Home page logo

dataloss logo Data Loss mailing list archives

ChewBacca Malware Stole 49, 000 Payment Card Details in 11 Countries
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 31 Jan 2014 13:16:39 -0700


Security researchers have discovered that a piece of malware named after
the Star Wars character Chewbacca has been used to steal payment card and
personal information 49,000 payment cards stored by 45 retailers in 11

Details from the payment cards were stolen from 24 million payment card
transactions over two months, according to researchers from security
company RSA.

The attack, which began on 25 October 2013, was mostly concentrated on US
retailers, but the infection has also been detected in 10 other countries
including Canada, Australia and Russia.

US retailer Target was recently the victim of a wide-scale security breach
in its stores, when payment data relating to 40 million credit and debit
cards, as well as 70 million customer records were stolen between 27
November and 15 December 2013.


In the Target case, cybercriminals installed RAM scraper malware on
Target's point-of-sale (POS) cash register systems that was capable of
stealing information directly from the memory of the computer system.

RSA has not revealed how the malware gets installed on the computer systems
linked to the retailers' cash registers, but it is typical that this
malware is attached to phishing emails aimed at luring unsuspecting
employees at these retailers into downloading and installing the software.

The ChewBacca malware contains a keylogger to record all keyboard inputs
and windows that are opened on a victim's PC, as well as a memory scanner
that scans all the information being processed in the memory of the cash
register's computer system, looking for credit card payment details that
are logged in the computer when the magnetic strip on the card is swiped
(known as Track 1 and Track 2 data).

The malware then grabs the card number and logs it on the criminal's server.

TOR functionality

ChewBacca was first spotted by Kaspersky Lab researchers in December, but
what makes this version of the malware unique is that it has added Tor

The private Tor network enables anonymous online communications and is
often used by cybercriminals to hide their IP addresses. The new variant of
the ChewBacca malware installs a Tor client onto the victim's computer
system so that all traffic is hidden from the criminals' server to the cash

According to Kaspersky, this malware is not currently being marketed by its
creator for sale on underground forums.

"The ChewBacca Trojan appears to be a simple piece of malware that, despite
its lack of sophistication and defence mechanisms, succeeded in stealing
payment card information from several dozen retailers around the world in a
little more than two months," RSA said in the blog post.

"Retailers have a few choices against these attackers. They can increase
staffing levels and develop leading-edge capabilities to detect and stop
attackers (comprehensive monitoring and incident response), or they can
encrypt or tokenise data at the point of capture and ensure that it is not
in plaintext view on their networks, thereby shifting the risk and burden
of protection to the card issuers and their payment processors."
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 


Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!

  By Date           By Thread  

Current thread:
  • ChewBacca Malware Stole 49, 000 Payment Card Details in 11 Countries Audrey McNeil (Feb 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]