ChewBacca point-of-sale keylogger SLURPS your CREDIT CARD data

Point-of-sale malware dubbed ChewBacca has hit dozens of small retailers in 11 countries as far apart as the US, Russia, Canada and Australia. Researchers at RSA Security have put the ChewBacca Trojan under the microscope, revealing much more information about a strain of malware targeted at retailers that, whilst not new for …


This topic is closed for new posts.
  1. Anonymous Coward


    'The server address uses the pseudo-TLD “.onion” that is not resolvable outside of a Tor network'

    Until ICANN sells it to the highest bidder.

    1. Destroy All Monsters

      Re: ICANN

      But that wouldn't matter, would it? It is ANOTHER UNIVERSE entirely.

  2. Mark 85

    NSA? GCHQ?

    Just another way to get funding for very black ops?

    Maybe I'm just being paranoid but nothing is surprising me lately in the malware area.

  3. Sir Runcible Spoon


    A good question to ask the owners of the PoS machines is

    "Why the fuck are your PoS machines allowed to communicate with the outside world - and TOR! FFS get a clue."

    or words to that effect.

    I can appreciate that it can be hard to stop this shit getting onto your machines running XP SP1, but you can at least stop the buggers phoning home with all the goodies.

    1. Alister

      Re: Sir

      Sir, how the fuck do you expect a PoS machine to work if it can't talk to the outside world?

      1. Fatman

        Re: Sir

        Sir, how the fuck do you expect a PoS machine to work if it can't talk to the outside world?

        Go OLD SCHOOL, and use only the ones that dial a telephone number to complete a transaction.

        The majority of those types DO NOT respond to an incoming call on the connected line; thus, the ONLY TIME they are exposed to the outside world is during a transaction, and at the end of the day when the day's totals are sent.

        The biggest problem with most "modern" POS systems is that they often use a POS operating system (aka WindblowZE), which we all know is easily FUCKED.

        1. jonathanb

          Re: Sir

          Dial-up will add about 20-30 seconds to the transaction time. That may not sound like a lot, and it isn't if only one person waits that long, but when you have a whole queue of people at the till, it reduces the number of people that till can serve per day.

          1. Stacy

            Re: Sir

            Why can it connect to any IP it wants to, where is the firewall that says it can only connect to one single IP address?

            Surely this is the first thing that should be done with these machines. It has no reason to need any IP other than the one of the bank it talks to.

            Kind of how any coupling should be set up!

            1. Destroy All Monsters

              Re: Sir

              Them VPNs, them dry VPNs!!

            2. dan1980

              Re: Sir


              Why can it connect to any IP? Because in small retailers (as this particular attack appears to target) the POS is usually connected to a commodity PC running Windows with a software stack for the actual card reader. The PC itself may have other software installed such as links with inventory management software.

              In short, it's a basic, commodity PC without any specific security.

              I'm not saying it's a good situation, but in contracting work for a friend's company, I saw retail staff browsing the Internet on POS PCs. This malware appears to be targeted at these types of machines.

              1. Stacy

                Re: Sir

                I'm not blaming the shops here - this is something that is not their area of expertise.

                The vendors for the POS (how appropriate that the acronym works both ways...) software should ensure that their systems have at least basic security. Actually, they should ensure they are bloody secure!

                Using the excuse that it is a bog standard PC is no excuse.

        2. Ugotta B. Kiddingme

          Re: Sir @ Fatman

          Dial-up won't necessarily solve anything. At least here in the US, many home and business users have moved from PSTN to IP telephony. And even those who haven't still aren't fully protected from "the outside world." Many of the larger carriers have at least some of their traffic routed via cloudy bits so, even if you shun IPT, you may still be at least minimally exposed to it.

          Yes, most large (i.e. well staffed/trained) organizations have a measure of control over this, but your average small shop owner doesn't have that kind of expertise or access.

      2. Sir Runcible Spoon

        Re: Sir


        I didn't say anything about the PoS machines working that out, I was rather assuming that there would be a firewall involved somewhere along the line, something a bit of malware might have a bit more trouble pwning.
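The egress control Stacy and Sir Runcible Spoon are arguing for, as an added example that is not part of the thread or of RSA's write-up: a default-deny outbound firewall for the till that permits only the acquirer's gateway (and, optionally, one LAN host), rendered as an nftables ruleset, plus an audit of a connection log against the same allowlist so that anything that did get out, Tor relay ports included, shows up. The gateway address 203.0.113.10:443, the LAN host 10.0.5.20:8443, the host name pos-01 and every log line are assumptions constructed for this example; the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 addresses are RFC 5737 documentation ranges, not a real bank or a real Tor relay.

```python
import ipaddress
import re

# Assumed allowlist for this example: the acquirer's gateway and one LAN host.
# Nothing else on the Internet has any business receiving traffic from a till.
ALLOWED = [("203.0.113.10", 443), ("10.0.5.20", 8443)]

# Ports commonly used by Tor relays, directory mirrors and local SOCKS proxies.
# A hit on one of these is worth a louder alert than a stray HTTP fetch.
TOR_PORTS = {9001, 9030, 9050, 9150}


def render_nft_ruleset(allowed):
    """Render a default-drop nftables output chain with one accept per (ip, port).

    Packets of already-allowed sessions and loopback traffic pass; every other
    new outbound flow is logged and dropped by the chain policy.
    """
    lines = [
        "table inet pos_egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    ct state established,related accept",
        "    oif lo accept",
    ]
    for ip, port in allowed:
        lines.append(f"    ip daddr {ip} tcp dport {port} ct state new accept")
    lines += ['    log prefix "pos-egress-drop " drop', "  }", "}"]
    return "\n".join(lines)


# Constructed log format: "<timestamp> <host> <src>:<sport> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def audit_connections(log_text, allowed):
    """Return (timestamp, host, dst, dport, reason) for every flow outside the allowlist."""
    allow = {(ipaddress.ip_address(ip), port) for ip, port in allowed}
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a connection record; ignore
        dst = ipaddress.ip_address(m["dst"])  # raises on a malformed address
        dport = int(m["dport"])
        if (dst, dport) in allow:
            continue
        reason = "destination not on egress allowlist"
        if dport in TOR_PORTS:
            reason += "; Tor-style port"
        findings.append((m["ts"], m["host"], str(dst), dport, reason))
    return findings


# Constructed sample: two legitimate flows, one Tor-style relay contact, one plain HTTP fetch.
SAMPLE_LOG = """\
2014-01-30T10:02:11 pos-01 10.0.5.7:50231 -> 203.0.113.10:443 tcp
2014-01-30T10:02:40 pos-01 10.0.5.7:50232 -> 10.0.5.20:8443 tcp
2014-01-30T10:03:05 pos-01 10.0.5.7:50233 -> 198.51.100.77:9001 tcp
2014-01-30T10:03:06 pos-01 10.0.5.7:50234 -> 192.0.2.44:80 tcp
2014-01-30T10:04:00 pos-01 10.0.5.7:50235 -> 203.0.113.10:443 tcp
"""

if __name__ == "__main__":
    print(render_nft_ruleset(ALLOWED))
    for finding in audit_connections(SAMPLE_LOG, ALLOWED):
        print(*finding)
```

The ruleset is meant to be loaded with `nft -f` on a box that sits in front of the till (or on the till itself, if the vendor's stack tolerates it); the audit is what you run over whatever connection or firewall log you already have to see whether the policy is actually holding. The point Stacy makes stands either way: the allowlist is a handful of lines, and with it in place the Tor-bound flow is dropped and logged instead of carrying track data out.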

  4. Mage

    We already have a solution for protecting PIN

    Ha ha

    The PIN isn't protected and it may be irrelevant.

    1) The reader can be swapped.

    2) It only asks Card if PIN is OK, so a fake card says "OK" to ANY PIN, or PIN of your choice.

    3) I've only ever been asked for PIN in Retail (see point (2)) never online.

    1. Anonymous Coward

      Re: We already have a solution for protecting PIN

      Ok, we've been here before, but:

      When you say "the reader" do you mean the PED? If you do, it may be directly swapped, maybe with other hardware in a replica box, but it's not going to be able to talk to the POS driver layer.

      You correctly state that the PIN is stored on the card, and that the card usually just says "yes" or "no", however this is done by means of an encrypted communication which has to be signed with the correct keys. How do you propose a fake card would be able to do this?

      You wouldn't have been asked for a PIN online; that's not the job of chip and PIN. You will, however, not be able to make a chip and PIN card from the information obtained online because, even if you could create the encryption layer in the chip, the account number used by the chip and PIN part of the card is different to that which is stamped across it.
