More than 850 Wawa convenience stores and gas pumps had malware in payment processors that potentially compromised customers’ credit and debit card numbers, expiration dates, and cardholder names, the company announced. Wawa CEO Chris Gheysens wrote that Wawa’s security team discovered the malware on Dec. 10 and contained it two days later, but that the data breach began in March 2019. It was only a matter of days before at least six lawsuits—seeking class-action status—were filed in federal court in Philadelphia.
It’s been a bad year for data breaches, according to a new report by Risk Based Security. “Whether it’s a phishing campaign that ultimately provides malicious actors with a toehold into systems or misconfigured databases and services that leave millions of sensitive records freely available on the internet, it seems to be human nature coupled with weak controls that contributed heavily to the number and severity of breaches we’ve seen this year,” wrote Inga Goddijn, executive vice president at Risk Based Security.
The announcement by Pennsylvania-based Wawa did not identify how the attackers infected its payment systems. Experts say it is typical for attackers to gain access to computer systems with “phishing” emails that dupe employees into downloading malware. “Hackers don’t attack computer code. Hackers attack user gullibility,” Michael Levy, former chief of computer crimes at the US Attorney’s Office for the Eastern District of Pennsylvania, told the Philadelphia Inquirer.
Phishing attacks are on the rise, according to a new report by Wombat Security Technologies, State of the Phish. “The threat of phishing attacks is real. News headlines and numerous studies have proven that phishing attacks are on the rise, and our survey of security professionals showed the same,” the report states. “Not only are more organizations reporting being the victim of phishing attacks, but the number they are experiencing has gone up. Attackers are becoming more sophisticated and varied in their approach, using multiple threat vectors.”
Phishing emails that mimic expected work emails are particularly effective, warned the firm. One simulated phishing email, with a subject line of “Urgent Email Password Change,” garnered a 28 percent click rate. “Users were most likely to click on attachments and messages they expected to see in their work inboxes, like an HR document or a shipping confirmation,” according to the company’s report.
Types of emails employees should be made particularly aware of include:
- Technical emails, in which malicious links are disguised in error reports and bounced email notifications. A “Delivery Status Notification Failure” is a popular example, according to the firm.
- Corporate email scams that are designed to look like official corporate communications, such as benefit enrollment messages, invoices, and communications about confidential human resources documents.
Increased specificity in phishing attacks has been noted in recent annual reports by Verizon Enterprise Solutions. “Attackers are getting much more specific and focused on where they are aiming,” according to Mike Denning, vice president of global security. “In the past, attackers used a tactic often known as ‘spray-and-pray’ where they would attack very broadly with the hope of hitting something. The specifics of the targeting are now getting much more refined.” Hackers’ target lists increasingly include high-level individuals with access to privileged information, such as a company’s CFO, director of HR, board members, and so on. Between 70 and 90 percent of malware samples are now unique to a specific organization, notes the company’s Data Breach Investigations Report.
When an attack is highly targeted and customized to a particular organization, it becomes harder to identify and can be difficult to recognize as something suspicious, note analysts in Deloitte & Touche’s Cyber Risk Services division. The advice: assume that some of these attacks are going to be successful to some degree, and plan accordingly; be prepared to react quickly and effectively to minimize the business impact of successful hacks.
In addition to social engineering awareness training of employees, security teams at large organizations can also take proactive steps to assess vulnerability and address deficiencies, according to Nathan Drier, a security consultant and ethical hacker at Trustwave. Conducting very basic tests of security defenses can often prove enlightening, he suggested. Some examples:
- Pretend to be from a trusted third-party vendor and send an email asking end users to open an attached file or visit a particular ‘malicious’ website.
- Send out an email telling employees that IT has upgraded them to a newer version of their external webmail service and linking to a look-alike login page (people who log in thus hand their usernames and passwords to whoever controls the fake site).
- Drop infected USB thumb drives on the ground where employees park. Track how many are used.
- Check whether you can reach a location’s dumpsters, and take samples for analysis. Vendor information, passwords, usernames, proprietary lists, network information, and other valuable data can sometimes end up there.
- Call your organization, express an interest in a particular job, and see whether you are asked to send in a resume. Send one in and see whether recipients open the attached malware-infected file.
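The first two tests above (a tracked link in a vendor-style email, and a fake “webmail upgrade” login page) both come down to the same bookkeeping: one unguessable link per recipient, a record of who clicked and who typed in credentials, and a click rate like the 28 percent figure cited earlier. The following Python is an added example written for this page, not code from Trustwave, Wombat, or the article; the landing host `awareness.example.internal`, the campaign name, and the recipient addresses are assumptions. It deliberately never keeps the submitted password, so the exercise does not create a new credential store that itself needs protecting. Run only against your own organization with written authorization.

```python
"""Minimal phishing-simulation tracker (added example; hypothetical names throughout)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

LANDING_HOST = "awareness.example.internal"  # assumed host the security team controls


@dataclass
class Campaign:
    name: str
    # Per-campaign key; tokens derived from it are unguessable without the key.
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    tokens: dict = field(default_factory=dict)    # token -> recipient address
    clicked: set = field(default_factory=set)     # recipients who opened the link
    submitted: set = field(default_factory=set)   # recipients who typed credentials

    def token_for(self, recipient: str) -> str:
        # HMAC(secret, campaign:recipient): stable per recipient, so resending
        # the email yields the same link, yet not forgeable by a curious employee.
        msg = f"{self.name}:{recipient}".encode()
        tok = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:20]
        self.tokens[tok] = recipient
        return tok

    def link_for(self, recipient: str) -> str:
        return f"https://{LANDING_HOST}/webmail/login?" + urlencode(
            {"t": self.token_for(recipient)}
        )

    def message_for(self, recipient: str) -> str:
        # The pretext from the article: IT has "upgraded" the external webmail service.
        return (
            "Subject: Action required: webmail upgrade\n\n"
            "IT has migrated your mailbox to the new webmail service. "
            "Please sign in to confirm your account:\n"
            f"{self.link_for(recipient)}\n"
        )

    def _recipient_from(self, url: str):
        tok = parse_qs(urlparse(url).query).get("t", [None])[0]
        return self.tokens.get(tok)  # None for unknown or tampered tokens

    def record_click(self, url: str):
        """Called when the landing page is requested; returns the recipient or None."""
        recipient = self._recipient_from(url)
        if recipient is not None:
            self.clicked.add(recipient)
        return recipient

    def record_submission(self, url: str, username: str, password: str):
        """Called when the fake login form is posted. The password is discarded:
        the test only needs to know that credentials were entered."""
        del password  # never logged, never stored
        recipient = self.record_click(url)
        if recipient is not None:
            self.submitted.add(recipient)
        return recipient

    def report(self) -> dict:
        n = len(self.tokens)
        return {
            "recipients": n,
            "click_rate": len(self.clicked) / n if n else 0.0,
            "submit_rate": len(self.submitted) / n if n else 0.0,
            "clicked": sorted(self.clicked),
            "submitted": sorted(self.submitted),
        }


def run_demo() -> dict:
    """Constructed scenario: four staff, one clicks, one also submits a password."""
    c = Campaign("q1-webmail-upgrade")
    staff = ["alice@example.com", "bob@example.com",
             "carol@example.com", "dave@example.com"]
    links = {p: c.link_for(p) for p in staff}  # would be mailed with message_for()
    c.record_click(links["alice@example.com"])
    c.record_submission(links["bob@example.com"], "bob", "hunter2")
    return c.report()


if __name__ == "__main__":
    print(run_demo())
```

The per-recipient token is what turns a vague "some people clicked" into a list the awareness team can follow up with; the `record_submission` path separates merely visiting the page from actually entering a password, which is the number that matters for the webmail-upgrade pretext.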