SecurityWeek

RSA Uncovers Infrastructure Behind New Point-of-Sale Attack Operation

Researchers from RSA say they have discovered the server infrastructure behind a point-of-sale (PoS) attack campaign that has infected systems mostly in the United States, but also in 10 other countries including Russia, Canada and Australia.

RSA’s security analysts found that in this particular operation, attackers leveraged the ChewBacca Trojan to steal Track 1 and Track 2 data from payment cards swiped through infected PoS systems dating back to Oct. 25, 2013.

The ChewBacca malware is not new, and it is not used exclusively against PoS systems. While not overly complex, the malware can log keystrokes and scrape a system’s memory. According to RSA, the memory scanner dumps a copy of a running process’s memory and searches it for payment card data; if a card number is found, it is extracted and logged by the attackers’ server.

The malware is named ChewBacca after the Star Wars character, which is also the name given to one of its functions. Kaspersky Lab pointed out in December that ChewBacca uses Tor’s anonymity capabilities to shield the attacker’s command and control infrastructure.

RSA’s team also noticed the anonymity feature.

“RSA observed that communication is handled through the TOR network, concealing the real IP address of the Command and Control (C&C) server(s), encrypting traffic, and avoiding network-level detection,” Yotam Gottesman, a Senior Security Researcher at RSA, noted in a blog post. “The server address uses the pseudo-TLD “.onion” that is not resolvable outside of a TOR network and requires a TOR proxy app which is installed by the bot on the infected machine.”

“The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months,” Gottesman added.

The attacks have affected at least 41 companies, including one medium-sized retailer and several gas station chains, an RSA executive, who asked not to be named, told Bloomberg’s Michael Riley. According to the executive, the attackers in this operation compromised credit-card data for about 50,000 customers.

This campaign does NOT appear to be connected in any way to the recent attack against Target Corporation.

Earlier this month, the FBI issued a warning to U.S. retailers, saying they should prepare for more cyber attacks after discovering roughly 20 cases over the past year that involved point of sale malware. 

Additional technical details, including information on how to remove ChewBacca from an infected system, are available in RSA’s blog post.

[Updated with additional information from Bloomberg]

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
