With the Target and Neiman Marcus breaches being all over the news in the last few weeks, the topic of malware that collects card data directly from Point-of-Sale devices has received renewed interest.
The PoS malware used in the former has been identified as a modified version of the BlackPOS malware, but other, similar families are currently in use.
RSA researchers have recently discovered the entire server infrastructure used in a global PoS malware operation that targets retailers in the US, Russia, Canada and Australia, and have managed to access part of it.
The malware in question is the ChewBacca Trojan, which is capable of logging keystrokes and scraping the memory of PoS systems and the card magnetic stripe data they contain.
“RSA observed that communication is handled through the TOR network, concealing the real IP address of the Command and Control server(s), encrypting traffic, and avoiding network-level detection,” they noted. “The server address uses the pseudo-TLD ‘.onion’ that is not resolvable outside of a TOR network and requires a TOR proxy app which is installed by the bot on the infected machine.”
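Because a ".onion" name is only resolvable through a Tor proxy, any such name showing up in ordinary DNS query logs is a signal worth investigating: either a bot's Tor proxy failed to start, or some component tried the name through the normal resolver. The following is an added detection example, not code from the RSA report or the malware; the log format (a BIND-style query log) and the client addresses are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (not taken from the RSA report). Assumed format:
#   "<timestamp> client <ip>#<port>: query: <name> IN <type>"
SAMPLE_DNS_LOG = """\
31-Jan-2014 09:12:01.123 client 10.20.30.41#53211: query: update.example-vendor.com IN A
31-Jan-2014 09:12:05.456 client 10.20.30.41#53214: query: 5a3bkqp2x7yd4rwz.onion IN A
31-Jan-2014 09:12:09.789 client 10.20.30.77#49160: query: time.windows.com IN A
31-Jan-2014 09:13:15.001 client 10.20.30.41#53220: query: 5a3bkqp2x7yd4rwz.onion IN A
31-Jan-2014 09:14:30.002 client 10.20.30.12#51001: query: pos-gateway.internal IN A
"""

# Pull the querying client and the queried name out of one log line.
LINE_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# ".onion" is a pseudo-TLD: a legitimate resolver should never see it, so any
# match (with or without a trailing dot) is flagged regardless of the label length.
ONION_RE = re.compile(r"\.onion\.?$", re.IGNORECASE)


def find_onion_lookups(log_text: str) -> dict:
    """Return {client_ip: [queried .onion names, in log order]} for every .onion query."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        name = m.group("name")
        if ONION_RE.search(name):
            hits[m.group("client")].append(name)
    return dict(hits)


def summarize(hits: dict) -> list:
    """Collapse the findings into (client_ip, distinct_onion_names, query_count) tuples."""
    return [(ip, sorted(set(names)), len(names)) for ip, names in sorted(hits.items())]


if __name__ == "__main__":
    for ip, names, count in summarize(find_onion_lookups(SAMPLE_DNS_LOG)):
        print(f"{ip}: {count} .onion lookups -> {', '.join(names)}")
```

On a retail network the hosts to watch are the PoS terminals and back-office systems themselves; a lane register has no business resolving anything under ".onion", so even a single hit from such a host justifies pulling the machine for forensic review.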
The botnet in question began its work in late October 2013, and it seems to be operated by an individual from a country in Eastern Europe.
“The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months,” the researchers noted.
“Retailers have a few choices against these attackers. They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors.”
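The second option the researchers describe, tokenizing at the point of capture and then confirming that no plaintext track data remains in what the terminal sends onward, can be illustrated end to end. The following is an added example and not code from RSA, the malware, or any payment vendor: it pairs a Track 2 scanner (the same check a memory scraper relies on, here used as a DLP-style verification over a captured buffer) with a toy tokenizer. The `CaptureTokenizer` class, its in-process vault, and the `tok_` token format are assumptions made for the illustration; a real deployment keeps the vault in an HSM-backed service outside the PoS process. The capture buffer is constructed and uses a well-known test PAN.

```python
import re
import secrets

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
TOKEN_RE = re.compile(rb";(tok_[0-9a-f]{16})=")

# Constructed sample capture (not real card data): 4111111111111111 is a public test PAN,
# and 4111111111111112 fails the Luhn check, so it is a decoy that merely looks like a PAN.
SAMPLE_CAPTURE = (
    b"\x00\x00TERM=LANE07\x00"
    b";4111111111111111=25121011234567890?"
    b"\x00\x00\x00;4111111111111112=2512101000?"
    b"\x00DONE"
)


def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum; filters out digit runs that are not plausible PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_track2(data: bytes) -> list:
    """Return one finding per Luhn-valid Track 2 record, with the PAN masked for reporting."""
    findings = []
    for m in TRACK2_RE.finditer(data):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        findings.append({
            "offset": m.start(),
            "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",  # MM/YY
            "service_code": m.group(4).decode(),
        })
    return findings


class CaptureTokenizer:
    """Toy point-of-capture tokenizer (assumption for this example: the vault lives here;
    in production it belongs in a separate, HSM-backed tokenization service)."""

    def __init__(self):
        self._vault = {}

    def tokenize_track2(self, captured: bytes) -> bytes:
        """Replace every Track 2 record with a token record carrying only expiry and service code.
        Discretionary data is dropped entirely, so nothing card-derived leaves the terminal."""
        def swap(m):
            pan = m.group(1).decode()
            token = "tok_" + secrets.token_hex(8)
            self._vault[token] = pan
            yymm = m.group(2).decode() + m.group(3).decode()
            return f";{token}={yymm}{m.group(4).decode()}?".encode()
        return TRACK2_RE.sub(swap, captured)

    def detokenize(self, token: str) -> str:
        """Vault lookup, which only the processor-side service should be able to perform."""
        return self._vault[token]


def find_tokens(data: bytes) -> list:
    """List the tokens present in an outbound message, in order of appearance."""
    return [t.decode() for t in TOKEN_RE.findall(data)]


if __name__ == "__main__":
    print("plaintext findings before tokenization:", find_plaintext_track2(SAMPLE_CAPTURE))
    tokenizer = CaptureTokenizer()
    outbound = tokenizer.tokenize_track2(SAMPLE_CAPTURE)
    print("plaintext findings after tokenization:", find_plaintext_track2(outbound))
    print("tokens on the wire:", find_tokens(outbound))
```

The scanner is the useful half for an incident responder: run over a packet capture or a process memory image from a lane register, it answers the question the quoted passage raises, namely whether card data is ever in plaintext view on the network. The tokenizer shows why the answer can be "no" without changing the authorization flow, since the token record keeps the expiry and service code the downstream message needs while the PAN itself never leaves the capture point.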