Tor-enabled malware stole credit card data from dozens of retailers
Details of over 50,000 credit and debit cards have been stolen from 119 PoS terminals infected with a malware program called ChewBacca
IDG News Service - Payment card data was stolen during the past three months from several dozen retailers that had their point-of-sale systems infected with a memory-scraping malware program called ChewBacca.
The cybercriminal operation was investigated by antifraud researchers from RSA, the security division of EMC, who analyzed the malware and its command-and-control infrastructure.
Most of the affected retailers are based in the U.S., but PoS infections with this malware were also detected in 10 other countries, including Russia, Canada and Australia, the RSA researchers said Thursday in a blog post.
"At this time our research indicates that 119 PoS terminals within 45 unique retailers show evidence of being infected with the ChewBacca malware," said Uri Fleyder, manager of the Cybercrime Research Lab at RSA, via email. Thirty-two of the affected retailers are based in the U.S., he said.
According to Fleyder, the ChewBacca gang infected PoS terminals located in different stores around the country and there are indications that over 50,000 unique payment cards have been compromised, including the data encoded on their magnetic stripes that's captured when they're swiped at PoS terminals. This is known as track 1 and track 2 data, and it is enough to produce cloned cards.
Fleyder declined to comment on the identities of the compromised retailers, but said the evidence is being shared with them and they're being advised to report the information to their local law enforcement authorities.
The ChewBacca malware was first documented by researchers from antivirus firm Kaspersky Lab in a December blog post. One of its most interesting features, aside from stealing payment card data from the RAM of PoS systems, is that it communicates with a command-and-control server over the Tor anonymity network, which hides the server's real location from defenders and investigators.
The malware installs a Tor proxy client on the infected systems and connects to a server via a .onion address. The .onion pseudo-TLD is used by services that can only be accessed from within the Tor network.
The malware enumerates all processes running on the infected system and extracts information from their memory that matches specific patterns, the Kaspersky researchers said in their December report.
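The pattern matching described above works the same way whether an attacker is scraping process memory or a defender is auditing a PoS application for unencrypted card data. The following is an added example, not code from the Kaspersky or RSA reports and not ChewBacca's own code: it scans a byte buffer for ISO/IEC 7813 track 1 and track 2 records, drops candidates whose primary account number fails the Luhn check (a cheap way to weed out false positives), and reports only masked PANs so the scanner itself does not become a second leak. The memory buffer and the test card numbers in it are constructed for the example.

```python
"""Scan a raw memory buffer for cleartext magnetic-stripe track data."""
import re
from typing import Dict, List

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,40})\?")


def luhn_ok(pan: bytes) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by payment cards."""
    digits = [int(c) for c in pan.decode("ascii")]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits; everything else becomes '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> List[Dict[str, object]]:
    """Return one record per Luhn-valid track 1 or track 2 hit, ordered by offset."""
    hits: List[Dict[str, object]] = []
    for m in TRACK1_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append({
                "track": "1",
                "offset": m.start(),
                "pan_masked": mask_pan(m.group(1).decode("ascii")),
                "name": m.group(2).decode("ascii", errors="replace"),
                "expiry_yymm": m.group(3).decode("ascii"),
            })
    for m in TRACK2_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append({
                "track": "2",
                "offset": m.start(),
                "pan_masked": mask_pan(m.group(1).decode("ascii")),
                "expiry_yymm": m.group(2).decode("ascii"),
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed sample "memory": junk bytes around two valid track records (industry test
# PANs, not real cards) and one decoy whose PAN fails Luhn and must be ignored.
SAMPLE_MEMORY = (
    b"\x00\x00PoS app v2.1\x00\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000?"
    b"\x90\x90junk;5555555555554444=2512101123456789?"
    b"\x00;1234567890123456=2512101000000000?"
    b"\xff\xfe"
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(hit)
```

Run against a real process dump, the same function would be pointed at the output of a memory acquisition tool rather than the constructed buffer; the point of the Luhn filter is that track-shaped byte runs occur by accident in large heaps, while Luhn-valid ones almost never do.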
The type of data targeted by the malware was not specified at the time, but according to Marco Preuss, director of Kaspersky's Global Research and Analysis Team in Europe, the company's researchers suspected that it might be financial in nature. However, this was just speculation, so it wasn't mentioned in the report, he said Thursday via email.
According to the RSA researchers, the malware has been in use since Oct. 25.
Aside from the memory-scraping capability, the malware also has a keylogger component that records keyboard events and window focus changes and stores the information in a file called system.log in the Windows temporary folder. It also installs an executable file called spoolsv.exe in the Windows startup folder to ensure its persistence across system reboots, the RSA researchers said. The name is borrowed from the legitimate Windows Print Spooler binary, which normally lives in the System32 directory, so a spoolsv.exe sitting in a Startup folder is itself a red flag.
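The two artifacts RSA describes are easy to triage with a file inventory. The following is an added example, not an RSA tool and not derived from the malware itself: given a list of Windows paths (from a disk image, an EDR file listing, or running-process image paths), it flags a spoolsv.exe anywhere other than the legitimate System32 location, distinguishes the Startup-folder case the article describes, and flags a system.log in a Temp directory. The exact paths in the sample inventory are constructed; the article names only the file names and the folder types, so a hit here is a lead to examine, not proof of infection on its own.

```python
"""Triage a Windows file inventory for the ChewBacca persistence and keylogger artifacts."""
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple

# The only place the genuine Windows Print Spooler binary lives.
LEGIT_SPOOLSV_DIR = PureWindowsPath(r"C:\Windows\System32")

# Tail shared by the per-user and all-users Startup folders (compared case-insensitively).
STARTUP_TAIL = r"\start menu\programs\startup"


def triage_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (reason, path) pairs for every path that matches an indicator."""
    findings: List[Tuple[str, str]] = []
    for raw in paths:
        wp = PureWindowsPath(raw)
        name = wp.name.lower()
        parent = wp.parent
        parent_str = str(parent).lower()

        if name == "spoolsv.exe" and parent != LEGIT_SPOOLSV_DIR:
            # PureWindowsPath equality is case-insensitive, so C:\WINDOWS\system32 is still legit.
            if parent_str.endswith(STARTUP_TAIL):
                findings.append(("spoolsv.exe in Startup folder (persistence)", raw))
            else:
                findings.append(("spoolsv.exe outside System32 (name masquerade)", raw))
        elif name == "system.log" and parent.name.lower() == "temp":
            # Covers %TEMP% (...\AppData\Local\Temp) and C:\Windows\Temp.
            findings.append(("system.log in a Temp folder (keylogger output)", raw))
    return findings


# Constructed inventory: one legitimate spooler, two planted copies, two suspect logs,
# and an unrelated system.log that must not be flagged.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\spoolsv.exe",
    r"C:\Users\pos\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe",
    r"C:\Users\pos\AppData\Local\Temp\system.log",
    r"C:\Windows\Temp\system.log",
    r"C:\Program Files\POSApp\logs\system.log",
    r"C:\ProgramData\spoolsv.exe",
]

if __name__ == "__main__":
    for reason, path in triage_paths(SAMPLE_INVENTORY):
        print(f"{reason}: {path}")
```

Because it uses PureWindowsPath, the check runs on an analysis workstation of any operating system; feeding it the image paths from a process listing catches the running copy as well as the file on disk.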