There have been numerous high-profile data breaches within the past few months, including companies such as Home Depot, Dairy Queen, Lowes, Goodwill Industries and Jimmy Johns. The commonality between these organizations is that they were all Point of Sale (PoS) breaches. Malware was planted within the PoS system that enabled credit card data to be stolen from unknowing customers at checkout.
While state laws mandate disclosure of certain breaches, the manner in which a breach occurs is generally not part of the disclosure. The most recent round of PoS breaches has been blamed on third-party vendors that supply the PoS hardware and software, with speculation that it all began with a compromise of login credentials.
Unfortunately, most breaches go on for months, with the compromised organization being notified by law enforcement rather than by its own internal security or IT staff. In the case of the Backoff malware used to compromise PoS systems, the virus was detected in October 2013; however, antivirus products did not identify it until August 2014. The United States Secret Service currently estimates that over 1,000 US businesses are affected.
One frequent way in which these types of compromises commence and login credentials are compromised is through social engineering. While there are ways to reduce the impact of lost or compromised credentials, we want to focus here on the threat posed by social engineering.
Social engineering is the art of manipulating individuals into divulging confidential information such as passwords or account information, or into allowing the attacker to gain control over their computer. The goal of the fraudster is to secure a foothold in the target organization before the target has had an opportunity to think. An adept social engineer relies on an individual's innate trust in order to garner the information they are after. Depending on the organization, it is generally easier to socially engineer a foothold than to exploit technical vulnerabilities.
Social engineering exploits can come in the form of an email, text message, phone call or otherwise. Messages may carry attachments that contain malware. In other cases the target might click on an embedded link in a message that downloads malware or requests confidential information such as network login credentials, banking information, or personal and private information such as date of birth, SSN, etc. Common scenarios used to bait targets include being told they have won something, that their computer needs repair, that a friend is in need, or that a charity is looking for support.
During this year's Social Engineering Capture the Flag (SECTF) competition at DEF CON 22, nine teams placed cold calls to a variety of large retailers, including Home Depot, CVS, Costco, Lowe's, Macy's, RiteAid, Staples, Walgreens, and Walmart, to glean confidential information. According to an article covering the event, none of the retailers did well enough to pass.
Prior to the competition, each team scoured public records from open-source information databases to understand its target company better and devise its approach. One team discovered that a retailer's public website contained a portal to its corporate intranet. This portal connection provided access to the internal network without employee credentials. In addition, the website itself contained an online instructional document on how to access the intranet, with a sample login username and password that was functional. Once the team discovered this information they went no further. Unknowingly, the company had created a major vulnerability that left the door open for hackers to further exploit its internal systems.
Does your IT department have the ability to recognize serious architectural flaws which could lead to hacking? Are third-party resources engaged to review your security posture on an ongoing basis? How well does your company prepare its employees to recognize potential social engineering attacks? Are employees prepared to resist the temptation to click on links when a prize has been offered or a fraudulent email advises that their login credentials need to be updated, or to question a caller posing as an IT worker, BEFORE acting? It only takes one employee to slip for the organization to fall prey to a social engineering attack that could result in a serious breach. Training must be provided on an ongoing basis if the organization is to withstand a targeted attack.
Network Management Solutions has been assisting organizations to build, monitor and protect their information assets since 1996. Please contact us for further information and assistance.