Categories: Workspace

Retailers Hit By ‘ChewBacca’ Malware

A criminal group has used custom-built malicious software, named “ChewBacca”, to infect systems at more than 45 retailers and steal their customers’ credit- and debit-card details, according to an analysis published by security firm RSA.

Once installed, the ChewBacca malware monitors the memory of running processes and checks for data that matches the format of credit and debit cards. The software, also known as a RAM scraper, is similar, but not identical, to the one used in the attacks that stole 40 million payment-card accounts from Target and more than a million accounts from Neiman Marcus, Uri Fleyder, cyber-crime research lab manager at RSA, told eWEEK.

Point-of-sale keylogger

“It is a keylogger, but, besides being that, it is also targeting POS (point-of-sale) terminals,” he said. “We reverse engineered the malware and found that it was searching for credit-card numbers.”

The attacks on Target and Neiman Marcus have highlighted the danger of malware that targets point-of-sale systems. While payment card details are encrypted when stored and being communicated, the information is decrypted in the POS terminal’s memory, giving programs that can access that memory a perfect way to bypass the security surrounding the card numbers.

The attacks on retailers using ChewBacca appear to date back to October 2013, according to RSA’s analysis.

The malware appears to be used by a single group, likely based in the Ukraine, that has targeted retailers for their lax security, he said. While POS systems are typically dedicated to processing payments at retailers, they are – in all other ways – standard computers, usually running an outdated operating system, such as Windows XP.

“Those terminals are practically unprotected,” Fleyder said. “I don’t know why but the retailers do not pay much attention to their point-of-sale terminals.”

The ChewBacca malware was first mentioned in a blog post by security firm Kaspersky Lab, who analysed the malware and discovered that it used the TOR network to mask its traffic. The TOR network is a peer-to-peer network designed to anonymise communications and enhance privacy. In September 2013, the Mevade botnet began using the Tor network to obfuscate its communications, causing a massive spike in traffic on the network.

Retailers infected

The ChewBacca malware lacks sophistication and has no defensive measures to help it hide from reverse engineers, but it was still able to infect a large number of retailers, RSA’s Fleyder said. In its analysis, the company stressed that retailers, who lack security expertise, have a hard time defending against cyber-attacks.

“They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers – (such as) comprehensive monitoring and incident response – or they can encrypt or tokenise data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors,” the company stated.

Are you a security pro? Try our quiz!

Originally published on eWeek.

Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek

Recent Posts

Amazon Alexa Recovers After Morning Outage

Alexa wake up alarm didn't work this morning? Smart lights didn't turn on? Outage of…

23 hours ago

UK, Australia Reach Cyber, Critical Tech Agreement

Australia says it will 'fight back' against nation state cyberattacks, after agreements with the UK…

24 hours ago

Italian Regulator Recalculates Apple, Amazon Fines

Italian regulator admits it has redetermined the fines against Apple and Amazon, over the sale…

2 days ago

Red Cross ‘Appalled’ As Hackers Steal Humanitarian Data Of 515,000 People

A new low. International Committee of the Red Cross shuts down reunification system, after hackers…

2 days ago

Russia Proposes Ban On Cryptocurrencies, Crypto Mining

Russia's central bank has this week proposed the banning on the use and mining of…

2 days ago