ChewBacca malware hits retailers in 11 countries

News by Tim Ring

A new point of sale-based Trojan called ChewBacca has been used to steal payment card and personal customer data from dozens of retailers across 11 countries, according to RSA.

The rapid spread and ‘success' of the malware was revealed in a 30 January blog by RSA senior security researcher Yotam Gottesman and has led to calls for retail organisations to encrypt or tokenise cardholder data to keep it secure.

Gottesman said ChewBacca, which was only discovered in mid-December by researchers at Kaspersky, is behind the theft of customer data from several dozen retailers in the US, Russia, Canada, Australia and seven other countries. So far the UK remains unscathed and RSA has found no links between ChewBacca and the recent hacks at major US suppliers Target, Neiman Marcus and Michael's.

RSA would not confirm the names of the retailers affected but said they been hit between 25 October and 15 December. RSA has contacted them to share the information it has gleaned.

RSA said the ChewBacca botnet is able to collect track 1 and 2 payment card data and confirmed, significantly, that it uses the Tor network to hide the identity of the criminals behind it. However before disappearing behind Tor – the free software which protects Internet anonymity, RSA spotted its controller logging in from a country in East Europe.

ChewBacca steals data in two ways: it uses a keylogger and a memory scanner, which targets systems that process credit cards such as POS terminals. This scanner looks for card magnetic-stripe data, then when it finds it, extracts and logs it. The malware includes a control panel that lets criminals review the stolen information.

After installation, the keylogger creates a file called ‘system.log'. Based on its current findings, RSA believes that deleting this file and rebooting will effectively remove ChewBacca from an infected system.

Rashmi Knowles, chief security architect for the EMEA region at RSA, told “ChewBacca has been upgraded with Tor functionality, which enables anonymous communication, allowing IP addresses to be hidden. This version installs a Tor client on the victims' computer system, so all traffic from the cybercriminals' server to the cash register remains hidden.”

Knowles described the rapid spread of ChewBacca as “a wake-up call” for the retail industry and added that it's the latest example as to how “regulation like PCI does not make you secure.” She instead urged organisations to focus on the early detection of breaches to minimise damage and to consider encryption and tokenisation.

“An option is to examine where card numbers are being kept in plain text and look at encryption or tokenisation technologies,” she told “Cyber criminals are always going to try to be a step ahead of company's defences so they have to be prepared.”

Security expert Richard Moulds, vice president of product strategy at Thales e-Security, echoed her call for encryption.

“The ChewBacca findings simply confirm something we already know - regular PCs and servers can't be secured,” he told SC.

“In-store point of sale terminals are particularly vulnerable because they handle highly sensitive cardholder data, they exist in large numbers so are hard to manage and yet are in notoriously insecure places – the retail store.”

Moulds backed the PIN protection system as PINs are encrypted directly in the card reader as soon as they are entered by the shopper and decrypted only when absolutely necessary.

“We should extend this approach to cover all cardholder data,” Moulds said. “Encrypt or tokenise cardholder data at the point of capture and decrypt only on a need-to-know basis and only in trusted environments.

“Encryption protects data wherever it goes. It's the difference between giving data its very own bodyguard rather than relying on bouncers at every doorway the data passes through.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews