Chewbacca Malware Steals Multitude Of Data From PoS Systems
January 31, 2014

Brett Smith for - Your Universe Online

On Thursday, the security research group RSA FirstWatch disclosed evidence of cybercriminals targeting small retailers in eleven countries. The attackers reportedly stole details on 49,000 payment cards using malware known as "ChewBacca" before the operation was eventually shut down.

The targeted companies included retailers in the United States, Russia, Canada and Australia, and the attackers gathered data on around 24 million transactions, the firm said. The data was harvested from the retailers' point-of-sale (PoS) systems.

“At this time our research indicates that 119 PoS terminals within 45 unique retailers show evidence of being infected with the ChewBacca malware,” Uri Fleyder, manager of the Cybercrime Research Lab at RSA, told PC World's Nicole Kobie.

Fleyder added that 32 of the affected retailers are based in the US and that evidence of the intrusion has been shared with them. They are also being advised to report the incidents to their regional law enforcement authorities. According to RSA, the malware has been in use since Oct. 25.

The ChewBacca malware was first detailed by researchers at antivirus firm Kaspersky Lab in a December blog post. The malware enumerates the processes running on the infected system and scrapes from their memory any data that matches specific patterns (a technique known as memory scraping: card data read from the stripe passes through the PoS application's memory in plaintext, even if it is encrypted before it leaves the machine). The type of data targeted by the malware was not described at the time. However, Marco Preuss, director of Kaspersky's Global Research and Analysis Team in Europe, said the company's researchers suspected it was financial in nature. Since this was only a suspicion, it wasn't mentioned in the company's report.
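As an added illustration of the pattern-based memory scraping described above, and of how a responder would hunt for it in a process dump, here is a small Python scanner. It is not Kaspersky's, RSA's or the malware's own code, and the patterns are not ChewBacca's (which the article says were not described); they are the standard ISO/IEC 7813 Track 1 and Track 2 layouts, which is what a PoS application holds in memory right after a swipe. The sample buffers are constructed, 4111111111111111 is a well-known test PAN, and the Luhn check is what separates real card numbers from digit runs that merely look like one.

```python
import re

# Magnetic-stripe track layouts per ISO/IEC 7813 (assumed as the scraper's target patterns;
# the article does not give ChewBacca's actual regexes).
# Track 2: PAN (13-19 digits) '=' YYMM expiry, 3-digit service code, discretionary data, optional '?'
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})(\d{3})\d*\??")
# Track 1: '%B' PAN '^' cardholder name '^' YYMM expiry, service code, discretionary data, optional '?'
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\??")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check-digit test: discards digit runs that fit the layout but are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):  # iterating bytes yields ints
        d = ch - 48
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four so triage output does not itself leak card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Return every Luhn-valid Track 1 / Track 2 record in buf, ordered by offset."""
    hits = []
    for track, regex, expiry_group in ((1, TRACK1_RE, 3), (2, TRACK2_RE, 2)):
        for m in regex.finditer(buf):
            pan = m.group(1)
            if not luhn_ok(pan):
                continue  # structurally plausible, but not a real card number
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan.decode("ascii")),
                "expiry": m.group(expiry_group).decode("ascii"),
            })
    return sorted(hits, key=lambda h: h["offset"])


def scan_dump(path: str) -> list:
    """Run the same scan over a saved process memory dump (e.g. from procdump or gcore)."""
    with open(path, "rb") as f:
        return scan_buffer(f.read())


# Constructed "process memory" of a PoS app that handles plaintext track data: a Track 1
# record, a Track 2 record with the same test PAN, and a decoy that fails Luhn.
SAMPLE_MEMORY = (
    b"\x00\x00POS v2.1 idle\x00\x00"
    b"%B4111111111111111^DOE/JOHN^2512101000000000?"
    b"\x00\x00\x00"
    b";4111111111111111=25121010000000000000?"
    b"\x00random 1234567890123456=2512101 noise\x00"
)

# Constructed memory of a PoS that encrypts/tokenizes at the swipe: the application only
# ever holds an opaque token, so there is nothing for the same scan to find.
TOKENIZED_MEMORY = b"\x00\x00POS v2.1 idle\x00\x00TOKEN:7f3c9a1e-b2d4-4c8e^2512101?\x00"

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
    print("tokenized buffer hits:", scan_buffer(TOKENIZED_MEMORY))
```

Run against a real dump, the scan only reports masked PANs, so the hunting tool does not become a second copy of the stolen data. The decoy shows why the Luhn filter matters: without it, every 13-to-19-digit run followed by "=" and seven digits would be flagged. The tokenized buffer is the defensive half of the picture: if the terminal never holds the PAN in plaintext, a scraper of this kind has nothing to match.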

The attackers were able to review the compromised systems and the stolen data from a central server. In one instance, that server was observed being accessed from an IP address in Ukraine, Fleyder said.

Preuss said the domain the malware had been using since December has been down since Wednesday afternoon. He added that the malware might have used a different server before that, which would indicate the campaign evolved over time.

“The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months,” the RSA researchers said.

Curt Wilson, a senior research analyst at the cybersecurity company Arbor Networks, told PC World that most anti-malware software can now detect the ChewBacca program.

“PoS malware doesn’t need to be complicated yet, because attackers find PoS machines to be easy pickings,” Wilson said. “They were able to compromise many of their targets so far, so their malware doesn’t need to evolve.”

He added that many retail companies don’t run anti-malware software on their PoS devices.

“So far, most PoS systems have been completely unprotected,” Fleyder said. “Financially motivated fraudsters are usually searching to take advantage of the low hanging fruit and right now PoS terminals are among the easiest targets for gaining valuable financial data.”

“Retailers have a few choices against these attackers,” the RSA researchers said. “They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors.”