Weekly Cyber Risk Roundup: Payment Card Breaches, Encryption Debate, and Breach Notification Laws

This past week saw the announcement of several new payment card breaches, including a point-of-sale breach at Applebee’s restaurants that affected 167 locations across 15 states.

The malware, which was discovered on February 13, 2018, was “designed to capture payment card information and may have affected a limited number of purchases” made at Applebee’s locations owned by RMH Franchise Holdings, the company said in a statement.

News outlets reported many of the affected locations had their systems infected between early December 2017 and early January 2018. Applebee’s has close to 2,000 locations around the world and 167 of them were affected by the incident.

In addition to Applebee’s, MenuDrive issued a breach notification to merchants saying that its desktop ordering site was injected with malware designed to capture payment card information. The incident impacted certain transactions from November 5, 2017 to November 28, 2017.

“We have learned that the malware was contained to ONLY the Desktop ordering site of the version that you are using and certain payment gateways,” the company wrote. “Thus, this incident was contained to a part of our system and did NOT impact the Mobile ordering site or any other MenuDrive versions.”

Finally, there is yet another breach notification related to Sabre Hospitality Solutions’ SynXis Central Reservations System — this time affecting Preferred Hotels & Resorts. Sabre said that an unauthorized individual used compromised user credentials to view reservation information, including payment card information, for a subset of hotel reservations that Sabre processed on behalf of the company between June 2016 and November 2017.


Other trending cybercrime events from the week include:

  • Marijuana businesses targeted: MJ Freeway Business Solutions, which provides business management software to cannabis dispensaries, is notifying customers of unauthorized access to its systems that may have led to personal information being stolen. The Canadian medical marijuana delivery service JJ Meds said that it received an extortion threat demanding $1,000 in bitcoin in order to prevent a leak of customer information.
  • Healthcare breach notifications: The Kansas Department for Aging and Disability Services said that the personal information of 11,000 people was improperly emailed to local contractors by a now-fired employee. Front Range Dermatology Associates announced a breach related to a now-fired employee providing patient information to a former employee. Investigators said two Florida Hospital employees stole patient records, and local news reported that 9,000 individuals may have been impacted by the theft.
  • Notable data breaches: Ventiv Technology, which provides workers’ compensation claim management software solutions, is notifying customers of a compromise of employee email accounts that were hosted on Office365 and contained personal information. Catawba County services employees had their personal information compromised due to the payroll and human resources system being infected with malware. Flexible Benefit Service Corporation said that an employee email account was compromised and used to search for wire payment information. A flaw in Nike’s website allowed attackers to read server data and could have been leveraged to gain greater access to the company’s systems. A researcher claimed that airline Emirates is leaking customer data.
  • Other notable events: Cary E. Williams CPA is notifying employees, shareholders, trustees and partners of a ransomware attack that led to unauthorized access to its systems. The cryptocurrency exchange Binance said that its users were the target of “a large scale phishing and stealing attempt” and those compromised accounts were used to perform abnormal trading activity over a short period of time. The spyware company Retina-X Studios said that it “is immediately and indefinitely halting its PhoneSheriff, TeenShield, SniperSpy and Mobile Spy products” after being “the victim of sophisticated and repeated illegal hackings.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.

[Chart: top trending cybercrime targets, week of 2018-03-10]

Cyber Risk Trends From the Past Week


There were several regulatory stories that made headlines this week, including the FBI’s continued push for a stronger partnership with the private sector when it comes to encryption, allegations that Geek Squad techs act as FBI spies, and new data breach notification laws.

In a keynote address at Boston College’s cybersecurity summit, FBI Director Christopher Wray said that there were 7,775 devices that the FBI could not access due to encryption in fiscal 2017, despite having approval from a judge. According to Wray, that meant the FBI could not access more than half of the devices it tried to access during the period.

“Let me be clear: the FBI supports information security measures, including strong encryption,” Wray said. “Actually, the FBI is on the front line fighting cyber crime and economic espionage. But information security programs need to be thoughtfully designed so they don’t undermine the lawful tools we need to keep the American people safe.”

However, Ars Technica noted that a consensus of technical experts has said that what the FBI has asked for is impossible.

In addition, the Electronic Frontier Foundation obtained documents via a Freedom of Information Act lawsuit that revealed the FBI and Best Buy’s Geek Squad have been working together for decades. In some cases Geek Squad techs were paid as much as $1,000 to be informants, which the EFF argued was a violation of Fourth Amendment rights as the computer searches were not authorized by their owners.

Finally, the Alabama senate unanimously passed the Alabama Breach Notification Act, and the bill will now move to the house.

“Alabama is one of two states that doesn’t have a data breach notification law,” said state Senator Arthur Orr, who sponsored Alabama’s bill. “In the case of a breach, businesses and organizations, including state government, are under no obligation to tell a person their information may have been compromised.”

With both Alabama and South Dakota recently introducing data breach notification legislation, every resident of the U.S. may soon be protected by a state breach notification law.

Weekly Cyber Risk Roundup: More Payment Card Breaches and Dark Web Arrests

Payment card breaches were back in the news again this week as Forever 21 announced that it is investigating a point-of-sale breach (POS) at some of its stores, and several other organizations issued breach announcements related to stolen payment card data.


Forever 21 said that it received a report from a third party about potential unauthorized access to payment cards at some of the company’s stores, and the ongoing investigation is focusing on POS transactions made in stores between March 2017 and October 2017.

“Because of the encryption and tokenization solutions that Forever 21 implemented in 2015, it appears that only certain point of sale devices in some Forever 21 stores were affected when the encryption on those devices was not in operation,” the company wrote.

In addition, organizations continue to submit breach notification letters to various state attorneys general regarding the previously disclosed breach involving Sabre Hospitality Solutions’ SynXis Central Reservations system, including The Whitehall Hotel and JRK Hotel Group, both of which were impacted from August 10, 2016, through March 9, 2017. The Register also reported that Jewson Direct is notifying customers that their personal and payment card information may have been compromised due to the discovery of unauthorized code on its website. However, the company said the inclusion of card data in the notification was only “an advisory measure” as the investigation is ongoing.

The recent breaches, as well as other breaches such as Sonic, may have led to an increase in payment card fraud activity in the third quarter of 2017. Fraud activity is also expected to increase as consumers buy gift cards and other items over the holiday shopping season.


Other trending cybercrime events from the week include:

  • Organizations expose data: Researchers discovered a publicly exposed Apache Hive database belonging to ride-hailing company Fasten that contained the personal information of approximately one million users as well as detailed profiles of its drivers. A researcher said the Chinese drone maker DJI has exposed a variety of sensitive information via GitHub for up to four years, in addition to exposing customer information via insecure Amazon S3 buckets. Researchers discovered two insecure Amazon S3 buckets appearing to belong to the Australian Broadcasting Corporation’s commercial division, including information regarding production services and stock files. The Maine Office of Information Technology said that approximately 2,100 residents who receive foster care benefits had their personal information temporarily posted to a public website after an employee at contractor Knowledge Services uploaded a file containing their data to a free file-comparison website without realizing that the information would become publicly accessible. Dignity Health is notifying employees that some of their personal information was accidentally exposed to other employees.
  • Employee email accounts compromised: ClubSport San Ramon and Oakwood Athletic Club is notifying employees that their W2 and tax statements were sent to a malicious actor following a phishing attack impersonating an executive. ABM Industries Incorporated is notifying employees that their personal information may have been compromised due to a phishing attack that led to multiple email accounts being compromised. Saris Cycling Group is notifying employees that their personal information may have been compromised due to a phishing email that led to an employee email account being compromised.
  • Extortion-related attacks: The website of Cash Converters was hacked, and the actors behind the attack said they would release the data of thousands of UK consumers unless a ransom is paid. Little River Healthcare Central Texas is notifying patients of a ransomware attack that may have accessed their information and led to some data being irretrievably deleted when the clinic tried to restore the files. Far Niente Winery is notifying individuals of a ransomware attack that may have compromised their personal information.
  • Other notable incidents: A group associated with Anonymous hacked the email accounts of an employee of Italy’s Defence Ministry and a member of the Italian police and then published a variety of information allegedly obtained from those accounts. Officials from Catawba County, North Carolina, said that malware shut down a number of county servers and caused temporary interruptions in service, as well as a number of spam emails being sent to county residents. Gallagher NAC is notifying individuals that their personal information may have been compromised due to “a small amount of data” being stolen from a database between June 18 and September 19. CafeMom is notifying customers that email addresses and passwords used to create accounts prior to July 2011 were compromised “at some point in the past.” AppDirect said that a phisher has been impersonating members of the company’s human resources, recruiting, and sales teams on job sites, and several people have applied to those fake listings and received fake job offers.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen cybercrime targets, week of 2017-11-18]

Cyber Risk Trends From the Past Week

Dark Web markets continued to make headlines this week as a key player in AlphaBay’s operations was charged and cyber-attacks against other still-active dark web marketplaces temporarily disrupted operations.

Federal prosecutors allege that Ronald L. Wheeler III, of Streamwood, Illinois, worked as a spokesperson for the now-shuttered Dark Web marketplace AlphaBay. AlphaBay had grown to become the largest-ever Dark Web marketplace before it, along with the popular Hansa Market, were taken offline by law enforcement this past summer.

Wheeler is accused of working alongside Alexandre Cazes, a 25-year-old Canadian who was alleged to be the owner of AlphaBay known as “Alpha02.” Cazes reportedly committed suicide in his Thai jail cell a week after being arrested in July.

The Associated Press reported that Wheeler has pleaded not guilty to the AlphaBay-related charges, but prosecutors allege that he worked with Cazes using the name “Trappy” to moderate the AlphaBay forum on reddit, mediate sales disputes, and provide other non-technical assistance to users.

As SurfWatch Labs previously reported, the downfall of AlphaBay and Hansa Market elevated Dream Market to the temporary king of the Dark Web. However, Dream Market and other popular markets have been the target of DDoS attacks over the past few weeks, making the sites difficult to access for some users. Those attacks can delay purchases beyond the already congested list of pending Bitcoin transactions, which is slowing down both legitimate and criminal transactions.

Prior to being seized, AlphaBay had grown to accept multiple payment options, including Ethereum and Monero; however, Dream Market still only accepts Bitcoin, and that restriction may help push some users towards other markets that have more, and quicker, payment options as the Dark Web marketplace continues to evolve in AlphaBay’s absence.

Sonic Investigates Breach, 5 Million Cards For Sale on Cybercriminal Market

The fast-food chain Sonic said yesterday that it is investigating a possible payment card breach at its stores, and security blogger Brian Krebs reported that the incident may be tied to a batch of five million fresh payment cards being offered for sale on the stolen credit card shop known as Joker’s Stash.

Sonic said its payment card processor informed the company last week of unusual activity regarding cards used at its stores. Krebs reported that two sources purchased a handful of payment cards from the batch of five million credit and debit cards listed on Joker’s Stash, and those sources said the stolen cards had all been recently used at Sonic locations.

A Sonic spokesperson said that the breach investigation is still in its early stages and it is unclear how many of the company’s nearly 3,600 locations may have been impacted.

Cybercriminal markets like Joker’s Stash often allow the filtering of stolen payment cards based on various options such as location, which allows malicious actors to target affluent areas or to buy cards located near them so that fraudulent transactions are harder to detect.

“It remains unclear whether Sonic is the only company whose customers’ cards are being sold in this particular batch of five million cards at Joker’s Stash,” Krebs wrote. “There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.”

Fast food chains have been at the center of some of the most impactful and widely discussed payment card breaches over the past several years. In July 2016, Wendy’s announced that more than 1,000 stores were affected by point-of-sale malware, leading the fast-food chain to become the top trending company tied to a payment card breach last year. Likewise, Arby’s point-of-sale breach is the top trending consumer goods payment card breach of 2017, and other major restaurant chains such as Chipotle and Shoney’s have announced similar breaches this year.

Arby’s is the top trending consumer goods target associated with payment card cybercrime so far this year, although it remains to be seen how impactful the Sonic breach will be.

An interesting breach announcement trend in 2017 is the attempt to obfuscate the total number of breached locations behind clunky websites that divide the affected locations into searches not just by state, but by city. Case in point, the breach lookup webpage provided by Arby’s, which mimics the cumbersome and now-defunct webpage set up by InterContinental Hotels Group (IHG) for its recent breach. The IHG website divided the affected locations across hundreds of individual cities, and that tool, along with the news that IHG would update the list as more hotels confirmed breaches, meant frequent travelers had to comb through numerous searches repeatedly in order to find out if they were impacted by a single breach.

The Wendy’s breach, which affected franchise locations serviced by a third-party payment provider, was particularly painful for financial institutions as some locations were re-compromised after initially clearing the malware — leading to customer payment cards having to be re-issued multiple times. The Arby’s breach, by contrast, was caused by malware placed on systems inside corporate stores rather than franchise locations.

It’s unclear at this point which Sonic stores were affected, but a 2016 report to stockholders said that 3,212 of the company’s 3,557 locations are franchised. The company also announced in 2014 that it was rolling out a new point-of-sale system and proprietary point-of-personalized service technology based on a Micros Oracle platform. In April 2017 it was reported that the update had made its way to 77 percent of Shoney’s locations.

Weekly Cyber Risk Roundup: Chipotle and Kmart Announce POS Breaches

Payment card breaches were back in the news this week as both Chipotle and Kmart announced point-of-sale breaches affecting a number of locations.


The Chipotle incident, which was first disclosed on April 25, appears to be the larger of the two breaches. A recent company update on the breach said it now includes most of the company’s 2,250 locations. The restaurants were affected by point-of-sale malware for various periods of time between March 24 and April 18.

The infection was made worse by Chipotle’s decision not to adopt EMV payment technology due to concerns that the upgrades would “slow down customer lines,” according to a recent class-action lawsuit filed over the breach.

The Kmart investigation is currently ongoing, so it’s unclear how many of the company’s 735 locations are affected; however, it may be less impactful than a similar point-of-sale malware infection in 2014 since all of Kmart’s stores were EMV ‘Chip and Pin’ technology enabled during the time of the most recent breach, the company said in its press release.

“We believe certain credit card numbers have been compromised,” Kmart’s parent company Sears Holdings said in a statement. “Nevertheless, in light of our EMV compliant point-of-sale systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited. There is also no evidence that kmart.com or Sears customers were impacted.”


Other trending cybercrime events from the week include:

  • Top Secret information exposed to public: Top Secret information related to the U.S. National Geospatial-Intelligence Agency (NGA), a combat support and intelligence agency housed within the Department of Defense (DoD), was exposed to the public via an unsecured Amazon Web Services “S3” bucket that required no credentials to gain access. Security researcher Chris Vickery and other Upguard researchers said the now-secured data set points to NGA contractors Booz Allen Hamilton (BAH) and industry peer Metronome. The data discovered included information that would ordinarily require a Top Secret-level security clearance from the DoD as well as plaintext credentials that granted administrative access to at least one data center’s operating system and what appeared to be Secure Shell (SSH) keys of a BAH engineer.
  • Healthcare breaches due to unauthorized sites, third-parties: Children’s Mercy said that patient information was compromised due to an unauthorized website operated by a physician that was created as an educational resource but did not have proper security controls in place. Adventist Health Tehachapi Valley said that 714 patients who used its vendor Fast Health to pay bills online to Tehachapi Valley Healthcare District and Adventist Health may have had their payment card details compromised due to unauthorized code on a server that was designed to capture payment card information.
  • Extortion attacks continue: A hacking group calling themselves “Tsar Team” has published more than 25,000 private photos and other personal data from patients of the Grozio Chirurgija clinic in Lithuania. The hackers broke into the servers of the cosmetic surgery clinic earlier this year and demanded ransoms from the clinic’s clients in more than 60 countries around the world. The blackmail ranged between €50 and €2,000 worth of bitcoin, authorities said, with nude photos, passport scans, and other sensitive data being used to ramp up the ransom demands. A hacking group known as “RavenCrew” has claimed responsibility for the hack of customer data from the ticketing platform Qnect and subsequent SMS messages that were sent to the company’s customers urging them to pressure co-founder Ryan Chen and chief technology officer Ruslan Starikov into paying the ransom. It’s believed the hackers may have exploited a security hole recently noticed by a customer.
  • Other notable breaches: OneLogin, a company that allows users to manage logins to multiple sites and apps all at once, announced it had experienced a breach that impacts all customers served by the company’s U.S. data center. Old Mutual said the personal information of “a relatively small group” of customers in South Africa was compromised due to unauthorized access to one of its systems. Camberwell High School in Melbourne announced a data breach due to a student gaining unauthorized access to the school management software Compass and accessing the personal information of families. The incident is similar to a breach at Blackburn High School involving the Compass system that occurred two weeks ago. Augusta University said that a phishing attack led to unauthorized access to faculty email accounts and that as a result less than one percent of patients had their personal information exposed.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen cybercrime targets, week of 2017-06-02]

Cyber Risk Trends From the Past Week

TheShadowBrokers continued to make headlines over its new subscription exploit service this past week. The hacking group said that it will release its first “dump” of planned monthly exploits and/or data to its subscribers in early July – for approximately $24,000.

Those who want to join the dump service must pay 100 ZEC (Zcash) by the end of June. The group said it has not yet decided what will be in its first dump, although it previously teased that such dumps could include:

  • web browser, router, and handset exploits and tools,
  • select items from newer Ops Disks, including newer exploits for Windows 10,
  • compromised network data from more SWIFT providers and central banks,
  • and compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs.

The group wrote that the monthly dump service is “for high rollers, hackers, security companies, OEMs, and governments.”

After TheShadowBrokers’ announcement, a crowdfunding campaign was started to help researchers and organizations purchase the upcoming July exploit dump; however, two days later the researchers behind the effort, England-based security researcher Matthew Hickey (aka Hacker Fantastic) and the French security researcher known as x0rz, cancelled the campaign citing legal reasons.

“What we tried with @hackerfantastic was a bet we could somehow get early access to help vendors and open-source software fix the bugs before any public release, that means making the 0days a little less toxic that it could have been if released (from 0day to 1day, still powerful but less efficient),” x0rz wrote. “I guess now we should only spectate what will happen next, like we did before. It’s unfortunate but that’s the way it ought to be.”

x0rz believes that TheShadowBrokers may still publicly release the dump because the group is “not here for the money and are really just seeking media coverage.” However, we’ll all have to wait until next month and see exactly what the group has to offer and – if it follows through on its promise – how damaging its monthly exploit and data dumps can potentially be for organizations.

Behind the Scenes of a $170 Million Payment Card Fraud Operation

On Friday, 32-year-old Russian hacker Roman Seleznev was sentenced to 27 years in prison for running a cybercriminal operation that stole millions of payment cards, resulting in at least $169 million in damages to small businesses and financial institutions. It’s the longest sentence ever issued in the U.S. for cybercrime, and the court documents and testimony that led to the sentence revealed the inner workings of a decade-long operation that helped to grow and evolve payment card fraud into what it is today.

Earlier this month, in documents urging the judge to issue a lengthy sentence, the prosecution said Seleznev may have harmed more victims and caused more financial losses than any other defendant that ever appeared before the court:

“Seleznev is the highest profile long-term cybercriminal ever convicted by an American jury. His criminal conduct spanned over a decade and he became one of the most revered point-of-sale hackers in the criminal underworld. … Unlike smaller players in the carding community, Seleznev was a pioneer in the industry. He was not simply a market participant – he was a market maker whose automated vending sites and tutorials helped grow the market for stolen card data.”

In total, the government was able to identify 2,950,468 unique credit card numbers that Seleznev stole, possessed, or sold related to more than 500 U.S. businesses, subsequently affecting 3,700 financial institutions around the world. And — as the government pointed out — that is just the known losses.

Driving Small Businesses to Bankruptcy

Photo of money taken from Seleznev’s iPhone, which was confiscated upon his arrest in July 2014. In addition, the laptop in his possession at that time contained more than 1.7 million stolen credit card numbers.

As we wrote when Seleznev was convicted on 38 of the 40 counts he faced last year, many of the organizations he targeted were small businesses, and the testimony of seven of those businesses was heard in the court case.

Seattle’s Broadway Grill has perhaps been the most publicized of the point-of-sale breaches. Owner CJ Saretto testified that bad publicity from the breach instantly reduced the restaurant’s revenue by 40 percent and eventually forced him to “walk away from the business, shutter the doors, [and file] personal bankruptcy.” Other owners testified that the effect on business was “horrendous,” that the breach forced them into heavy debt, and that business “has never been the same” since the incident.

It’s no coincidence those that testified in the case against Seleznev were small business owners. Seleznev tended to target small businesses in the restaurant and hospitality industry, particularly if they had poor password security around their point-of-sale devices.

Seleznev “developed and used automated techniques, such as port scanning, to identify retail point of sale computer systems … that were connected to the Internet, that were dedicated to or involved with credit card processing, and that would be vulnerable to criminal hacks,” the indictment stated.

“He quickly learned that many of these businesses’ point of sale systems were remotely maintained by vendors with poor password security,” the government said in its sentencing memorandum. “Because most of his victims were small businesses, they were unlikely to have in-house IT or security personnel. As a result, these companies made extremely attractive targets for someone with Seleznev’s skills as a hacker.”

Track2, Bulba, 2Pac, and POS Dumps

However, Seleznev went far beyond merely stealing payment card information; he also helped to develop and operate websites to market the stolen data and to draw more individuals into payment card fraud. Seleznev was 18 years old when he began participating in the Russian underground “carding” community under the alias “nCuX,” and seven years later, in 2009 when the U.S. Secret Service tried and failed to coordinate his arrest, he had become a major provider of stolen credit card data, according to court documents.

Just three months after being tipped off to the potential arrest by contacts inside the FSB and retiring his “nCuX” alias, Seleznev was back in the game under the name “Track2.” He soon unveiled two new automated vending websites, “Track2” and “Bulba,” which allowed buyers to automatically search and purchase his stolen credit card data by using filters such as a particular financial institution or card brand.

Screenshot of Bulba, an automated vending website used by Seleznev to buy and sell stolen payment card information.

Those features have become commonplace now, but as the prosecution noted, it was “a major innovation” at the time and the “Track2 and Bulba websites achieved instant success.”

“[The sites] made it possible for criminals to efficiently search for and purchase stolen credit card data through a process as easy as buying a book on Amazon,” the prosecution wrote. “Automated vending sites increased the efficiency [of] credit card data trafficking, and remain the gold standard for credit card trafficking to this day.”


The popular dark web marketplace AlphaBay adopted a similar automated shop for stolen payment card information in May 2015, but it includes more search options and a more user-friendly interface than Seleznev’s 2009 Bulba site.

In April 2011, Seleznev was injured in a terrorist bombing in Marrakesh, Morocco, and hospitalized for several months. His co-conspirators ran the Track2 and Bulba websites in his absence until they closed up shop in January 2012 citing no new dumps to sell.

Once again, Seleznev chose to return to cybercrime by innovating his operations. Switching monikers to “2Pac,” he launched a new automated vending site that would not only sell his stolen data but would offer stolen cards from “the best sellers in one place.” Seleznev would take a portion of the proceeds for each sale, and he used this model to resell credit card data stolen in popular breaches such as Target, Michaels, and Neiman Marcus on the 2Pac site.

Someone chatting with Seleznev trying to get payment card data stolen via ATM skimmers listed on the 2Pac site.

In addition, Seleznev needed a continuous stream of dumps and customers to fuel his 2Pac site, so he began teaching others the basics of payment card fraud via a sister site, called “POS Dumps.”

The POS Dumps site linked to the 2Pac site and walked wannabe fraudsters through the steps necessary to become a criminal.

The POS Dumps website contained four categories to teach amateurs how to successfully commit payment card fraud:

  1. Choosing and buying equipment
  2. Choosing and buying dumps
  3. How to generate Track1 and why it is needed
  4. Writing the dumps onto cards

The website even had links to eBay to purchase the necessary equipment (an MSR206 manual swipe magnetic card reader/writer) and custom malware to help write the stolen payment card data onto other cards.

2017-04-26_SeleznevTheJERM
POS Dumps provided a “comprehensive” program to interface with the MSR206 magnetic reader/writer to help wannabe cybercriminals commit fraud.

The prosecution wrote that the POS Dumps website “trained thousands of new criminals in the basics of how to use the data to commit fraud.” Similar types of tutorials related to fraud and cybercrime remain among the most commonly listed items on dark web markets today, according to SurfWatch Labs’ data.

A Record 27-Year Prison Sentence

2017-04-26_SeleznevGuidelines
The prosecution argued that the U.S. sentencing guidelines stated that “unauthorized charges … shall not be less than $500 per access device.” Therefore, Seleznev’s 2.9 million stolen credit cards equated to more than $1.4 billion in losses.

Court documents from the defense called the long prison sentence “draconian.” However, Seleznev clearly knew his actions could have serious consequences. He monitored the U.S. court’s PACER system for any criminal indictments against him, and when agents arrested him in the Maldives as he attempted to board a plane in 2014, he immediately asked if the U.S. had an extradition treaty. The U.S. did not have a formal treaty with the Maldives, but an agreement was obtained in the days prior to take custody of Seleznev.

The prosecution described Seleznev’s sentencing guideline calculation as “literally off the charts.” A score of 43 recommends a life sentence, and Seleznev scored 16 points above that — a 59.

The judge agreed with the prosecution and sentenced Seleznev to 27 years in prison last Friday.

“The notion that the Internet is a Wild West where anything goes is a thing of the past,” said U.S. Attorney Annette L. Hayes. “As Mr. Seleznev has now learned, and others should take note – we are working closely with our law enforcement partners around the world to find, apprehend, and bring to justice those who use the internet to steal and destroy our peace of mind. Whether the victims are multi-national banks or small pizza joints, we are all victims when our day-to-day transactions result in millions of dollars ending up in the wrong hands.”

Weekly Cyber Risk Roundup: Payment Card Data at Risk Due to POS Breaches and Ecommerce Vulnerabilities

Point-of-sale breaches were once again among the week’s top trending cybercrime targets, as InterContinental Hotels Group (IHG) announced that its previously disclosed POS breach had expanded from the dozen properties reported in February to at least 1,175 properties. Affected hotels include popular brands such as Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels, Crowne Plaza, and more.

2017-04-21_ITT.PNG

According to the company’s press release, the investigation discovered “malware designed to access payment card data from cards used onsite at front desks for certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016.” The release does not directly state the number of properties affected; instead it directs readers to a cumbersome breach lookup tool that divides the nearly 1,200-strong list of affected properties into countries, states, and even hundreds of individual cities.

The release also states that hotels that upgraded their technology were not affected by the breach: “Before this incident began, many IHG-branded franchise hotel locations had implemented IHG’s Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution. Properties that had implemented SPS before September 29, 2016 were not affected. Many more properties implemented SPS after September 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data and, therefore, cards used at these locations after SPS implementation were not affected.”

That’s a sliver of good news; however, nearly 1,200 hotels were impacted, and that list may grow in the future as “a small percentage of IHG-branded franchise properties did not participate in the investigation.” The lookup tool will be updated as new properties are added. Unfortunately, for heavy travelers that means returning to the clumsy tool periodically and checking every city they stayed in during the affected period for new breach updates.

2017-04-21_ITTGroups

Other trending cybercrime events from the week include:

  • More breaches due to poor practices and faulty updates: The accidental posting of a file containing the embedded personal information of 5,600 individuals to Rhode Island’s Transparency Portal and General Assembly website is the third recent data breach tied to UHIP, a new system for state benefits. The cybersecurity company Tanium is apologizing for exposing information related to El Camino Hospital in California in hundreds of presentations for potential customers from early 2012 through mid-2015 as well as several now-deleted YouTube videos. As many as 2,000 individuals in the UK may have had their personal information visible to other customers on the RingGo parking app due to a faulty software update.
  • Former employees continue to cause damage: A former employee of engineering firm Allen & Hoshall admitted to accessing the company’s servers repeatedly over a two-year period as well as accessing the email account of a former colleague hundreds of times in order to download and view data from his former employer. A man was arrested for attempting to steal proprietary computer code for a trading platform developed by his employer, an unnamed financial services firm with an office in New York. The online retailer Black Swallow has agreed to pay $60,000 to Showpo to settle a dispute alleging that a former Showpo graphic designer downloaded the company’s entire customer database and gave it to her new employer.
  • Old data breaches come to light: Allrecipes is warning its users that their email addresses and passwords may have been compromised when logging into their accounts prior to June 2013, nearly four years ago. There is not a lot of information on what happened, as the notification email said that the company “cannot determine with certainty who did this or how this occurred.” While announcing a series of automated attacks against its InCircle, Neiman Marcus, Bergdorf Goodman, Last Call, CUSP, and Horchow websites, Neiman Marcus also noted that a similar automated attack in December 2015 provided access to full payment card details — not just the last four digits as initially reported.
  • Physical theft of sensitive data at hotel: Police seized bags of documents containing the personal information of guests staying at the Seasons Hotel at Sydney’s Darling Harbour, and one woman has been charged in relation to the theft, according to police. The information was likely stolen around March 21 and included dozens of guest registration forms, which feature photocopies of passports, driver’s licences, and other forms of personal identification.
  • Other notable cybercrime events: Over 2.4 million email addresses and MD5-hashed passwords were stolen from Fashion Fantasy Game, an online game and social network for fashion lovers, in 2016, and the game’s website appears to contain several existing vulnerabilities that could leak data. Cleveland Metropolitan School District is warning some employees, students, guardians, and affiliates that their information may have been compromised when multiple employees fell for a phishing email that compromised their email account credentials. Security and privacy concerns have been raised after London’s Metropolitan Police apparently gave the addresses of 30,000 gun owners to a marketing agency to help promote the sale of a “firearms protection pack.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-04-21_ITTNew

Cyber Risk Trends From the Past Week

2017-04-21_Risk

In addition to the wide-reaching POS breach that IHG announced this week, online retailers may also be at risk of potential payment card breaches due to an unpatched zero-day vulnerability in the Magento ecommerce platform.

Security researchers at DefenseCode said they discovered the high-risk vulnerability during a security audit of Magento Community edition. The researchers said the vulnerability “could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information.”

DefenseCode did not examine the Magento Enterprise version, but a researcher told Threatpost that both versions share the same underlying vulnerable code. The researcher also said that they have made repeated attempts to notify Magento of the issue since November 2016, but it has yet to be patched. In an email to customers, Magento said it plans on addressing the vulnerability soon:

This vulnerability will be addressed in our next release targeted for early May. Until then, we recommend enforcing the use of “Add Secret Key to URLs” to mitigate potential attacks. To turn on this feature:

  1. Logon to Merchant Site Admin URL (e.g., your domain.com/admin)
  2. Click on Stores > Configuration > ADVANCED > Admin > Security > Add Secret Key to URLs
  3. Select YES from the dropdown options
  4. Click on Save Config

Magento is used by approximately 200,000 online retailers, so the vulnerability is a cause for concern, particularly since it is now public and likely will not be patched for at least several weeks. In addition, an attack could be carried out by targeting any Magento admin panel user.

“Full administrative access is not required to exploit this vulnerability as any Magento administrative panel user regardless of assigned roles and permissions can access the remote image retrieval functionality [at the root of the vulnerability],” the advisory noted. “Therefore, gaining a low privileged access can enable the attacker to compromise the whole system or at very least, the database.”
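The “Add Secret Key to URLs” setting that Magento recommends above is an anti-CSRF measure: an attacker who lures a logged-in admin panel user to a malicious page can make the victim’s browser send a request to the admin panel with the session cookie attached, but cannot know the per-session key that the panel embeds in its own links. The Python model below is an added illustration of that mechanism and is not Magento’s code; the route name, the `/admin/<route>/key/<hash>/` URL layout and the HMAC construction are assumptions chosen to show why a forged request fails once the setting is on.

```python
import hashlib
import hmac
import secrets

# Added illustration of a per-session URL secret key (not Magento's code).
# Assumption: admin URLs look like /admin/<route>/key/<hash>/ and the hash is
# an HMAC of the route under a secret created at login and held server-side.

ROUTE = "catalog/product/save"  # hypothetical admin action


def make_session_secret() -> bytes:
    """Random secret minted when the admin user logs in; it never reaches a
    page that an attacker's site could read."""
    return secrets.token_bytes(32)


def secret_key(session_secret: bytes, route: str) -> str:
    """Key tied to both the session and the route, so a key seen for one
    action cannot be replayed against another."""
    return hmac.new(session_secret, route.encode(), hashlib.sha256).hexdigest()


def admin_url(route: str, session_secret: bytes) -> str:
    """URL the admin panel would render into its own links and forms."""
    return f"/admin/{route}/key/{secret_key(session_secret, route)}/"


def parse_admin_url(url: str):
    """Split /admin/<route>/key/<hash>/ into (route, key). key is None when
    the URL carries no key segment; route is None for non-admin URLs."""
    parts = url.strip("/").split("/")
    if not parts or parts[0] != "admin":
        return None, None
    parts = parts[1:]
    if "key" in parts:
        i = parts.index("key")
        key = parts[i + 1] if i + 1 < len(parts) else None
        return "/".join(parts[:i]), key
    return "/".join(parts), None


def authorize(url: str, session_secret: bytes, secret_key_in_urls: bool) -> bool:
    """Server-side decision for a request that already carries a valid admin
    session cookie. With the setting off, the cookie alone is enough, which is
    exactly what a cross-site forged request relies on."""
    route, key = parse_admin_url(url)
    if route is None:
        return False
    if not secret_key_in_urls:
        return True
    if key is None:
        return False
    return hmac.compare_digest(key, secret_key(session_secret, route))


if __name__ == "__main__":
    session = make_session_secret()
    legit = admin_url(ROUTE, session)
    forged = f"/admin/{ROUTE}/"  # all an attacker's page can construct
    print("setting off, forged request  :", authorize(forged, session, False))
    print("setting on,  forged request  :", authorize(forged, session, True))
    print("setting on,  panel's own link:", authorize(legit, session, True))
```

The key is compared with `hmac.compare_digest` rather than `==` to avoid leaking its value through timing, and it is derived from the route as well as the session so that a key harvested from one page cannot be reused against a more sensitive action. Note that this protects only the cross-site vector; a low-privileged user who can log in to the panel themselves receives valid keys, which is why the advisory quoted above treats any admin panel account as sufficient for exploitation.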

Weekly Cyber Risk Roundup: Payment Card Breaches, Malicious Insiders, and Regulatory Action

Gamestop was the week’s top trending cybercrime target as the company is investigating reports that customer payment card information may have been stolen from gamestop.com. In addition to Gamestop, payment card information was also stolen from the restaurant chain Shoney’s and a series of car washes have issued breach notification letters tied to a compromise at an unnamed third-party point-of-sale (POS) provider.

2017-04-14_ITT.PNG

Two sources told Brian Krebs last week that an alert from a credit card processor indicated gamestop.com was likely compromised by intruders between mid-September 2016 and the first week of February 2017. The sources said that card numbers, expiration dates, names, addresses, and verification codes were stolen due to the breach. Gamestop also operates thousands of retail locations, but there is no indication that those have been affected.

However, dozens of Shoney’s locations were impacted by a recent POS breach. A week after Krebs reported the Gamestop breach, confidential alerts from credit card associations stated that similar payment card data was stolen from the restaurant chain. Best American Hospitality Corp., which manages some of Shoney’s corporate affiliated restaurants, later issued a press release saying that remotely installed POS malware led to breaches at 37 Shoney’s locations between December 27, 2016, and March 6, 2017.

In addition, Acme Car Wash, Auto Pride Car Wash, Clearwater Express Car Wash, Waterworks Car Wash, and Wildwater Express Carwash were all notified of a POS malware infection by their unnamed third-party POS provider. The notification occurred on March 27, and customers who used a payment card at those businesses during various periods in February may have had their data compromised.

2017-04-14_ITTGroups

Other trending cybercrime events from the week include:

  • New data breaches announced: A backup database containing information on 918,000 people and belonging to telemarketing company HealthNow Networks was exposed on the Internet, compromising a variety of individuals’ personal and health information. The payday loan company Wonga is investigating a data breach that may have affected up to 245,000 customers in the UK and 25,000 customers in Poland. As many as 115 families had their private information compromised when the Victorian Education Department mistakenly published documents to its website for 24 hours. At least 83 University of Louisville employees had their W-2 forms accessed when an intruder gained access to W-2 Express, a product of Equifax used by the school to provide employees with access to tax documents.
  • More SWIFT attacks made public: The Union Bank of India faced an attack leveraging the SWIFT system that attempted to perform $170 million in fraudulent transactions last July, but the bank was able to block the transfer of funds, the Wall Street Journal reported. The bank’s SWIFT access codes were stolen by malware after an employee opened a malicious email attachment, and the codes were used to send fraudulent instructions in an attack similar to the one that successfully stole $81 million from the Bangladesh central bank’s account at the New York Federal Reserve in February 2016.
  • Ransomware continues to impact patient care: A ransomware infection at Erie County Medical Center blocked access to electronic patient records and forced the center to reschedule some elective surgeries, sources told news outlets; however, the hospital has yet to confirm that the shutdown of its computer systems was due to ransomware. IT workers have been re-imaging about 6,000 desktop computers that had to be wiped clean as a result of the infection. Ashland Women’s Health reported a data breach affecting 19,727 patients after ransomware encrypted data on the practice’s electronic health record system, including its patient scheduling application. The practice was able to restore the encrypted data from a backup, but patient care was impacted for a couple of days due to the incident.
  • Amazon seller accounts being hacked: Hackers are using previously compromised credentials to hijack the accounts of third-party sellers on Amazon Marketplace, change the bank account information, and then post nonexistent merchandise at cheap prices to defraud customers. The buyers are eligible for refunds from the sellers, which may come as a surprise to the account owners as the hackers are targeting dormant accounts. A company spokesperson told NBC News that it is working to make sure sellers do not have to handle the financial burden of the hacks.
  • Other notable cybercrime events: Five inmates at the Marion Correctional Institution used computers built from spare parts and hidden in a ceiling in a closet to perform a variety of malicious activities while incarcerated. A team of Indonesian hackers gained access to the online ticketing site Tiket.com and stole approximately Rp 4.1 billion ($308,000 USD) worth of airline tickets from carrier Citilink. Dallas officials are blaming a hacker for setting off all 156 of the city’s warning sirens more than a dozen times.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-04-14_ITTNew

Cyber Risk Trends From the Past Week

2017-04-14_RiskScores

A variety of stories from the past week once again highlighted threats that originate not from external hackers, but from organizations’ employees and poor risk management practices.

To start, Allegro Microsystems has accused a former employee of causing $100,000 worth of damages by logging into the company’s network multiple times after resigning in order to implant malware. According to court documents, the man allegedly returned a computer meant for personal use rather than his work computer when resigning, and he used that work computer along with system administrator credentials to insert malicious code into Allegro’s finance module. The employee “designed the malicious code to copy certain headers or pointers to data into a separate database table and then to purge those headers from the finance module, thereby rendering the data in the module worthless,” the documents stated.

Another case involved a DuPont employee who admitted to stealing data from DuPont in the months before he retired in order to bolster a consulting business he planned to run. The man allegedly copied 20,000 files to his personal computer, including formulas, data, and customer information related to developments in flexographic printing plate technology. He also took pictures of restricted areas of DuPont’s plant.

On the regulatory side, the FDA sent a letter to St. Jude Medical demanding the company take action to correct a series of violations related to risks posed by the company’s implantable medical devices — an issue that received quite a bit of attention last summer after a report published by Muddy Waters and MedSec shed light on the alleged vulnerabilities. St. Jude must respond to the FDA within 15 days with “specific steps [it has] taken to correct the noted violations, as well as an explanation of how [it] plans to prevent these violations, or similar violations, from occurring again” — or else St. Jude may face further regulatory action, including potential fines.

That is what happened to Metro Community Provider Network (MCPN), which agreed last week to pay $400,000 following a January 2012 phishing incident that exposed the electronic protected health information (ePHI) of 3,200 individuals. An investigation conducted by the Office for Civil Rights revealed that “prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis.” As a result, MCPN will pay the penalty and implement a corrective action plan to better safeguard ePHI in the future.

Weekly Cyber Risk Roundup: New PoS Breaches and Simple Attacks

The week’s top trending event was the compromise at Freedom Hosting II, which has been estimated to host as much as 20 percent of active dark web sites. As a result, thousands of dark web sites were taken offline, and the stolen data has since been widely shared.

2017-02-12_ITT.png

Security researcher Troy Hunt, who reviewed some of the data, said that 381,000 email addresses were exposed along with a 2.2GB MySQL file that contained database backups of customers with “a very broad range of data from different systems.” Hunt added that “a significant amount” of that data is illegal. The hacker taking credit for the incident told Motherboard that the discovery of 10 sites hosting child pornography was the impetus for escalating the attack from read-only access to gaining system privileges, which was done using a 21-step process.

The other big news of late is the announcement of several new point-of-sale data breaches. InterContinental Hotels Group (IHG) announced a point-of-sale breach affecting customers who used payment cards at the restaurants and bars of 12 properties, and fast-food chain Arby’s confirmed that malware was discovered on the payment systems of corporate locations. The incidents mirror the beginning of 2016, which saw similar breach announcements from Hyatt hotels and fast-food chain Wendy’s. The IHG breach is smaller than last year’s Hyatt announcement, which likely affected guests at 250 hotels, but the Arby’s breach may be comparable to the Wendy’s breach, which affected 1,025 locations.

More than 1,000 of the 3,300 total Arby’s restaurants are corporate owned; however, not every corporate location was affected, an Arby’s spokesperson said. Arby’s has yet to release official numbers or dates for the incident, but PSCU, a service organization that serves more than 800 credit unions, issued a non-public alert saying that more than 355,000 payment cards issued by PSCU member credit unions were compromised due to an incident at “a large fast food restaurant chain, yet to be announced to the public.” PSCU also estimated that the fast-food chain breach occurred between Oct. 25, 2016, and January 19, 2017.

2017-02-12_ittgroups

Other trending cybercrime events from the week include:

  • Polish financial regulator used to spread malware: A malicious actor compromised the internal systems of the Polish Financial Supervision Authority and used the financial regulator to spread malware to Polish banks. According to The Register, a modified JavaScript file likely resulted in visitors to the regulator’s site loading an external file that led to malicious payloads. A spokesperson said the regulator decided to take its entire system offline “in order to secure evidence.” Polish media have described the incident as the most serious attack ever on the Polish banking industry.
  • Extortion attacks continue: Taiwan brokerages are receiving DDoS extortion emails claiming to be from the group known as the “Armada Collective,” and several brokerages have reported DDoS attacks following those ransom demands. A malicious actor gained access to millions of messages and documents from the computer system of Doyen Global and leaked numerous emails from soccer star David Beckham after a failed blackmail attempt of “between €500,000 and a million.”
  • More government attacks: An attack against the Italian foreign ministry last spring compromised email communications for many months, but it did not affect the encrypted system used for classified communications. The Russian-linked APT 29 hacking group has been targeting Norwegian organizations with spear phishing emails. The attorney for Little Egg Harbor believes someone within the township is stealing data from the municipal computer systems and handing that confidential information over to a local political blogger. Hackers may have used stolen passwords to gain access to a Bureau of Consular Affairs email account that serves as a contact window to 117 Taiwanese overseas offices around the world. The former NSA contractor who faced charges in 2016 relating to the theft of 50 terabytes of highly sensitive data allegedly stole more than 75 percent of the hacking tools belonging to the NSA’s elite hacking group known as Tailored Access Operations.
  • Stolen and leaked databases: A database from the law enforcement forum PoliceOne was stolen in 2015 and the information of 700,000 members has been publicly distributed. A group of hackers claim to have a database of 20 million records stolen in 2014 from Bin Weevils, a British online children’s game owned by 55 Pixels. An actor using the name “zerodark70” is selling a database of 83,000 accounts from UPI.com, the website of the news agency United Press International. A large portion of the anti-piracy company Denuvo’s web database content is unsecured, and as a result information submitted via the company’s public contact form dating back to April 2014 has been posted online.
  • Other cybercrime announcements: A vulnerability in an October 2016 software update for the Michigan Data Automated System has exposed as many as 1.87 million Michigan workers’ information to a third-party vendor. UK sports retailer Sports Direct experienced a breach due to an attacker exploiting vulnerabilities in the unpatched version of the DNN platform the company was using to run a staff portal. Computer supplier Logic Supply announced there was unauthorized access to the company’s website on February 6, 2017. UK magazine publisher Future announced that its FileSilo website was breached. Singh and Arora Oncology Hematology in Michigan announced a data breach affecting 22,000 individuals.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-02-12_ittnew

Cyber Risk Trends From the Past Week

2017-02-12_riskscores

The past week saw the continuation of several stories highlighted in recent risk reports.

For starters, malicious actors are exploiting the recently announced severe content injection vulnerability in the WordPress REST API, which allows an unauthenticated attacker to modify the content of existing posts and pages and which was fixed in the WordPress 4.7.2 update. At least twenty-four different campaigns are actively defacing WordPress sites. Wordfence, which said that this is “one of the worst WordPress related vulnerabilities to emerge in some time,” reported that nearly 1.9 million defaced web pages had been indexed by Google as of February 10.

WordPress has an automatic update feature to protect against newly announced exploits being used by malicious actors, but a large number of websites appear to have disabled that feature and have not updated to version 4.7.2, which has been available since January 26.
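A background update only protects a site whose updater is allowed to run, and the switches that turn it off live in wp-config.php. The Python script below is an added example, not part of the original post or of WordPress itself: it parses two constructed wp-config.php fragments (the weak configuration beside a corrected one) and reports whether a core security release such as 4.7.2 would apply itself. The constants it checks (AUTOMATIC_UPDATER_DISABLED, WP_AUTO_UPDATE_CORE and DISALLOW_FILE_MODS) are real WordPress settings; the sample configs and the site they describe are made up.

```python
import re

# Constructed wp-config.php fragments (not from any real site) used as input.
WEAK_CONFIG = """
define('DB_NAME', 'shop');
define('AUTOMATIC_UPDATER_DISABLED', true);  // silences every background update
define('WP_AUTO_UPDATE_CORE', false);
"""

FIXED_CONFIG = """
define('DB_NAME', 'shop');
define( 'WP_AUTO_UPDATE_CORE', 'minor' );    // security/minor releases apply themselves
"""

# Matches define('NAME', value); with either quote style and loose spacing.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Za-z_][A-Za-z0-9_]*)['"]\s*,\s*(?P<value>[^)]*?)\s*\)\s*;"""
)


def parse_defines(config_text: str) -> dict:
    """Return {CONSTANT: value} with PHP true/false mapped to Python bools and
    quoted strings unquoted; any other expression is kept as raw text."""
    found = {}
    for m in DEFINE_RE.finditer(config_text):
        raw = m.group("value").strip()
        if raw.lower() == "true":
            value = True
        elif raw.lower() == "false":
            value = False
        elif len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            value = raw[1:-1]
        else:
            value = raw
        found[m.group("name")] = value
    return found


def core_auto_update_status(defines: dict) -> tuple:
    """Classify as ('disabled' | 'minor' | 'all' | 'unknown', reason).
    Defaults follow WordPress: with no constants set, minor releases auto-apply."""
    if defines.get("AUTOMATIC_UPDATER_DISABLED") is True:
        return "disabled", "AUTOMATIC_UPDATER_DISABLED is true"
    if defines.get("DISALLOW_FILE_MODS") is True:
        return "disabled", "DISALLOW_FILE_MODS is true, so the updater cannot write files"
    core = defines.get("WP_AUTO_UPDATE_CORE", "minor")
    if core is False:
        return "disabled", "WP_AUTO_UPDATE_CORE is false"
    if core is True:
        return "all", "WP_AUTO_UPDATE_CORE is true (major releases too)"
    if core == "minor":
        return "minor", "minor/security releases such as 4.7.2 apply automatically"
    return "unknown", f"unrecognised WP_AUTO_UPDATE_CORE value {core!r}"


def audit(config_text: str) -> str:
    """One-line verdict for the text of a wp-config.php file."""
    status, reason = core_auto_update_status(parse_defines(config_text))
    return f"{status}: {reason}"


if __name__ == "__main__":
    # To audit a live site: audit(open("wp-config.php").read())
    print("weak  ->", audit(WEAK_CONFIG))
    print("fixed ->", audit(FIXED_CONFIG))
```

This only covers the configuration file; a plugin or theme can also switch updates off through the `automatic_updater_disabled` and `auto_update_core` filters, so a clean wp-config.php is a necessary but not sufficient check.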

As SurfWatch Labs continues to stress in blogs and articles, cyber threat intelligence clearly shows that security threats are not as complex as some media and vendors make them out to be. Another example of simple but effective attacks is the growing number of organizations publicly tied to W-2 related breaches. Two weeks ago we wrote that the 2017 W-2 breach count had risen to 24 organizations. By last Friday that number had risen to 40, and by Monday morning it had reached 48, including school districts, colleges, healthcare organizations, manufacturers, payroll providers, restaurants, retailers and more.

IRS Commissioner John Koskinen warned that “this is one of the most dangerous email phishing scams we’ve seen in a long time.” These impersonation emails, also known as business email compromise (BEC) scams, have proven to be effective, and they are costly for the organizations that fall victim to them. But they are not complex. They rely on three simple and straightforward aspects that all good impersonators use:

  1. A simple backstory – The malicious actors utilize the built-in story of tax season.
  2. Appearing as though they belong – The emails matter-of-factly request information that is relevant to the payroll and human resource departments being targeted.
  3. Projecting authority – The requests appear to come from a higher-up such as a school superintendent or executive.
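Because these messages carry no malware, a mail filter has to test for the three traits above rather than for a payload. The Python checker below is an added example and not SurfWatch Labs’ tooling: it scores constructed messages for a borrowed executive name (authority), an external sender or mismatched Reply-To behind an internal-looking request (belonging) and W-2/payroll wording (the tax-season backstory). The hypothetical district at example.com, its executive roster and the sample messages are made up, and the heuristics are assumptions about what such a check would look at.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed inputs (not real mail): a hypothetical school district at
# example.com, the executives whose names attackers would borrow, and the
# words a W-2 request tends to contain.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"jane superintendent": "jane@example.com"}
W2_TERMS = ("w-2", "w2", "payroll", "tax form")

SUSPICIOUS = """From: Jane Superintendent <jane.superintendent@gmail.com>
To: payroll@example.com
Subject: W-2 copies needed today

Can you send me the 2016 W-2s for all staff as one PDF before my 2pm meeting?
"""

LEGIT = """From: Jane Superintendent <jane@example.com>
To: payroll@example.com
Subject: Board meeting agenda

Attached is Thursday's agenda.
"""


def analyze(raw_message: str) -> dict:
    """Score one RFC 5322 message. The message is flagged only when the lure
    (a W-2/payroll request) is paired with an identity signal, because an
    outside vendor asking payroll a question is routine traffic."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    body = msg.get_content() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    expected = EXECUTIVES.get(name.strip().lower())
    impersonation = bool(expected and addr != expected)   # authority borrowed
    external = bool(domain and domain not in INTERNAL_DOMAINS)
    reply_mismatch = bool(reply_to and reply_to != addr)  # replies diverted
    lure = any(term in text for term in W2_TERMS)         # tax-season backstory

    reasons = []
    if impersonation:
        reasons.append(f"display name {name!r} is an executive but address is {addr}")
    if external:
        reasons.append(f"sender domain {domain} is external")
    if reply_mismatch:
        reasons.append(f"Reply-To {reply_to} differs from From")
    if lure:
        reasons.append("subject/body requests W-2 or payroll data")

    return {"flag": lure and (impersonation or reply_mismatch), "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, analyze(raw))
```

The display-name check is the one that catches the “projecting authority” trait: the attacker needs the superintendent’s name to be visible, and most mail clients show the name far more prominently than the address behind it. Extending the roster with lookalike domains (example-com.net and similar) and feeding the verdict into a quarantine rule for payroll and HR mailboxes is the natural next step.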

Many attacks that lead to data breaches are not sophisticated efforts carried out by actors using zero-day exploits; rather, they are opportunistic attacks leveraging public vulnerabilities and simple social engineering tactics. When it comes to managing cyber risk, ensure your organization can defend against these basic attacks before addressing more advanced – and often far less relevant – cyber threats.

Weekly Cyber Risk Roundup: More POS Breaches and the Rise of Destructive Attacks

Massive distributed denial-of-service attacks and data breaches remained front and center in SurfWatch Labs’ cybercrime data this week as old attacks against Brian Krebs, OVH, Yahoo and others continued to be heavily discussed. But looking beyond those headline-grabbing stories, the data also reflects a surge in reports of stolen payment card information.

2016-10-14_ITT.png

On Tuesday, University of Central Florida police announced they were able to tie a recent surge in fraud reports to malware on the systems of AD Food Services, which operates Asian Chao, Huey Magoo’s and the Corner Café in the Student Union.

On Wednesday, luggage and handbag company Vera Bradley announced a breach affecting retail stores. Law enforcement notified the company of a potential issue on September 15, and it was discovered that payment cards used at store locations between July 25, 2016, and September 23, 2016, may have been affected.

On Thursday, it was reported that Dutch developer Willem de Groot discovered skimming scripts on more than 6,000 online stores running vulnerable versions of the Magento ecommerce platform. The active operation is adding 85 stores each day, and de Groot estimates that the number of stolen cards is in the hundreds of thousands.

In addition, American 1 Credit Union in Michigan announced last week that it is temporarily blocking payments to all Wendy’s franchise locations due to ongoing fraud issues. Community members are reporting fraudulent activity on newly issued payment cards used at Wendy’s, suggesting that the malware issue may be ongoing for the fast-food chain. Like other credit unions, American 1 Credit Union reported its total losses related to the Wendy’s data breach are growing beyond the losses incurred from the 2014 Home Depot breach.

2016-10-14_groups

Other trending cybercrime events from the week include:

  • TheDarkOverlord extortion demands continue: Peachtree Orthopedic Clinic in Atlanta is notifying patients of a data breach after discovering unauthorized access into its computer system. After the clinic’s announcement, the actor known as TheDarkOverlord leaked documents allegedly stolen from the clinic and announced they had another 543,879 records containing personal and health information. Athens Orthopedic Clinic, another victim of TheDarkOverlord, confirmed that TheDarkOverlord demanded nearly $400,000 in ransom for the stolen patient data and threatened to call patients and publicly name the company if the clinic didn’t comply with the extortion demands.
  • Another massive breach reported: A hacker going by the name “0x2Taylor” has released 58 million records claiming to be stolen from Modern Business Systems (MBS), which offers in-house data management and monetization solutions to companies. MBS has not publicly confirmed the data breach, but researchers have confirmed that MBS was running an unsecured MongoDB database as the hacker suggested. The hacker also shared a screenshot indicating he or she has another database containing 258 million rows of data.
  • Beware of social engineering: An employee who clicked on a link that appeared to be for a Dropbox file led to a hacker targeting a customer of garden furniture company Gaze Burvill and requesting payment of £7,148 to a fraudulent bank account. Australian not-for-profit health fund CBHS said an unnamed third party has been breached and is warning customers to be on the lookout for phishing emails. The Clinton Foundation is warning that donors are being targeted with phishing messages. Indian police are investigating about 700 people over a scam where workers posed as IRS officials and duped U.S. citizens out of tens of millions of dollars. A Connecticut man has been charged with stealing login credentials from users of Dark Web marketplaces using a combination of phishing pages and port forwarding and then using those credentials to steal bitcoins.
  • Effective backups thwart ransomware: Hutchinson Community Foundation was infected with ransomware on September 19, but it was able to fully recover the data from backups without paying a ransom. Nevertheless, the foundation is notifying donors, vendors and other stakeholders that information may have been compromised during the attack.
  • Hackers continue to target U.S. political figures: The Twitter account of Hillary Clinton’s campaign chief, John Podesta, was hijacked and used to urge followers to vote for Donald Trump. In addition, screenshots circulating online suggest that Podesta’s iCloud account may have been compromised. Users on 4chan claimed that Podesta’s iCloud password, which was published by WikiLeaks, was still working; however, WikiLeaks said that it made sure the credentials were changed.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below. 

2016-10-14_ittnew

Cyber Risk Trends From the Past Week

SurfWatch Labs industry risk scores remained fairly stable. Other Organizations (+0.8%) – which includes groups such as education, advocacy and political parties – was the only sector to see a noticeable increase in risk score compared to the previous week.

2016-10-14_risk

Nation-state hacking remains one of the most talked about cyber risks, and that discussion grew more intense as the U.S. presidential elections moved into the final month. On Friday, the U.S. formally accused the Russian government of orchestrating the recent attacks against the Democratic National Committee and others in an effort “to interfere with the U.S. election process.” A statement from director of national intelligence James Clapper and the Department of Homeland Security said that they believe only Russia’s senior-most officials could have authorized the hacking efforts. That public accusation was followed by promises of a “proportional” response against Russia; however, White House Press Secretary Josh Earnest added that “it is unlikely that our response would be announced in advance.”

The U.S. isn’t the only country facing nation-state espionage. A Wednesday report from the Australian Cyber Security Centre said the 2015 hacking of the Australian Bureau of Meteorology’s network was carried out by foreign adversaries. That attack compromised government systems and led to the theft of sensitive documents, and after the attack officials estimated it would cost millions of dollars to plug the related security holes. The report also said that the attacks demonstrate a willingness of actors to use disruptive and destructive measures when targeting organizations.

That destructive nature is demonstrated by the April 2015 attack on France’s TV5Monde. A recent investigation linked the incident to the Russian hacking group APT 28 and revealed that the attack, which knocked 12 channels off the air, was designed to destroy the TV network. The attack turned out to be more sophisticated than initially reported, with the network first being infiltrated in January 2015 in order to conduct reconnaissance on the way TV5Monde broadcast TV signals. Seven points of entry were used, including a Netherlands-based company that supplied the remote-controlled cameras used in the network’s studios. According to the BBC, the attackers then fabricated malware designed to corrupt and destroy the Internet-connected hardware that controlled the TV station’s operations.

“It’s the worst thing that can happen to you in television,” Yves Bigot, the director-general of TV5Monde told the BBC. “We were a couple of hours from having the whole station gone for good.”

These attacks, ranging from influencing elections to destroying TV networks, are believed to be carried out by nation-states or other advanced actors who are increasingly using those disruptive and destructive tactics to achieve their goals – and with the U.S. promising retaliatory attacks, we can expect to see more such attacks in the near future.

POS Breaches: Bankrupting Small Businesses and Impacting the Supply Chain

There’s a popular cybercrime statistic that has been vexing me for years, and if you read cybersecurity news regularly, I’m sure you’ve seen it cited a few dozen times as well:

60% of small businesses close their doors within six months of a cyber-attack.

I’ve always been skeptical of that bold statistic. As Mark Twain wrote in his autobiography, attributing the now famous quote to British Prime Minister Benjamin Disraeli, “There are three kinds of lies: lies, damned lies and statistics.” Sixty percent is incredibly high (and what percent of these companies would have failed anyway, cyber-attack or not?); nevertheless, I’ve always wanted to find the source of that data and delve into the stories behind that number.

I’ve largely failed on both of those fronts over the past few years.

First, the statistic is most often attributed in some vague way to either the National Cyber Security Alliance or the U.S. House Small Business Subcommittee on Health and Technology. In fact, National Cyber Security Alliance executive director Michael Kaiser did quote that statistic before the House Small Business Subcommittee on Health and Technology in December 2011, but he was actually citing a Business Insider article from three months prior. The Business Insider article is similarly vague, saying only that “about 60 percent of small businesses will close shop within six months of an attack” — but providing no other context to back up that assertion.

Second, my repeated attempts to find small businesses that have failed due to cyber-attacks — and are willing to talk publicly about those failures — have come up mostly empty.

When Breaches Lead to Bankruptcy

All of this serves as a backdrop to the recent conviction of Roman Valerevich Seleznev, aka Track2, 32, of Vladivostok, Russia. Seleznev was convicted on August 25 of 38 counts related to hacking point-of-sale systems and stealing payment card information. According to trial testimony, Seleznev’s scheme led to more than $169 million in losses across 3,700 financial institutions.

Perhaps most interesting — at least when it comes to my ongoing quest to chronicle small businesses being put out of business by cybercrime — was this tidbit from the Department of Justice press release:

Many of the businesses [targeted by Seleznev] were small businesses, some of which were restaurants in Western Washington, including the Broadway Grill in Seattle, which was forced into bankruptcy following the cyber assault.

According to the indictment, Seleznev and others used automated techniques such as port scanning to identify vulnerable retail point-of-sale systems that were connected to the Internet and then infect those systems with malware.
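As an added illustration that is not part of the article or the indictment, the script below shows how a defender might spot the horizontal sweep pattern the indictment describes (one source probing many hosts for the same exposed service) in connection logs. The log format, the IP addresses, the window and the host threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not from the article). Format:
# <ISO timestamp> <src ip> <dst ip> <dst port> <action>
# The first source touches six hosts on the same port in ten seconds,
# and one of those hosts answered (ALLOW): an exposed service was found.
SAMPLE_LOG = """\
2016-10-10T02:00:01 203.0.113.7 198.51.100.10 3389 DENY
2016-10-10T02:00:03 203.0.113.7 198.51.100.11 3389 DENY
2016-10-10T02:00:05 203.0.113.7 198.51.100.12 3389 DENY
2016-10-10T02:00:08 203.0.113.7 198.51.100.13 3389 ALLOW
2016-10-10T02:00:09 203.0.113.7 198.51.100.14 3389 DENY
2016-10-10T02:00:11 203.0.113.7 198.51.100.15 3389 DENY
2016-10-10T02:01:00 192.0.2.44 198.51.100.10 443 ALLOW
2016-10-10T02:30:00 192.0.2.44 198.51.100.10 443 ALLOW
2016-10-10T09:15:00 198.51.100.10 192.0.2.9 443 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_sweeps(log_text, window=timedelta(minutes=5), min_hosts=5):
    """Return {src: (dport, host_count)} for every source that contacted at
    least `min_hosts` distinct hosts on one destination port within `window`.
    Legitimate clients rarely walk across many hosts on a single port that
    fast; a scanner hunting for Internet-connected POS systems does."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_src[event[1]].append(event)
    findings = {}
    for src, events in by_src.items():
        events.sort()  # chronological order per source
        for i, (ts_i, _, _, port_i, _) in enumerate(events):
            # distinct hosts this source hit on port_i in the window ending at event i
            hosts = {dst for ts, _, dst, port, _ in events[:i + 1]
                     if port == port_i and ts_i - ts <= window}
            if len(hosts) >= min_hosts and len(hosts) > findings.get(src, (0, 0))[1]:
                findings[src] = (port_i, len(hosts))
    return findings


if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_LOG))  # {'203.0.113.7': (3389, 6)}
```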

“[Seleznev and others] hacked into, installed malware on, and stole credit card track data from, hundreds of retail businesses in the Western District of Washington and elsewhere,” the indictment stated. “[They] stole, in total, over two million credit card numbers, many of which they then sold through their dump shop websites … generating millions of dollars of illicit profits.”

Seattle’s iconic The Grill on Broadway was one of those small businesses to be hit by point-of-sale malware in 2010. The incident, along with other issues inherited from previous owners, led to the restaurant being closed in 2013.

“It became a target of a credit card number harvesting scheme that claimed a number of businesses on Broadway as victims,” the Seattle Gay Scene wrote at the time of the closing. “Several years of missed software updates played a significant role in the incident and [owner Matthew] Walsh and his team discovered this fact only a few months after purchasing the business. The effects were devastating to The Grill, generating massive amounts of negative publicity and drastically reduced revenue at the restaurant.”

The resources required to stay afloat were simply too much.

“In spite of what it may seem, we’re a very small business,” Walsh said. “We don’t have endless financial resources to keep us afloat like a chain restaurant or large corporation could.”

Recent Supply Chain Issues Affect POS Systems

The conviction of Seleznev over stolen payment card information and the re-emergence of The Grill on Broadway’s story come during the same month that several point-of-sale vendors, including Oracle MICROS, have announced potential compromises — and a series of retailers and hotels have subsequently published data breach notifications.

Those breaches haven’t been explicitly connected, but several of the hotels to recently announce breaches have previously confirmed using MICROS products.

For example, Millennium Hotels & Resorts (MHR), which recently announced a data breach affecting food and beverage point-of-sale systems at 14 hotels, said it was notified by a third-party service provider about “malicious code in certain of its legacy point of sale systems, including those used by MHR.”

“The third party is a significant supplier of PoS systems to the hotel industry,” a spokesperson responded when SurfWatch Labs inquired about problems stemming from the supply chain. “It is aware of these issues. We are not disclosing the name.”

However, in 2008 MICROS Systems, now owned by Oracle, announced that Millennium Hotels & Resorts would be using MICROS “as the standard food and beverage point-of-sale solution for its 14 Millennium Hotel properties located in the United States” — so it’s possible there’s some connection between the breaches.

The same Russian group that hit MICROS has targeted at least five other cash-register providers, according to Forbes’ Thomas Fox-Brewster. Investigations are ongoing, but as we noted in our recent report, cybercrime is increasingly interconnected and compromises can quickly move down the supply chain, affecting everyone from small businesses to large enterprises.

If that 60% statistic is true, even partially, then it raises the question: will these recent breaches in the point-of-sale supply chain lead to more shuttered doors in the future?

And will we hear those businesses’ stories if it does happen? Or will they just become another vague statistic that we all continue to reference?