Weekly Cyber Risk Roundup: New PoS Breaches and Simple Attacks

The week’s top trending event was the compromise at Freedom Hosting II, which has been estimated to host as much as 20 percent of active dark web sites. As a result, thousands of dark web sites were taken offline, and the stolen data has since been widely shared.

Security researcher Troy Hunt, who reviewed some of the data, said that 381,000 email addresses were exposed along with a 2.2GB MySQL file that contained database backups of customers with “a very broad range of data from different systems.” Hunt added that “a significant amount” of that data is illegal. The hacker taking credit for the incident told Motherboard that the discovery of 10 sites hosting child pornography was the impetus for escalating the attack from read-only access to gaining system privileges, which was done using a 21-step process.

The other big news of late is the announcement of several new point-of-sale data breaches. InterContinental Hotels Group (IHG) announced a point-of-sale breach affecting customers who used payment cards at the restaurants and bars of 12 properties, and fast-food chain Arby’s confirmed that malware was discovered on the payment systems of corporate locations. The incidents mirror the beginning of 2016, which saw similar breach announcements from Hyatt hotels and fast-food chain Wendy’s. The IHG breach is smaller than last year’s Hyatt announcement, which likely affected guests at 250 hotels, but the Arby’s breach may be comparable to the Wendy’s breach, which affected 1,025 locations.

More than 1,000 of the 3,300 total Arby’s restaurants are corporate owned; however, not every corporate location was affected, an Arby’s spokesperson said. Arby’s has yet to release official numbers or dates of the incident, but PSCU, a service organization that serves more than 800 credit unions, issued a non-public alert saying that more than 355,000 payment cards issued by PSCU member banks were compromised due to an incident at “a large fast food restaurant chain, yet to be announced to the public.” PSCU also estimated that the fast-food chain breach occurred between Oct. 25, 2016, and January 19, 2017.


Other trending cybercrime events from the week include:

  • Polish financial regulator used to spread malware: A malicious actor compromised the internal systems of the Polish Financial Supervision Authority and used the financial regulator to spread malware to Polish banks. According to The Register, a modified JavaScript file likely resulted in visitors to the regulator’s site loading an external file that led to malicious payloads. A spokesperson said the regulator decided to take its entire system offline “in order to secure evidence.” Polish media have described the incident as the most serious attack ever on the Polish banking industry.
  • Extortion attacks continue: Taiwan brokerages are receiving DDoS extortion emails claiming to be from the group known as the “Armada Collective,” and several brokerages have reported DDoS attacks following those ransom demands. A malicious actor gained access to millions of messages and documents from the computer system of Doyen Global and leaked numerous emails from soccer star David Beckham after a failed blackmail attempt of “between €500,000 and a million.”
  • More government attacks: An attack against the Italian foreign ministry last spring compromised email communications for many months, but it did not affect the encrypted system used for classified communications. The Russian-linked APT 29 hacking group has been targeting Norwegian organizations with spear phishing emails. The attorney for Little Egg Harbor believes someone within the township is stealing data from the municipal computer systems and handing that confidential information over to a local political blogger. Hackers may have used stolen passwords to gain access to a Bureau of Consular Affairs email account that serves as a contact window to 117 Taiwanese overseas offices around the world. The former NSA contractor who faced charges in 2016 relating to the theft of 50 terabytes of highly sensitive data allegedly stole more than 75 percent of the hacking tools belonging to the NSA’s elite hacking group known as Tailored Access Operations.
  • Stolen and leaked databases: A database from the law enforcement forum PoliceOne was stolen in 2015 and the information of 700,000 members has been publicly distributed. A group of hackers claim to have a database of 20 million records stolen in 2014 from Bin Weevils, a British online children’s game owned by 55 Pixels. An actor using the name “zerodark70” is selling a database of 83,000 accounts from UPI.com, the website of the news agency United Press International. A large portion of the anti-piracy company Denuvo’s web database content is unsecured, and as a result information submitted via the company’s public contact form dating back to April 2014 has been posted online.
  • Other cybercrime announcements: A vulnerability in an October 2016 software update for the Michigan Data Automated System has exposed as many as 1.87 million Michigan workers’ information to a third-party vendor. UK sports retailer Sports Direct experienced a breach due to an attacker exploiting vulnerabilities in the unpatched version of the DNN platform the company was using to run a staff portal. Computer supplier Logic Supply announced there was unauthorized access to the company’s website on February 6, 2017. UK magazine publisher Future announced that its FileSilo website was breached. Singh and Arora Oncology Hematology in Michigan announced a data breach affecting 22,000 individuals.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

[Chart: newly seen cybercrime targets, 2017-02-12]

Cyber Risk Trends From the Past Week

The past week saw the continuation of several stories highlighted in recent risk reports.

For starters, malicious actors are exploiting the recently announced severe content injection vulnerability found in the WordPress REST API, which was fixed in the WordPress 4.7.2 update. At least twenty-four different campaigns are actively defacing WordPress sites. Wordfence, which said that this is “one of the worst WordPress related vulnerabilities to emerge in some time,” reported that nearly 1.9 million defaced web pages had been indexed by Google as of February 10.

WordPress has an automatic update feature to protect against newly announced exploits being used by malicious actors, but a large number of websites appear to have disabled that feature and have not updated to version 4.7.2, which has been available since January 26.
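A quick way to find installs in the state described above is to read the core version and the update settings straight from the WordPress files on disk rather than trusting an admin dashboard. The script below is an added example, not code from WordPress or from SurfWatch Labs: the `$wp_version` line in `wp-includes/version.php` and the `AUTOMATIC_UPDATER_DISABLED` and `WP_AUTO_UPDATE_CORE` constants in `wp-config.php` are real WordPress conventions, the sample file contents are constructed, and the document-root path in the usage comment is an assumption.

```python
import re
from pathlib import Path

# 4.7.2 is the release that fixed the REST API content-injection bug.
FIXED_VERSION = (4, 7, 2)

# wp-includes/version.php contains a line like:  $wp_version = '4.7.1';
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")

# Either constant in wp-config.php stops the minor-release auto-updater
# that would otherwise have pulled 4.7.2 in on its own.
DISABLE_ALL_RE = re.compile(
    r"""define\(\s*['"]AUTOMATIC_UPDATER_DISABLED['"]\s*,\s*true\s*\)""", re.I)
CORE_FALSE_RE = re.compile(
    r"""define\(\s*['"]WP_AUTO_UPDATE_CORE['"]\s*,\s*false\s*\)""", re.I)


def strip_php_comments(src: str) -> str:
    """Drop /* */ blocks and whole-line // or # comments so a commented-out
    define() is not mistaken for a live one."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(//|#).*$", "", src)


def parse_version(version_php: str):
    """Return (major, minor, patch) from version.php text, or None if absent.
    Suffixes such as '4.8-alpha' are ignored; missing parts count as 0."""
    m = VERSION_RE.search(version_php)
    if not m:
        return None
    parts = []
    for piece in m.group(1).split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def auto_updates_disabled(wp_config: str) -> bool:
    """True when wp-config.php switches off core auto-updates."""
    live = strip_php_comments(wp_config)
    return bool(DISABLE_ALL_RE.search(live) or CORE_FALSE_RE.search(live))


def audit(version_php: str, wp_config: str) -> list:
    """Return human-readable findings for one install (empty list = clean)."""
    findings = []
    version = parse_version(version_php)
    if version is None:
        findings.append("could not read $wp_version from version.php")
    elif version < FIXED_VERSION:
        findings.append("core %s is older than %s: REST API content injection unpatched"
                        % (".".join(map(str, version)), ".".join(map(str, FIXED_VERSION))))
    if auto_updates_disabled(wp_config):
        findings.append("core auto-updates are disabled in wp-config.php")
    return findings


def audit_install(docroot: str) -> list:
    """Audit a WordPress document root on the local filesystem."""
    root = Path(docroot)
    version_php = (root / "wp-includes" / "version.php").read_text(errors="replace")
    wp_config = (root / "wp-config.php").read_text(errors="replace")
    return audit(version_php, wp_config)


if __name__ == "__main__":
    # Constructed sample files standing in for an unpatched, non-updating site.
    sample_version = "<?php\n$wp_version = '4.7.1';\n"
    sample_config = ("<?php\n// define('WP_AUTO_UPDATE_CORE', true);\n"
                     "define('AUTOMATIC_UPDATER_DISABLED', true);\n")
    for finding in audit(sample_version, sample_config):
        print("FINDING:", finding)
    # Real use: audit_install('/var/www/html')   # path is an assumption
```

Run it over every document root in your inventory; a site that reports both findings is exactly the case above, an old core with the automatic path to 4.7.2 switched off. A plugin or host-level tooling can also block updates without touching these constants, so treat a clean constants check as a hint, not proof that updates would have run.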

As SurfWatch Labs continues to stress in blogs and articles, cyber threat intelligence clearly shows that the security threats are not as complex as some media and vendors make them out to be. Another example of simple but effective attacks is the growing number of organizations publicly tied to W-2 related breaches. Two weeks ago we wrote that the 2017 W-2 breach count had risen to 24 organizations. By last Friday that number had risen to 40. By Monday morning, it rose again to 48 – including school districts, colleges, healthcare organizations, manufacturers, payroll providers, restaurants, retailers and more.

IRS Commissioner John Koskinen warned that “this is one of the most dangerous email phishing scams we’ve seen in a long time.” These impersonation emails, also known as business email compromise scams, have proven to be effective, and they are costly for the organizations that fall victim to them. But they are not complex. They rely on three simple and straightforward aspects all good impersonators utilize:

  1. A simple backstory – The malicious actors utilize the built-in story of tax season.
  2. Appearing as though they belong – The emails matter-of-factly request information that is relevant to the payroll and human resource departments being targeted.
  3. Projecting authority – The requests appear to come from a higher-up such as a school superintendent or executive.

Many attacks that lead to data breaches are not sophisticated efforts carried out by actors using zero-day exploits; rather, they are opportunistic attacks leveraging public vulnerabilities and simple social engineering tactics. When it comes to managing cyber risk, ensure your organization can defend against these basic attacks before addressing more advanced – and often far less relevant – cyber threats.
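The three ingredients listed above are also the three signals a mail gateway can score without any threat feed: a known executive's display name on an address that is not theirs, a Reply-To that steers answers elsewhere, and the tax-season lure itself. The scorer below is an added example, not code from SurfWatch Labs or any product; the organisation domain, the executive directory, the lure terms and both sample messages are constructed assumptions, and only Python's standard `email` package is used.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation data: our own mail domain and the people most likely
# to be impersonated (normalised display name -> the address they send from).
INTERNAL_DOMAINS = {"example-district.org"}
EXECUTIVES = {
    "jane doe": "jdoe@example-district.org",   # superintendent (assumed)
}
W2_TERMS = ("w-2", "w2", "wage and tax statement", "payroll records")


def normalize_name(name: str) -> str:
    """'Doe, Jane' and 'Jane  Doe' should both hit the directory."""
    parts = name.lower().replace(",", " ").split()
    if "," in name and len(parts) >= 2:
        parts = parts[1:] + parts[:1]   # last, first -> first last
    return " ".join(parts)


def score_message(raw: str) -> dict:
    """Return a verdict and the reasons behind it for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    # Projecting authority: an executive's display name on an address that is
    # not the one in our directory (free webmail, lookalike domain, etc.).
    expected = EXECUTIVES.get(normalize_name(from_name))
    if expected and from_addr.lower() != expected:
        reasons.append("display name '%s' impersonates %s but sender is %s"
                       % (from_name, expected, from_addr))

    # Replies routed somewhere other than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append("Reply-To %s differs from From %s" % (reply_addr, from_addr))

    # The built-in tax-season backstory.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    if any(term in text for term in W2_TERMS):
        reasons.append("W-2/payroll lure in subject or body")

    verdict = "quarantine" if len(reasons) >= 2 else ("review" if reasons else "pass")
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages; the phish mirrors the W-2 requests described above.
SAMPLE_PHISH = """From: Jane Doe <jane.doe@webmail-free.example>
Reply-To: Jane Doe <jdoe.office@webmail-free.example>
To: payroll@example-district.org
Subject: W-2 copies needed today
Content-Type: text/plain; charset=utf-8

Hi, I need the 2016 W-2 forms for all employees as PDF before my meeting. Thanks, Jane
"""

SAMPLE_LEGIT = """From: Jane Doe <jdoe@example-district.org>
To: payroll@example-district.org
Subject: Staff meeting Thursday
Content-Type: text/plain; charset=utf-8

Please plan to attend the staff meeting Thursday at 3pm.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(raw))
```

Two of the three signals together are enough to hold a message; the lure term alone is too common in a payroll mailbox to act on, which is why a single hit only routes to review.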

Weekly Cyber Risk Roundup: More POS Breaches and the Rise of Destructive Attacks

Massive distributed denial-of-service attacks and data breaches remained front and center in SurfWatch Labs’ cybercrime data this week as old attacks against Brian Krebs, OVH, Yahoo and others continued to be heavily discussed. But looking beyond those headline-grabbing stories, the data also reflects a surge in reports of stolen payment card information.

On Tuesday, University of Central Florida police announced they were able to tie a recent surge in fraud reports to malware on the systems of AD Food Services, which operates Asian Chao, Huey Magoo’s and the Corner Café in the Student Union.

On Wednesday, luggage and handbag company Vera Bradley announced a breach affecting retail stores. Law enforcement notified the company of a potential issue on September 15, and it was discovered that payment cards used at store locations between July 25, 2016, and September 23, 2016, may have been affected.

On Thursday, it was reported that Dutch developer Willem de Groot discovered skimming scripts on more than 6,000 online stores running vulnerable versions of the Magento ecommerce platform. The active operation is adding 85 stores each day, and de Groot estimates that the number of stolen cards is in the hundreds of thousands.

In addition, American 1 Credit Union in Michigan announced last week that it is temporarily blocking payments to all Wendy’s franchise locations due to ongoing fraud issues. Community members are reporting fraudulent activity on newly issued payment cards used at Wendy’s, suggesting that the malware issue may be ongoing for the fast-food chain. Like other credit unions, American 1 Credit Union reported its total losses related to the Wendy’s data breach are growing beyond the losses incurred from the 2014 Home Depot breach.


Other trending cybercrime events from the week include:

  • TheDarkOverlord extortion demands continue: Peachtree Orthopedic Clinic in Atlanta is notifying patients of a data breach after discovering unauthorized access into its computer system. After the clinic’s announcement, the actor known as TheDarkOverlord leaked documents allegedly stolen from the clinic and announced they had another 543,879 records containing personal and health information. Athens Orthopedic Clinic, another victim of TheDarkOverlord, confirmed that TheDarkOverlord demanded nearly $400,000 in ransom for the stolen patient data and threatened to call patients and publicly name the company if the clinic didn’t comply with the extortion demands.
  • Another massive breach reported: A hacker going by the name “0x2Taylor” has released 58 million records claiming to be stolen from Modern Business Systems (MBS), which offers in-house data management and monetization solutions to companies. MBS has not publicly confirmed the data breach, but researchers have confirmed that MBS was running an unsecured MongoDB database as the hacker suggested. The hacker also shared a screenshot indicating he or she has another database containing 258 million rows of data.
  • Beware of social engineering: An employee who clicked on a link that appeared to be for a Dropbox file led to a hacker targeting a customer of garden furniture company Gaze Burvill and requesting payment of £7,148 to a fraudulent bank account. Australian not-for-profit health fund CBHS said an unnamed third party has been breached and is warning customers to be on the lookout for phishing emails. The Clinton Foundation is warning that donors are being targeted with phishing messages. Indian police are investigating about 700 people over a scam where workers posed as IRS officials and duped U.S. citizens out of tens of millions of dollars. A Connecticut man has been charged with stealing login credentials from users of Dark Web marketplaces using a combination of phishing pages and port forwarding and then using those credentials to steal bitcoins.
  • Effective backups thwart ransomware: Hutchinson Community Foundation was infected with ransomware on September 19, but it was able to fully recover the data from backups without paying a ransom. Nevertheless, the foundation is notifying donors, vendors and other stakeholders that information may have been compromised during the attack.
  • Hackers continue to target U.S. political figures: The Twitter account of Hillary Clinton’s campaign chief, John Podesta, was hijacked and used to urge followers to vote for Donald Trump. In addition, screenshots circulating online suggest that Podesta’s iCloud account may have been compromised. Users on 4chan claimed that Podesta’s iCloud password, which was published by WikiLeaks, was still working; however, WikiLeaks said that it made sure the credentials were changed.
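The MBS entry above is the familiar pattern of a MongoDB instance reachable from the Internet with no authentication. The two `mongod.conf` fragments below are an added illustration, not configuration from MBS or from the page: `net.bindIp` and `security.authorization` are real mongod settings, and the rest is assumed. The first fragment is the exposed shape, the second the corrected one.

```yaml
# Exposed: listens on every interface and, with no security section,
# authorization is off, so any client that can reach port 27017 can read
# and dump every collection.
net:
  bindIp: 0.0.0.0
  port: 27017

---
# Hardened: local interface only (or a private address behind a firewall)
# and every connection must authenticate as a created user.
net:
  bindIp: 127.0.0.1
  port: 27017
security:
  authorization: enabled
```

Create an administrative user before restarting with `authorization: enabled`, or the first thing locked out will be you. Note also that MongoDB releases before 3.6 bound to all interfaces by default, so an older server with no `net` section at all behaves like the first fragment.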

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below. 

[Chart: newly seen cybercrime targets, 2016-10-14]

Cyber Risk Trends From the Past Week

SurfWatch Labs industry risk scores remained fairly stable. Other Organizations (+0.8%) – which includes groups such as education, advocacy and political parties – was the only sector to see a noticeable increase in risk score compared to the previous week.

[Chart: SurfWatch Labs industry risk scores, 2016-10-14]

Nation-state hacking remains one of the most talked about cyber risks, and that discussion grew more intense as the U.S. presidential elections moved into the final month. On Friday, the U.S. formally accused the Russian government of orchestrating the recent attacks against the Democratic National Committee and others in an effort “to interfere with the U.S. election process.” A statement from Director of National Intelligence James Clapper and the Department of Homeland Security said that they believe only Russia’s senior-most officials could have authorized the hacking efforts. That public accusation was followed by promises of a “proportional” response against Russia; however, White House Press Secretary Josh Earnest added that “it is unlikely that our response would be announced in advance.”

The U.S. isn’t the only country facing nation-state espionage. A Wednesday report from the Australian Cyber Security Centre said the 2015 hacking of the Australian Bureau of Meteorology’s network was carried out by foreign adversaries. That attack compromised government systems and led to the theft of sensitive documents, and after the attack officials estimated it would cost millions of dollars to plug the related security holes. The report also said that the attacks demonstrate a willingness of actors to use disruptive and destructive measures when targeting organizations.

That destructive nature is demonstrated by the April 2015 attack on France’s TV5Monde. A recent investigation linked the incident to the Russian hacking group APT 28 and revealed that the attack, which knocked 12 channels off the air, was designed to destroy the TV network. The attack turned out to be more sophisticated than initially reported, with the network first being infiltrated in January 2015 in order to conduct reconnaissance on the way TV5Monde broadcast TV signals. Seven points of entry were used, including a Netherlands-based company that supplied the remote-controlled cameras used in the network’s studios. According to the BBC, the attackers then fabricated malware designed to corrupt and destroy the Internet-connected hardware that controlled the TV station’s operations.

“It’s the worst thing that can happen to you in television,” Yves Bigot, the director-general of TV5Monde told the BBC. “We were a couple of hours from having the whole station gone for good.”

These attacks, ranging from influencing elections to destroying TV networks, are believed to be carried out by nation-states or other advanced actors who are increasingly using those disruptive and destructive tactics to achieve their goals – and with the U.S. promising retaliatory attacks, we can expect to see more such attacks in the near future.

POS Breaches: Bankrupting Small Businesses and Impacting the Supply Chain

There’s a popular cybercrime statistic that has been vexing me for years, and if you read cybersecurity news regularly, I’m sure you’ve seen it cited a few dozen times as well:

60% of small businesses close their doors within six months of a cyber-attack.

I’ve always been skeptical of that bold statistic. As Mark Twain wrote in his autobiography, attributing the now famous quote to British Prime Minister Benjamin Disraeli, “There are three kinds of lies: lies, damned lies and statistics.” Sixty percent is incredibly high (and what percent of these companies would have failed anyway, cyber-attack or not?); nevertheless, I’ve always wanted to find the source of that data and delve into the stories behind that number.

I’ve largely failed on both of those fronts over the past few years.

First, the statistic is most often attributed in some vague way to either the National Cyber Security Alliance or the U.S. House Small Business Subcommittee on Health and Technology. In fact, National Cyber Security Alliance executive director Michael Kaiser did quote that statistic before the House Small Business Subcommittee on Health and Technology in December 2011, but he was actually citing a Business Insider article from three months prior. The Business Insider article is similarly vague, saying only that “about 60 percent of small businesses will close shop within six months of an attack” — but providing no other context to back up that assertion.

Second, my repeated attempts to find small businesses that have failed due to cyber-attacks — and are willing talk publicly about those failures — have come up mostly empty.

When Breaches Lead to Bankruptcy

All of this serves as a backdrop to the recent conviction of Roman Valerevich Seleznev, aka Track2, 32, of Vladivostok, Russia. Seleznev was convicted on August 25 of 38 counts related to hacking point-of-sale systems and stealing payment card information. According to trial testimony, Seleznev’s scheme led to more than $169 million in losses across 3,700 financial institutions.

Perhaps most interesting — at least when it comes to my ongoing quest to chronicle small businesses being put out of business by cybercrime — was this tidbit from the Department of Justice press release:

Many of the businesses [targeted by Seleznev] were small businesses, some of which were restaurants in Western Washington, including the Broadway Grill in Seattle, which was forced into bankruptcy following the cyber assault.

According to the indictment, Seleznev and others used automated techniques such as port scanning to identify vulnerable retail point-of-sale systems that were connected to the Internet and then infect those systems with malware.

“[Seleznev and others] hacked into, installed malware on, and stole credit card track data from, hundreds of retail businesses in the Western District of Washington and elsewhere,” the indictment stated. “[They] stole, in total, over two million credit card numbers, many of which they then sold through their dump shop websites … generating millions of dollars of illicit profits.”
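The “credit card track data” named in the indictment has a fixed shape on the magnetic stripe, which is what a memory scraper harvests and what a defender can hunt for in a process dump, a staged exfiltration file or captured traffic. The scanner below is an added example, not code from the case or from the page: the track 2 layout (start sentinel `;`, a 13 to 19 digit PAN, `=`, a YYMM expiry, a 3-digit service code, discretionary digits, end sentinel `?`) follows ISO/IEC 7813, the Luhn check filters out digit runs that only look like card numbers, and the sample buffer is constructed from publicly documented test card numbers rather than real cards.

```python
import re

# Track 2 as encoded on a magnetic stripe (ISO/IEC 7813):
#   ;<PAN 13-19 digits>=<YYMM expiry><3-digit service code><discretionary digits>?
TRACK2_RE = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; weeds out random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, so the finding itself is not card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Scan an arbitrary byte buffer (process memory dump, staged exfil file,
    pcap payload) and return each Luhn-valid track 2 record found."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode("ascii")
        if not luhn_ok(pan):
            continue
        hits.append({
            "offset": m.start(),
            "pan": mask_pan(pan),
            "expiry": m.group("exp").decode("ascii"),
            "service_code": m.group("svc").decode("ascii"),
        })
    return hits


# Constructed sample buffer using public test card numbers, not real cards.
SAMPLE_BUFFER = (
    b"\x00\x00HEADER\x00"
    b";4111111111111111=2512101123456789?"   # valid track 2 record
    b"\x00junk"
    b";4111111111111112=2512101?"             # fails Luhn: not a real PAN
    b";5500000000000004=2301201?END"          # second valid record
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_BUFFER):
        print(hit)
```

Point `find_track2` at the memory of the POS application process and at any odd files in its working directory; a hit count that grows over time in a process that should only ever hold one card at a time is the classic scraper signature. Findings carry only the masked PAN so the detection log does not itself become cardholder data.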

Seattle’s iconic The Grill on Broadway was one of those small businesses to be hit by point-of-sale malware in 2010. The incident, along with other issues inherited from previous owners, led to the restaurant being closed in 2013.

“It became a target of a credit card number harvesting scheme that claimed a number of businesses on Broadway as victims,” the Seattle Gay Scene wrote at the time of the closing. “Several years of missed software updates played a significant role in the incident and [owner Matthew] Walsh and his team discovered this fact only a few months after purchasing the business. The effects were devastating to The Grill, generating massive amounts of negative publicity and drastically reduced revenue at the restaurant.”

The resources required to stay afloat were simply too much.

“In spite of what it may seem, we’re a very small business,” Walsh said. “We don’t have endless financial resources to keep us afloat like a chain restaurant or large corporation could.”

Recent Supply Chain Issues Affect POS Systems

The conviction of Seleznev over stolen payment card information and the re-emergence of The Grill on Broadway’s story comes during the same month that several point-of-sale vendors, including Oracle MICROS, have announced potential compromises — and a series of retailers and hotels have subsequently published data breach notifications.

Those breaches haven’t been explicitly connected, but several of the hotels to recently announce breaches have previously confirmed using MICROS products.

For example, Millennium Hotels & Resorts (MHR), which recently announced a data breach affecting food and beverage point-of-sale systems at 14 hotels, said it was notified by a third-party service provider about “malicious code in certain of its legacy point of sale systems, including those used by MHR.”

“The third party is a significant supplier of PoS systems to the hotel industry,” a spokesperson responded when SurfWatch Labs inquired about problems stemming from the supply chain. “It is aware of these issues. We are not disclosing the name.”

However, in 2008 MICROS Systems, now owned by Oracle, announced that Millennium Hotels & Resorts would be using MICROS “as the standard food and beverage point-of-sale solution for its 14 Millennium Hotel properties located in the United States” — so it’s possible there’s some connection between the breaches.

The same Russian group that hit MICROS has targeted at least five other cash-register providers, according to Forbes’ Thomas Fox-Brewster. Investigations are ongoing, but as we noted in our recent report, cybercrime is increasingly interconnected and compromises can quickly move down the supply chain, affecting everyone from small businesses to large enterprises.

If that 60% statistic is true, even partially, then it raises the question: will these recent breaches in the point-of-sale supply chain lead to more shuttered doors in the future?

And will we hear those businesses’ stories if it does happen? Or will they just become another vague statistic that we all continue to reference?

After Slow Start in 2016, Point-of-Sale Breaches Surging

Last week Eddie Bauer became the latest in a growing string of companies to announce a major point-of-sale-related breach. All 350 North American stores were affected by malware that may have siphoned off customers’ payment card information between January and July of this year.

Not all cardholder transactions were impacted, the company said, and the breach does not include any online transactions; however, the announcement comes during the same month that Oracle MICROS, HEI Hotels & Resorts and several other companies posted similar breach announcements.

The recent surge follows a comparatively quiet period over the first half of 2016, as this chart from our Mid-Year 2016 Cyber Risk Report highlights.

[Chart: point-of-sale chatter by month, from the Mid-Year 2016 Cyber Risk Report]
Compared to the large number of POS breaches and chatter in 2014, the past year and a half has been relatively quiet — other than a spike in late 2015 tied to several different hotel breaches, the report said.

“This dip in discussion is accentuated by the extreme number of high-profile organizations affected by POS breaches in 2014, perhaps skewing the perception for what ‘normal’ levels of activity should be,” the report noted. “Point-of-sale breaches are not making as many headlines, but breaches so far this year have proven that for many organizations the associated costs are as high or higher than they have ever been.”

Revisiting that chart a month and a half later, it appears the activity level is now kicking up to match those high costs. SurfWatch Labs has collected more point-of-sale-related CyberFacts in August (through just 21 days) than any other month so far this year.

[Chart: point-of-sale CyberFacts by month, 2016-08-22]
The number of point-of-sale CyberFacts collected by SurfWatch Labs has surged in recent months (data through August 21). HEI Hotels & Resorts is the highest trending POS-related target this month after announcing a data breach.

Oracle, Other Vendors Compromised

Adding to the concern around point-of-sale systems, Brian Krebs recently broke the news of a breach of hundreds of computer systems at Oracle, including a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.

Sources said the MICROS customer support portal has been observed communicating with a server known to be used by the Carbanak Gang. That’s alarming since the gang is suspected of being behind the theft of more than $1 billion from financial institutions in recent years.

“This breach could be little more than a nasty malware outbreak at Oracle,” Krebs wrote. “However, the Carbanak Gang’s apparent involvement makes it unlikely the attackers somehow failed to grasp the enormity of access and power that control over the MICROS support portal would grant them.”

The investigation is ongoing, and Oracle so far has not provided customers or media outlets with many answers.

To make matters worse, Forbes’ Thomas Fox-Brewster reported that several other cash register suppliers besides MICROS have been breached recently.

“It now appears the same allegedly Russian cybercrime gang has hit five others in the last month: Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell,” he wrote. “Together, they supply as many as, if not more than, 1 million point-of-sale systems globally.”

Hotels Remain Top Trending POS Target

In our mid-year report, the “Hotels, Motels and Cruiselines” subgroup of Consumer Goods dominated the chatter around point-of-sale breaches, and not much has changed in the two months since that report. In fact, nearly 42% of all the point-of-sale CyberFacts collected by SurfWatch Labs so far this year have fallen into that group.

[Chart: point-of-sale CyberFacts by industry group, 2016-08-22]
More than 60% of SurfWatch Labs’ point-of-sale related CyberFacts collected this year fall into either the Hotels, Motels and Cruiselines or Restaurants and Bars groups.

The top trending point-of-sale target this month is HEI Hotels & Resorts, which announced a breach involving 20 hotels on August 12. The malware was discovered in June on point-of-sale systems used at restaurants, bars, spas, lobby shops and other facilities, according to Reuters. Twelve Starwood hotels, six Marriott International properties, one Hyatt hotel and one InterContinental hotel were impacted.

If those names sound familiar, it’s because several of them have already made news for data breaches of late, including Hyatt in December 2015 and Starwood in January 2016.

Other data breaches this year involving hotels include Kimpton Hotels, Hard Rock Hotel & Casino Las Vegas, Rosen Hotels & Resorts and the Trump Hotel Collection.


Although the various incidents that have been announced in recent weeks have not been explicitly connected by either researchers or law enforcement, the breach notice from Eddie Bauer did signify that other organizations have been targeted with a similar campaign.

“Unfortunately, malware intrusions like this are all too common in the world that we live in today,” the company wrote. “In fact, we learned that the malware found on our systems was part of a sophisticated attack directed at multiple restaurants, hotels, and retailers, including Eddie Bauer.”

Other experts such as Gartner fraud analyst Avivah Litan have speculated that the breach at Oracle “could explain a lot about the source of some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider.”

At the moment many questions remain, but if these investigations lead to the discovery of further compromises, expect to see more breach announcements and more payment card information being sold on Dark Web markets in the months to come.

Payment Transactions Face New Data Breaches and Exploits

The last few weeks have not been kind to businesses and customers concerning payment transactions and digital currency. Several point-of-sale systems and digital wallet services have come under fire for data breaches and potential financial theft — not to mention the recent theft of $68 million worth of bitcoin.

The most wide-reaching event may be the breach at software company Oracle Corp, which was reported by Brian Krebs on Monday. A Russian cybercrime group appears to be behind an attack that saw the compromise of hundreds of computer systems, including a customer support portal for Oracle’s MICROS point-of-sale credit card payment systems.

This could be a potentially huge breach, as more than 330,000 cash registers around the world utilize Oracle’s MICROS point-of-sale system. In 2014, the company said that about 200,000 food and beverage outlets, 100,000 retail sites, and 30,000 hotels used the software.

It is currently unknown how many organizations were affected by the breach or how long the breach took place. The investigation is ongoing, but potential ties to the Carbanak Gang have raised the level of concern. Oracle did tell Brian Krebs that the company “detected and addressed malicious code in certain legacy MICROS systems,” and that Oracle asked customers to reset their MICROS passwords.

Digital Wallets Face Scrutiny

At last week’s Black Hat conference, a security researcher presented on a flaw in the mobile payment system Samsung Pay. Samsung Pay allows customers to save payment cards on a digital wallet, providing users the option to select the payment card of their choice with the added security of a PIN or fingerprint scan to complete a purchase.

Security expert Salvador Mendoza discovered several problems with Samsung Pay, including static passwords used to protect databases, weak obfuscation, and comments in the code. Mendoza also discovered issues with the tokens that are used to complete transactions. Cybercriminals could potentially predict future tokens from studying previous tokens and use them to make fraudulent transactions.

“Samsung Pay has to work harder on the token’s expiration date to suspend it as quickly as possible after the app generates a new one, or the app may dispose of the tokens which were not implemented to make a purchase,” Mendoza explained. “Also, Samsung Pay needs to avoid using static passwords to ‘encrypt’ its files and databases with the same function because eventually someone will be able to reverse it.”

Samsung responded to Mendoza’s claims by saying “reports implying that Samsung Pay is flawed are simply not true.”

However, in a separate document Samsung did admit that “skimming” a token is possible, although extremely difficult.

“Samsung Pay’s multiple layers of security make it extremely difficult to make a purchase by skimming a token,” the company wrote. “This skimming attack model has been a known issue reviewed by the card networks and Samsung pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack.”

Samsung Pay isn’t the only digital wallet in the news for potential cybersecurity issues. Venmo — a digital wallet service that allows users to interact with friends by sending money, making purchases, and sharing payments — made headlines recently for flaws that could potentially lead to malicious purchases.

A flaw in an optional SMS-based feature could allow a criminal to easily steal money from people’s accounts, according to researchers. Venmo lets users charge friends through shared bill pay, and the friend has to authorize the charge before payment is made. A hacker with physical access to a Venmo user’s locked phone could steal money from that user’s account by replying to the notification text message with the 6-digit approval code it contains. Two iOS conveniences make this possible: Siri can reply to text messages from a locked device, and the text message preview shows the code on the lock screen.

“A hacker could have sent a payment request to a targeted user, and if they had access to the victim’s locked device, they could have used Siri to send the approval code displayed on the screen,” said Eduard Kovacs of SecurityWeek. “The maximum amount of money an attacker could have stolen from one user was $2,999.99 per week, which is the weekly limit set by the developer.”

Keeping Payments Safe

As we’ve highlighted on this blog and in recent threat intelligence reports, high-profile payment-related breaches aren’t at the forefront of cybercrime in the way they were several years ago. However, recent events show that these payment systems — traditional point-of-sale systems, digital wallets and digital currencies — can still lead to significant direct losses as well as brand damage and other consequences from the negative press generated by discovered vulnerabilities.

As SurfWatch Labs’ Chief Security Strategist Adam Meyer recently wrote, cybersecurity is largely about identifying and removing opportunity for malicious actors to do bad things — either directly or indirectly. There are clear best practices that both businesses and customers can use to help protect sensitive payment data. Unfortunately, data is only as safe as the methods used to protect it.

Cybercriminals are constantly coming up with new methods and tricks to crack software and trick people into divulging their sensitive information. Cyber threat intelligence can help organizations remain mindful of the many new and evolving threats, identify their weaknesses, and deploy safeguards to protect data — whether that is payment-related data or other sensitive information.


Despite Drop In Frequency, PoS Data Breaches are Still a Threat

In 2014, point-of-sale (PoS) data breaches against mainstream retail stores like Target and the Home Depot were primary talking points in cybersecurity. In 2016, PoS data breaches haven’t garnered as much attention, with threats like ransomware and more sophisticated phishing attacks taking up the mantle of the leading concerns in cybersecurity.

Over the last two years, the amount of chatter around PoS breaches has dropped dramatically.

[Chart: Point of sale chatter]
The chart above shows all PoS-related CyberFacts from June 2014 through May 2016. Outside of a rise in CyberFacts starting in October 2015, the amount of chatter concerning PoS breaches has remained low.

PoS breaches still occur, but both the frequency of attacks and the targets have changed. In 2014, department stores were the most affected by PoS data breaches. Since then, cybercriminals have turned their attention towards hotels, restaurants and bars. In many instances, the compromised payment system belonged to a restaurant or bar attached to a hotel. The payment card breach against Starwood properties is one example of this activity.

[Chart: POS chatter by group]
Cybercriminals have shifted to new targets with regards to PoS breaches. While Department Stores were the top trending target in 2014, cybercriminals have since shifted their efforts to breaching PoS systems at Hotels, Motels and Cruiselines.

New EMV Standards Having an Impact on PoS Cybercrime

Back in October 2015, the EMV liability shift took effect in the United States, moving liability for counterfeit-card fraud onto whichever party, merchant or card issuer, had not adopted chip technology. Many big retail stores have adopted the technology, which has helped reduce the number of payment card attacks against them.

There have been well-documented problems so far with EMV, from customers not having access to chip-enabled cards to retailers offering customers the option to swipe their card rather than requiring them to use the chip (in the U.S., most chip cards are chip-and-signature rather than true Chip-and-PIN). Perhaps the biggest problem with the EMV shift is the number of retail companies that simply do not offer customers payment terminals that accept the new chip cards.

Despite the problems, EMV has reduced PoS cybercrime. Its main effect is on counterfeit-card fraud: chip transactions are far harder to clone onto a fake card, although a compromised terminal can still capture the card number and expiration date, which remain usable for card-not-present fraud. As a result of the increased security, cybercriminals are turning their attention to other, more lucrative attack vectors. In 2016, phishing and ransomware attacks have both trended highly.

Latest PoS Data Breaches and Malware

However, cybercriminals haven’t completely turned away from attacking payment terminals. To date, SurfWatch Labs has collected information on 23 industry targets related to PoS data breaches.

In what is probably the most recent of those breaches, security journalist Brian Krebs has reported payment card fraud traced back to the Texas-based restaurant chain CiCi’s Pizza. In this event, a cybercriminal posed as a “technical support specialist” for the company’s PoS provider, which allowed access to payment card data. This social engineering technique is one way cybercriminals can circumvent EMV (assuming CiCi’s Pizza used chip-enabled payment terminals), since a chip protects the card at the reader but not the systems behind it.

Malware remains a common attack vector against PoS systems as well. New variants are still being created and continue to evolve. Some of the latest PoS malware families to make headlines include:

  • TreasureHunt PoS
  • AbaddonPOS
  • Multigrain
  • FighterPOS
  • FastPOS

With EMV implementation taking place at new retail locations daily, the number of PoS-related data breaches is bound to decrease. Protecting customers at the point of physical payment is paramount to retail operations, but organizations can do more. Social engineering and phishing attempts are among the biggest threats facing organizations today, and Chip-and-PIN won’t protect against them. Deploying network security controls like firewalls is obviously important, but educating employees about phishing and social engineering tactics is arguably just as important a cybersecurity strategy.