Tor-enabled malware stole credit card data from PoS systems at dozens of retailers

Details of over 50,000 credit and debit cards have been stolen from 119 PoS terminals infected with a malware program called ChewBacca

Payment card data was stolen during the past three months from several dozen retailers that had their point-of-sale systems infected with a memory-scraping malware program called ChewBacca.

The cybercriminal operation was investigated by antifraud researchers from RSA, the security division of EMC, who analyzed the malware and its command-and-control infrastructure.

Most of the affected retailers are based in the U.S., but PoS infections with this malware were also detected in 10 other countries, including Russia, Canada and Australia, the RSA researchers said Thursday in a blog post.

"At this time our research indicates that 119 PoS terminals within 45 unique retailers show evidence of being infected with the ChewBacca malware," said Uri Fleyder, manager of the Cybercrime Research Lab at RSA, via email. Thirty-two of the affected retailers are based in the U.S., he said.

According to Fleyder, the ChewBacca gang infected PoS terminals located in different stores around the country and there are indications that over 50,000 unique payment cards have been compromised, including the data encoded on their magnetic strips that's captured when they're swiped at PoS terminals. This is called track 1 and track 2 data.

Fleyder declined to comment on the identities of the compromised retailers, but said the evidence is being shared with them and they're being advised to report the information to their local law enforcement authorities.

The ChewBacca malware was first documented by researchers from antivirus firm Kaspersky Lab in a December blog post. One of its most interesting features, aside from stealing payment card data from the RAM memory of PoS systems, is that it communicates with a command-and-control server over the Tor anonymity network.

The malware installs a Tor proxy client on the infected systems and connects to a server via a .onion address. The .onion pseudo-TLD is used by services that can only be accessed from within the Tor network.

The malware enumerates all processes running on the infected system and extracts information from their memory that matches specific patterns, the Kaspersky researchers said in their December report.

The type of data targeted by the malware was not specified at the time, but according to Marco Preuss, director of Kaspersky's Global Research and Analysis Team in Europe, the company's researchers suspected that it might be financial in nature. However, this was just speculation, so it wasn't mentioned in the report, he said Thursday via email.

According to the RSA researchers, the malware has been in use since Oct. 25.

Aside from the memory-scraping capability, the malware also has a keylogger component that records keyboard events and window focus changes and stores the information in a file called system.log in the Windows temporary folder. It also installs an executable file called spoolsv.exe in the Windows startup folder to ensure its persistence across system reboots, the RSA researchers said.

On the server side, there's a control panel where attackers can review the compromised systems and the data stolen from them. One of the server's operators was seen accessing the server from an IP address in Ukraine, Fleyder said.

According to Preuss, the .onion-domain that the malware had been using since December has been offline since Wednesday afternoon. It might have used a different server before that, which suggests that the criminal campaign evolved over time, he said.

"The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months," the RSA researchers said.

Preuss agreed with that assessment, saying that from a technical point of view, the Trojan program is indeed simple and doesn't use advanced code protection or encryption methods that could impede analysis and detection.

Eighty percent of antimalware applications detect the ChewBacca malware at the moment, said Curt Wilson, a senior research analyst at Arbor Networks, a security firm that's also tracking several PoS malware campaigns.

"PoS malware doesn't need to be complicated yet, because attackers find PoS machines to be easy pickings," Wilson said. "They were able to compromise many of their targets so far, so their malware doesn't need to evolve."

Organizations don't usually run antimalware software on their PoS devices, which are seen as brittle and lack strong security controls, Wilson said. However, with all of the attention that PoS malware has been getting lately, they will become more sophisticated over time, he said.

Read more: Unprecedented spike in DDoS attacks: Arbor Networks

"So far, most PoS systems have been completely unprotected," Fleyder said. "Financially motivated fraudsters are usually searching to take advantage of the low hanging fruit and right now PoS terminals are among the easiest targets for gaining valuable financial data."

This new report about the ChewBacca attack campaign comes after recent confirmations that RAM-scraping malware was found on PoS terminals at retailers Target and Neiman Marcus, leading to the compromise of over 41 million credit card details.

The number of attacks with PoS malware has been on the rise since last year. At the beginning of December, Arbor Networks and another security firm called IntelCrawler identified several attack campaigns with different variants of a PoS RAM scraping malware called Dexter.

"Retailers have a few choices against these attackers," the RSA researchers said. "They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors."

Unfortunately, implementing encryption at the point of capture -- the card readers -- often requires replacing the existing PoS terminals with newer ones that have the technology built in, something that not many retailers can afford or are willing to do.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags arbor networksdata breachAccess control and authenticationencryptionNeiman Marcusmalwarekaspersky labemcfraudTargetintrusionsecurity

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?