RSA: Malware Impacts 45 Retailers

No Connection with Target, Neiman Marcus Breaches

Security vendor RSA has uncovered a point-of-sale malware operation originating from the Ukraine that has stolen payment card and personal data from 45 small and midsize retailers. Some 50,000 cards were affected, RSA says.

The malware used in these attacks is less sophisticated than what was used in the breaches at Target Corp. and Neiman Marcus and has no connection to those attacks, an RSA spokesperson tells Information Security Media Group.

Beginning Oct. 25 and ending the last week of January, when the command-and-control server went offline, the malware scraped payment card data from infected POS systems, RSA says in a blog.

The company confirms to Information Security Media Group that 45 retailers were affected, but it declines to name those that were attacked.

Impacted companies are mostly based in the U.S., although malware infection activity has been detected in 10 other countries, RSA says.

RSA has notified the Federal Bureau of Investigation regarding the malware operation, and has been in communication with the victim companies, the blog says.

ChewBacca Malware

The company's investigation has determined that the malware responsible for stealing payment card data is "ChewBacca," which it describes as a relatively new, private Trojan that features simple keylogging and memory-scraping functionality.

The memory scanner incorporated in "ChewBacca" operates by dumping a copy of a process' memory and searching it for card magnetic stripe data, RSA says. If a card number is found, the memory scraper extracts and logs it on the hackers' command-and-control server.

The command-and-control server's IP address is concealed. Its traffic is also encrypted and avoids network-level detection, RSA says.

"The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months," RSA says in the blog.

RSA recommends retailers mitigate these types of threats by developing comprehensive monitoring and incident response capabilities. Retailers also should consider encrypting or tokenizing data at the point of capture and ensure that it's not in plain text view on their networks, RSA says.
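A defensive check in the spirit of that recommendation, as an added example that is not from RSA or the original article: it scans a buffer from your own environment (a log file, a debug dump, a captured payload) for plaintext magnetic stripe data, the data the article says the malware searches for, and reports only masked hits. The function names, patterns and sample records are constructed for illustration.

```python
import re

# ISO/IEC 7813 layouts: Track 1 is %B<PAN>^<name>^<YYMM><service>...?
# and Track 2 is ;<PAN>=<YYMM><service>...?
TRACK1 = re.compile(rb"%B(\d{12,19})\^[^^\r\n]{2,26}\^\d{7}[^?\r\n]*\?")
TRACK2 = re.compile(rb";(\d{12,19})=\d{7}\d*\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits so findings are safe to log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_plaintext_tracks(data: bytes):
    """Return sorted (offset, track_type, masked_pan) for each Luhn-valid hit."""
    findings = []
    for name, pattern in (("track1", TRACK1), ("track2", TRACK2)):
        for m in pattern.finditer(data):
            pan = m.group(1).decode("ascii")
            if luhn_ok(pan):  # drops random digit runs that only look like a PAN
                findings.append((m.start(), name, mask(pan)))
    return sorted(findings)


# Constructed sample: the public test PAN 4111111111111111 in both layouts,
# a decoy that has the Track 2 shape but fails Luhn, and a tokenized record.
SAMPLE = (
    b"txn=1001 raw=%B4111111111111111^DOE/JANE^30121010000000000?\n"
    b"txn=1002 raw=;4111111111111111=30121010000000000?\n"
    b"txn=1003 raw=;4111111111111112=30121010000000000?\n"
    b"txn=1004 token=tok_9f8e7d status=approved\n"
)

if __name__ == "__main__":
    for offset, kind, pan in find_plaintext_tracks(SAMPLE):
        print(f"offset {offset}: {kind} {pan}")
```

Any hit from a scan like this means track data is sitting unencrypted somewhere it can be read, which is the condition tokenization or encryption at the point of capture is meant to remove.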

About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
