A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

June 24, 2019 • Issue 19:06:02

Cybercriminals scoring deeper, wider, faster

By Patti Murphy

Business email accounts are a burgeoning frontier for cybercriminals. And email's not the only lucrative target for today's sophisticated thieves, as demonstrated by a spate of attacks on POS systems and parties handling collections for major medical labs. Perhaps the most stunning recent development in cybercrime is the realization that blockchains – the ledgers that record cryptocurrency transactions, a technology considered to be extremely secure – are being hacked.

In January 2019, the Coinbase platform revealed it had foiled an attacker trying to steal $1.1 million in Ethereum cryptocurrency. Crypto exchanges Binance and Cryptopia were less fortunate. Binance, one of the largest cryptocurrency platforms, confirmed in May that hackers had taken more than $40 million in bitcoins, or about 2 percent of the exchange's bitcoin holdings.

Cybercriminals apparently collected Binance account credentials via phishing attacks and malware. At about the same time, Cryptopia, a New Zealand exchange, suspended trading operations and was placed in liquidation after it was discovered hackers siphoned $16 million in cryptocurrencies from the exchange.

And there's more disturbing news: Chainalysis, a New York firm that develops software for monitoring cryptocurrency transactions, reported that hacking "dwarfs all other forms of cryptocrime, and is dominated by two professional hacking groups." To date, these two gangs have absconded with an estimated $1 billion in cryptocurrencies. "And given the potential rewards, there's no question that hacking will continue; it is the most lucrative of crypto crimes," the firm wrote in a recent report.

POS vulnerabilities

Meanwhile, cyberattacks targeting credit and debit card numbers and personally identifiable information continue, albeit at a slower pace than previously. Verizon's 2019 Data Breach Investigations Report suggests EMV security is delivering dividends: compromises of credit and debit card information at POS terminals are declining. However, as anticipated, theft of payment data online is on the rise.

In May 2019, Checkers Drive-In Restaurants Inc. disclosed that malware was placed on POS systems at 100-plus Rally's and Checkers restaurants in 20 states (affecting about 15 percent of its restaurants) that may have exposed the payment card data of an undisclosed number of customers. "The malware was designed to collect information stored on the magnetic stripe of payment cards," the company said in a statement.

Word of the Checkers' attack came shortly after news that an unknown number of restaurants in the fast-food chain Huddle House had been similarly affected. "Criminals compromised a third-party point of sale vendor's data system and utilized the vendor's assistance tools to gain remote access – and the ability to deploy malware – to some Huddle House POS systems," the firm said in a statement. Like the criminals responsible for the Checkers intrusion, thieves used malware to capture information stored on magnetic-stripe credit and debit cards.

And in February, North Country Business Products, a Minnesota a firm that provides POS systems for the hospitality and grocery sectors, said its IT system had been breached, which enabled attackers to plant malware on the POS networks of more than 130 restaurants, bars and coffee shops. The malware harvested cardholder names, card numbers, expiration dates and CVV numbers, the company said.

"Point-of-sale systems are a prime target for cybercriminals because they can access a variety of businesses and customers," said Ryan Wilk, who was vice president of customer success at NuData Security until his untimely death in May of this year. "To avoid getting hit by any creative form of malware, it is essential to continuously monitor POS devices and update security patches regularly." NuData is owned by Mastercard and specializes in passive biometrics and behavioral analytics technology.

Millions of medical records breached

Although notable, the scope of these breaches pales in comparison to recent hacks involving major medical diagnostic firms. According to reports filed with the Security and Exchange Commission, a breach of American Medical Collection Agency, a third-party billing collections service employed by Quest contractor Optum360, compromised information on nearly 20 million patients over an eight-month period, ending in March 2019. SEC filings in June by Quest Diagnostic and LabCorp. indicate the intrusion exposed personal identification and client payment card information, but no medical information or lab test results.

The breaches triggered dozens of lawsuits against Quest, LabCorp and AMCA, as well as federal and state inquiries. New Jersey's Democratic senators, Cory Booker and Robert Menendez, are demanding answers from AMCA on how the breach occurred and why it took eight months to detect.

"Consumers should be able to have a reasonable expectation that, when they share their personal data with any company or its billing partner, such as AMCA, the data will be protected," the two wrote in a letter to AMCA President Russell Fuchs.

George Wrenn, founder and CEO of CyberSaint Security, said he wouldn't be surprised if similar breaches get uncovered. "The prevalence of third-party breaches, as well as the severity, is only increasing as digitization takes over modern businesses," he said, adding that businesses need to stay on top of what their third-party partners are doing to ensure security of patient data.

All these breaches come as bad news for compromised companies and open online businesses to even greater threats, because in addition to being fertile ground for hackers, online is where stolen credit card information tends to be used most.

"Attacks against ecommerce web applications continue their renaissance," Verizon said in its report. "[V]ulnerable internet-facing ecommerce applications provide an avenue for efficient, automated and scalable attacks. And there are criminal groups that specialize in these types of attacks that feast on low-hanging fruit." Cybercriminals aren't just going after data at rest, Verizon warned. "Code is being injected to capture customer data as they enter it into web forms," the company stated. It's not just payment card data the crooks are after, either. Verizon said rewards programs are being hit for the points and personal information that can be stolen.

Better IT hygiene and network security are 'table stakes'

Perhaps the most disturbing trend uncovered by Verizon, however, is a continuing rise in email phishing attacks targeting senior executives at business enterprises. These business email compromises can reap huge dividends because targeted individuals can approve payments and have privileged access to critical systems. Typically time starved, senior executives often quickly review and click on emails, making it easier for suspicious emails to slip through the cracks, researchers noted, adding that focused education on cybercrime risks is lacking at many companies.

"Technical IT hygiene and network security are table stakes when it comes to reducing risk," said George J. Fischer, senior vice president and group president at Verizon Global Enterprise. "It all begins with understanding your risk posture and the threat landscape, so you can develop and implement a solid plan to protect your business against the reality of cybercrime."

"Security needs to be seen as a flexible and smart strategic asset that constantly delivers to the businesses, and impacts the bottom line," added Bryan Sartin, executive director of global security professional services at Verizon Enterprise Solutions.

Side Note:

Some retailers spared data breach lawsuits, for now

It just became tougher for consumers in some states to pursue negligence claims against retailers when their card information is snatched in data breaches involving those retailers. In a ruling handed down May 31, 2019, the Eighth Circuit Court of Appeals affirmed lower court rulings that consumers can't pursue claims against grocery chain SuperValu Inc. just because their card information was caught up in a cyberattack on the chain. They must demonstrate monetary losses. The court also rejected an attempt to sue under the Federal Trade Commission Act, ruling that only the Federal Trade Commission can pursue actions under that act. The Eighth Circuit Court of Appeals reviews decisions rendered by U.S. District Courts across the country's midsection, including Iowa, Missouri, Minnesota, Nebraska, North Dakota, South Dakota and parts of Arkansas. end of article

Patti Murphy is senior editor at The Green Sheet and president of ProScribes Inc. Follow her on Twitter @GS_PayMaven.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing