RSA: Malware Impacts 45 Retailers
No Connection with Target, Neiman Marcus BreachesSecurity vendor RSA has uncovered a point-of-sale malware operation originating from the Ukraine that has stolen payment card and personal data from 45 small and midsize retailers. Some 50,000 cards were affected, RSA says.
See Also: OnDemand | Realities of Choosing a Response Provider
The malware used in these attacks is less sophisticated than what was used in the breaches at Target Corp. and Neiman Marcus and has no connection to those attacks, an RSA spokesperson tells Information Security Media Group.
Beginning Oct. 25 and ending the last week of January, when the command-and-control server went offline, the malware scraped payments card data from infected POS systems, RSA says in a blog.
The company confirms to Information Security Media Group that 45 retailers were affected, but it declines to name those that were attacked.
Impacted companies are mostly based in the U.S., although malware infection activity has been detected in 10 other countries, RSA says.
RSA has notified the Federal Bureau of Investigation regarding the malware operation, and has been in communication with the victim companies, the blog says.
ChewBacca Malware
The company's investigation has determined that the malware responsible for stealing payment card data is "ChewBacca," which it describes as a relatively new, private Trojan that features simple keylogging and memory-scraping functionality.
The memory scanner incorporated in "ChewBacca" operates by dumping a copy of a process' memory and searching it for card magnetic stripe data, RSA says. If a card number is found, the memory scraper extracts and logs it on the hackers' command-and-control server.
The command-and-control server's IP address is concealed. Also, traffic is encrypted and it avoids network-level detection, RSA says.
"The ChewBacca Trojan appears to be a simple piece of malware that, despite its lack of sophistication and defense mechanisms, succeeded in stealing payment card information from several dozen retailers around the world in a little more than two months," RSA says in the blog.
RSA recommends retailers mitigate these types of threats by developing comprehensive monitoring and incident response capabilities. Retailers also should consider encrypting or tokenizing data at the point of capture and ensure that it's not in plain text view on their networks, RSA says.