The Latest in IT Security

RSA Uncovers Infrastructure Behind New Point-of-Sale Attack Operation


Researchers from RSA say they have discovered the server infrastructure behind a point-of-sale (PoS) attack campaign that has infected systems mostly in the United Sates, but also in 10 other countries including Russia, Canada and Australia.

RSA’s security analysts found that in this particular operation, attackers leveraged the ChewBacca Trojan to steal Track 1 and Track 2 data from payment cards swiped through infected PoS systems dating back to Oct. 25, 2013.

The ChewBacca malware is not new, and it is not exclusively used to target POS systems. While not overly complex, the malware does have the ability to log keystrokes and scrape a system’s memory. According to RSA, the memory scanner feature dumps a copy of a process’s memory and searches it for payment card data. If a card number is found, it is extracted and logged by the server, RSA said.

Named ChewBacca – after the character in Star Wars and the name given to one of its functions – Kaspersky Lab pointed out in December that the ChewBacca malware utilizes Tor’s anonymity capabilities to shield an attacker’s command and control infrastructure.

RSA’s team also noticed this anonymity feature.

“RSA observed that communication is handled through the TOR network, concealing the real IP address of the Command and Control (CC) server(s), encrypting traffic, and avoiding network-level detection,” Yotam Gottesman, a Senior Security Researcher at RSA, noted in a blog post. “The server address uses the pseudo-TLD “.onion” that is not resolvable outside of a TOR network and requires a TOR proxy app which is installed by the bot on the infected machine.”

“The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months,” Gottesman added.

This campaign does NOT appear to be connected in any way to the recent attack against Target Corporation.

Earlier this month, the FBI issued a warning to U.S. retailers, saying they should prepare for more cyber attacks after discovering roughly 20 cases over the past year that involved point of sale malware.

Additional technical details, including information on how to remove ChewBacca from an infected system, are available from RSA here.


Managing Editor, SecurityWeek.Previous Columns by Mike Lennon:RSA Uncovers Infrastructure Behind New Point-of-Sale Attack OperationTarget: Attackers Used Stolen Vendor Credentials in Data BreachCross Platform Java-bot Launches DDoS Attacks from Windows, Mac and Linux MachinesCloudLock Raises $16.5 Million to Expand Enterprise Cloud Security BusinessAuthor of SpyEye Trojan Pleads Guilty

sponsored links


Fraud Identity Theft

Virus Malware


Tracking Law Enforcement


Comments are closed.



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments