This is a security alert for all TruShield clients, the restaurant industry, the retail industry, and the community at large. TruShield has learned of new details in point-of-sale data breaches.
As we reach mid-2016, breaches have steadily continued across a wide variety of industries. Recent weeks have revealed several leaks of credentials from networking sites including Myspace, Tumblr, and Twitter, along with an increase in the scope of the 2012 LinkedIn breach. The mounting total, now in the hundreds of millions of users, even found Mark Zuckerberg among the growing list of victims, exemplifying the need for complex and unique passwords. On the heels of these concerns come more details of point-of-sale (POS) data breaches, especially within the restaurant industry. The first is related to the Wendy’s data breach reported early this year, while the second appears to be breach activity at CiCi’s Pizza.
Originally revealed in January, the Wendy’s data breach became even more concerning this past week when the well-known fast food restaurant released a company statement indicating a large increase in the total number of affected locations. This major increase was attributed to the discovery of an additional POS malware strain that infected other locations and went unnoticed until recently. This is reminiscent of activity described in our post a few weeks ago involving the POS malware threats AbaddonPOS and TinyPOS. The POS breach activity at CiCi’s Pizza was discovered and reported by Brian Krebs and other outlets a little over a week ago. This activity appears to be ongoing and has yet to be completely verified or acknowledged by the company, but several people have indicated that their card data was compromised on the same day they ate at CiCi’s Pizza. Even more recently, these compromised POS systems appeared to be part of a larger botnet of POS systems, possibly linked to infection by the Punkey malware.
If the information in these statements is correct, then the two breaches share a common attack vector. Both are believed to have involved social engineering and tactics often seen in tech support scams. These are typically employed against home users and target people who are less computer savvy. The attackers attempt to convince users that there is a problem with their device and ask for access or credentials in order to establish access via remote programs like TeamViewer, sometimes in search of personal data. In these instances, the access appears to have been used to install POS malware.
This recent wave of leaks, including breaches of payment card details, is a sobering and costly reminder to businesses and consumers alike. Businesses need to ensure that they have invested not only in the technological side of security, but also in training employees to recognize social engineering. Employees need to be able to determine whether a person is authorized to access a system; otherwise these kinds of attacks will always have a chance of success. Consumers need to protect themselves by keeping a close eye on transactions, choosing credit rather than debit when possible, and favoring retailers with fully implemented chip-and-PIN technology over those that still expose data through outdated POS systems.
Mitigation and Prevention
- Train employees to recognize social engineering tactics.
- Enable EMV and/or point-to-point encryption solutions on POS terminals.
- Carefully guard credentials and access to POS terminals.
- Restrict installation and use of remote access tools.
- Use updated antimalware and antivirus products.
- Use application control software with a base deny policy on executables.
- Isolate infected systems from the network.
- Monitor systems for registry or file changes.
- Keep systems patched with the latest updates.
- Continuously monitor network traffic for C&C activity.
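As an added illustration of the application-control and monitoring items above (example code written for this alert, not TruShield's own tooling), the following Python applies a base-deny allowlist to constructed process-start events from a POS terminal and flags any involvement of the remote access tool named in this alert; the allowlist paths, the event format and the register.exe name are assumptions.

```python
import ntpath
import re

# Hypothetical base-deny allowlist for a POS terminal: anything not listed is denied.
POS_ALLOWLIST = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\pos\register.exe",  # assumed name and path of the register application
}
ALLOWED_BASENAMES = {ntpath.basename(p) for p in POS_ALLOWLIST}
REMOTE_ACCESS_MARKERS = ("teamviewer",)  # the remote access tool named in the alert

# Constructed process-start events (not real logs); values containing spaces are quoted.
SAMPLE_EVENTS = [
    r'ts=2016-06-12T13:05:11 host=POS-07 user=cashier image="C:\POS\register.exe" parent="C:\Windows\explorer.exe"',
    r'ts=2016-06-12T13:07:42 host=POS-07 user=cashier image="C:\Users\cashier\Downloads\TeamViewer_Setup.exe" parent="C:\Program Files\Internet Explorer\iexplore.exe"',
    r'ts=2016-06-12T13:09:03 host=POS-07 user=cashier image="C:\Windows\Temp\svchost.exe" parent="C:\Program Files\TeamViewer\TeamViewer.exe"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split a key=value event line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(line):
    """Apply the base-deny policy and flag remote-access-tool involvement."""
    ev = parse_event(line)
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    flags = []
    if any(m in image or m in parent for m in REMOTE_ACCESS_MARKERS):
        flags.append("remote-access-tool")
    # An allowlisted file name running from a non-allowlisted path is a masquerade attempt.
    if image not in POS_ALLOWLIST and ntpath.basename(image) in ALLOWED_BASENAMES:
        flags.append("masquerade")
    verdict = "allow" if image in POS_ALLOWLIST else "deny"
    return {"ts": ev.get("ts"), "host": ev.get("host"), "image": ev.get("image"),
            "verdict": verdict, "flags": flags}


def triage(events=SAMPLE_EVENTS):
    """Return only the events a POS operator should act on (denied executions)."""
    return [r for r in (classify(e) for e in events) if r["verdict"] == "deny"]


if __name__ == "__main__":
    for r in triage():
        print(r["ts"], r["host"], r["verdict"], r["image"], ",".join(r["flags"]))
```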