragido has told DarkReading that the malware doesn’t appear to be tied to the Target, Neiman Marcus or Michaels hacks. He has revealed that the individuals behind the ChewBacca campaign are most likely from Ukraine.

ChewBacca is not very sophisticated, yet it can be highly efficient when it comes to stealing payment card information from infected devices.

In order to steal card data, the malware includes a memory scanner component aimed at card-processing software. The scanner dumps a copy of the targeted process's memory and searches it for magnetic stripe (track 1 and track 2) data, which it extracts and writes to a log.

“Retailers have a few choices against these attackers,” said RSA FirstWatch Senior Security Researcher Yotam Gottesman.

“They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors.”
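A defensive check in the spirit of Gottesman's second option, added here as an example that is not code from RSA, Kaspersky or the article: it scans a captured buffer (a constructed sample standing in for a process dump or network capture) for plaintext ISO/IEC 7813 track 2 records, using the Luhn check to discard random digit runs, so a retailer can verify that card data is tokenized before it sits in memory or on the wire. The sample contents, the token format and the masking rule are assumptions.

```python
import re

# Track 2 layout (ISO/IEC 7813): [;]PAN=YYMMSSS<discretionary>[?]
# PAN is 13-19 digits; the lookbehind stops a match starting mid-digit-run.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})(\d{3})\d*\??")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: separates real PANs from arbitrary digit strings."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_plaintext_track2(buf: bytes) -> list:
    """Return masked PANs for every Luhn-valid track 2 record in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append(mask_pan(pan))
    return hits


def has_plaintext_card_data(buf: bytes) -> bool:
    """True when tokenization/encryption at capture has evidently failed."""
    return bool(find_plaintext_track2(buf))


# Constructed sample buffer: one Luhn-valid test PAN (a well-known test
# number, not a real card), one digit run that fails Luhn, one tokenized
# record as a properly protected system would emit.
SAMPLE_BUFFER = (
    b"POS trace 2013-10-25 sale\x00"
    b";4111111111111111=2512101000000000000?\x00"
    b";4111111111111112=2512101000000000000?\x00"
    b"card=tok_3f9a1c7e\x00"
)

if __name__ == "__main__":
    for masked in find_plaintext_track2(SAMPLE_BUFFER):
        print("plaintext track 2 data found:", masked)
```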
