
RSA Announced "ChewBacca" Malware Attacked Retailers In 11 Countries

Global security firm RSA announced the discovery of "ChewBacca" malware attacks which targeted point-of-sale (PoS) systems in retail stores. The malware attacked and stole shoppers' credit card payment information in 11 countries, including the United States, Australia, Canada, and Russia:

"While the malware used in the operation is not new, RSA researchers discovered that, beginning October 25th, it had logged track 1 and 2 data of payment cards it had scraped from infected PoS systems."

Tracks 1 and 2 of the magnetic stripe on your credit cards, which were developed by the banking industry, typically include the following payment information:

  • Cardholder's full name
  • Credit card number
  • Credit card expiration date
  • Country code

Track 3 of the magnetic stripe is used to store PIN, currency, authorized amounts, and other payment data for debit card transactions. It appears that a different malware version targeted both credit and debit cards via infected PoS terminals during the Target data breach. Neiman Marcus has disclosed a few details about its data breach, while Michaels Stores has not -- so far.

The malware copied payment information from the PoS terminal's memory when the shopper's payment data was unencrypted. The malware then sent the stolen payment information to a hidden Internet-connected server.

The Trojan was named "ChewBacca" because the sign-in page for malware users features an image of the popular character from the Star Wars films. To protect shoppers' payment data against malware like ChewBacca, RSA suggested:

"Retailers have a few choices against these attackers. They can increase staffing levels and develop leading-edge capabilities to detect and stop attackers (comprehensive monitoring and incident response), or they can encrypt or tokenize data at the point of capture and ensure that it is not in plaintext view on their networks, thereby shifting the risk and burden of protection to the card issuers and their payment processors."

So, doing nothing is not an option. Business-as-usual is not an option.
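RSA's second option, ensuring card data "is not in plaintext view" on the network, can be spot-checked by scanning logs and debug output for track-formatted data and masking what is found. The sketch below is an added example, not code from RSA or from this post; the simplified track 1 and track 2 layouts, the function names, and the sample log lines (which use a well-known test card number) are all assumptions constructed for illustration.

```python
import re

# Simplified magnetic-stripe layouts (assumed for this example):
#   track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^?]{2,26})\^(\d{4})\d{3}[^?]*\?")
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})\d{3}\d*\?")

def luhn_ok(pan):
    """Luhn checksum: filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep the first six and last four digits so a finding can be triaged."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def redact_track_data(text):
    """Return (sanitized_text, findings) for plaintext track 1/2 data."""
    findings = []

    def replacer(track_name):
        def _sub(match):
            pan = match.group(1)
            if not luhn_ok(pan):
                return match.group(0)   # looks like a track, fails checksum
            findings.append((track_name, mask(pan)))
            return "[REDACTED %s %s]" % (track_name, mask(pan))
        return _sub

    text = TRACK1.sub(replacer("track1"), text)
    text = TRACK2.sub(replacer("track2"), text)
    return text, findings

# Constructed sample log lines; 4111111111111111 is a test card number.
SAMPLE_LOG = (
    "10:02:11 pos07 debug swipe=%B4111111111111111^DOE/JANE^16011010000000000?\n"
    "10:02:11 pos07 debug swipe=;4111111111111111=16011010000000000?\n"
    "10:02:12 pos07 info ref=;1234567890123456=1601101? (fails Luhn)\n"
)

if __name__ == "__main__":
    clean, hits = redact_track_data(SAMPLE_LOG)
    print(clean)
    print(hits)
```

Any finding from a scan like this means card data reached storage unencrypted, which is the condition encryption or tokenization at the point of capture is meant to eliminate.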

