by titanadmin | Apr 19, 2017 | Industry News |
A Shoney’s Restaurants malware infection has resulted in the theft of customers’ payment card details. Hackers managed to install malware on the POS system used by dozens of Shoney’s restaurants
Shoney’s is a 70-year-old Nashville, Tennessee-based restaurant chain that operates approximately 150 restaurants across the Southern United States, Midwest and lower Atlantic region. The chain serves customers in 17 states, although only selected restaurants in Alabama, Arkansas, Georgia, Florida, Louisiana, Mississippi, Missouri, South Carolina, Tennessee and Virginia were affected. At least 37 restaurants were affected.
Financial institutions identified a trend in credit card fraud and were able to determine that all of the affected cardholders had visited a Shoney’s Restaurant. Best American Hospitality Corp., which manages and operates a number of Shoney’s establishments, was notified of a potential cyberattack and started an investigation. Kroll Cyber Security LLC was hired to conduct an investigation into the attack.
Kroll’s investigation revealed the malware enabled the attackers to steal cardholder names, credit card numbers, CVV codes, and expiry dates, although in some cases, cardholder names were not obtained. It is unclear how many individuals have been impacted, although any individual who visited one of the affected restaurants and paid by credit card has potentially had their information stolen. The malware was capable of reading data from the magnetic strips of payment cards as the information was routed through its computer system.
Access to the POS system is understood to have first been gained on December 27, 2016, although some restaurants were not infected until January 11. The Shoney’s Restaurants malware infection was contained on March 6, 2017, according to a press release issued by Best American Hospitality Corp.
The Shoney’s Restaurants malware attack is the latest is a slew of POS system breaches that have hit the hospitality sector hard. Earlier this year, the Arby’s restaurant chain was attacked and had credit card data stolen, while Wendy’s suffered a major credit card breach last year. Hotels have also been attacked, with more than 1,100 Intercontinental Hotel Group hotels discovered to have had malware installed that accessed its POS system.
Cyberattacks on the hospitality sector are to be expected. Hotels and restaurants are visited by tens of thousands of customers, and payment by credit card is common. Card details can be stolen and encoded onto magnetic strips on blank cards and used for fraudulent purchases. Each card number can allow criminals to steal hundreds, if not thousands of dollars.
All too often, data breaches occur due to poor security practices such as the failure to use strong passwords or failing to change default passwords. Other basic security failures that can open the door to attackers include failing to use web and email security products, not using two-factor authentication and not implementing security patches promptly. Businesses should also conduct regular vulnerability scans and penetration tests to ensure all of their systems are secure.
If you would like advice on web and email security protections that can prevent hackers from gaining access to your POS system and installing malware, contact the TitanHQ team today and find out how you can improve your resilience against malware and cyberattacks.
by titanadmin | Apr 19, 2017 | Email Scams, Phishing & Email Spam, Spam News |
2017 was the year when Locky Ransomware first arrived on the scene, with the ransomware variant fast becoming the biggest ransomware threat. Locky infections rose rapidly following its release in February and continued to rise in the first half of the year. The ransomware variant was initially installed via exploit kits, although as exploit kit activity fell, the developers switched to spam email as the primary attack vector.
As 2016 progressed, Locky activity declined. While Locky infections continue, it is no longer the biggest ransomware threat. Locky now accounts for just 2% of infections. A new report from Malwarebytes has revealed that the biggest ransomware threat – by some distance – is Cerber ransomware.
Cerber ransomware is now behind 90% of all global ransomware infections, with those attacks performed using many different variants of the ransomware. Cerber has even surpassed TeslaCrypt; a previously highly prevalent ransomware variant that dominated attacks in 2015 and early 2016. At the start of 2017, Cerber’s ‘market share’ stood at 70%, although that increased to 90% by the end of Q3.
The secret of the success of Cerber lies not only in the sophistication of the ransomware, but how it is being used and distributed. Cerber ransomware has become the biggest ransomware threat because it is not only the authors that are using it to attack organizations. There is now an army of affiliates using the ransomware. Those affiliates do not need programming experience and neither much in the way of technical skill. Their role is simple. They are simply distributors who get a cut of the profits for any ransoms they manage to generate.
Ransom payments are likely with Cerber infections. There is no decryptor for the ransomware as no flaws have been discovered. Files locked by Cerber cannot be unlocked without the decryption keys, and only the attackers have access to those. The encryption used is of military-grade, says Malwarebytes. Further, a computer does not even need to be connected to the Internet in order for files to be encrypted. The latest variants also include a host of new defenses to prevent detection and analysis.
The primary attack vector used is email. Cerber is distributed in spam email, with infection occurring when a user opens an infected email attachment. That triggers the downloading of Cerber from the attacker’s Dropbox account.
With the new defenses put in place by its authors and no shortage of affiliates signing up to use the ransomware-as-a-service, Cerber looks set to remain the main ransomware threat throughout Q2. Attacks will continue and likely increase, and new variants will almost certainly be released.
All organizations can do is to improve their defenses against attack. Cybersecurity solutions should be employed to prevent spam emails from being delivered to end users. Staff should be trained how to identify malicious emails and not to open email attachments sent from unknown senders. Organizations should also use security tools to detect endpoint infections.
Since even with advanced security defenses infections are still possible, it is essential that all data are backed up and those backups tested to ensure they will allow encrypted data to be recovered.
by titanadmin | Apr 18, 2017 | Email Scams, Internet Security, Network Security, Phishing & Email Spam, Spam Advice, Spam News, Spam Software, Website Filtering |
In the United States, phishing attacks on schools and higher education institutions have soared in recent months, highlighting the need for improvements to be made to staff education programs and cybersecurity defenses.
Phishing refers to the practice of sending emails in an attempt to get the recipients to reveal sensitive information such as logins to email accounts, bank accounts, or other computer systems. Typically, a link is included in the email which will direct the user to a website where information must be entered. The sites, as well as the emails, contain information to make the request look genuine.
Phishing is nothing new. It has been around since the 1980’s, but the extent to which sensitive information is stored electronically and the number of transactions that are now conducted online has made attacks much more profitable for cybercriminals. Consequently, attacks have increased. The quality of phishing emails has also improved immeasurably. Phishing emails are now becoming much harder to identify, especially by non-technical members of staff.
No organization is immune to attack, but attackers are no longer concentrating on financial institutions and healthcare organizations. The education sector is now being extensively targeted. Phishing attacks on schools are being conducted far more frequently, and all too often those attacks are succeeding.
Such is the scale of the problem that the IRS recently issued a warning following a massive rise in phishing attacks on schools. Campaigns were being conducted by attackers looking for W-2 Form data of school employees. That information was then used to submit fraudulent tax returns in school employees’ names.
Recent Phishing Attacks on Schools, Colleges, and Universities
Westminster College is one of the latest educational institutions to report that an employee has fallen for the W-2 Form phishing scam, although it numbers in dozens of schools, colleges and universities that have been attacked this year.
Phishing emails are not only concerned with obtaining tax information. Recently, a phishing attack on Denver Public Schools gave the attackers the information they needed to make a fraudulent bank transfer. More than $40,000 intended to pay staff wages was transferred to the criminal’s account.
This week, news emerged of a listing on a darknet noticeboard from a hacker who had gained access to school email accounts, teacher’s gradebooks, and the personal information of thousands of students. That individual was looking for advice on what to do with the data and access in order to make money.
Washington University School of Medicine was targeted in a phishing attack that saw the attackers gain access to patient health information. More than 80,000 patients potentially had their health information stolen as a result of that attack.
Last week, news emerged of an attempted phishing attack on Minnesota schools, with 335 state school districts and around 170 charter schools potentially attacked. In that case, the phishing attack was identified before any information was released. The attack involved an email that appeared to have been sent from the Education Commissioner. The attackers were trying to gain access to financial information.
How to Improve Defenses Against Phishing Attacks
Fortunately, there are a number of technological controls that can be implemented cheaply to reduce the risk of phishing attacks on schools being successful.
An advanced spam filtering solution with a powerful anti-phishing component is now essential. A spam filter looks for the common spam and phishing signatures and ensures suspect messages are quarantined and not delivered to end users.
It must be assumed that occasionally, even with a spam filter, phishing emails may occasionally be delivered. To prevent employees and students from visiting phishing websites and revealing their information, a web filtering solution can be used. Web filters block end users from visiting websites that are known to be used for phishing. As an additional benefit, web filters can stop individuals from accessing websites known to contain malware or host illegal or undesirable material – pornography for instance.
Those solutions should be accompanied by training for all staff members on the risk from phishing and the common identifiers that can help staff spot a phishing email. Schools should also implement policies for reporting threats to the organization’s IT department. Fast reporting can limit the harm caused and prevent other staff members from responding.
IT departments should also have policies in place to ensure thwarted attacks are reported to law enforcement. Warnings should also be sent to other school districts following an attack to allow them to take action to protect themselves against similar attacks.
Any school or higher educational institution that fails to implement appropriate defenses against phishing attacks will be at a high risk of a phishing attack being successful. Not only do phishing attacks place employees at risk of fraud, they can prove incredibly costly for schools to mitigate. With budgets already tight, most schools can simply not afford to cover those costs.
Improve Your Phishing Defenses with TitanHQ
The TitanHQ team have worked on email anti-spam solutions for schools, web filtering for the education sector, and email archiving for schools for over 20 years. We have a deep understanding of the security issues that all schools and colleges face when trying to protect students, school staff and visitors. TitanHQ has developed products to address the needs of schools and block threats such as phishing, malware, and ransomware, while ensuring compliance with federal and state laws.
TitanHQ offers schools a powerful and highly effective email security solution – SpamTitan – which blocks in excess of 99.9% of spam and 100% of known malware threats. The award-winning solution is the single-most important measure to block phishing and malware threats, the majority of which are delivered via email.
WebTitan offers safe internet browsing for children, providing protection from harmful and obscene web content whether students are studying at school or at home. Web security is available for all devices, and in addition to blocking age-inappropriate web content, will prevent access to known phishing websites and will block malware and ransomware downloads.
If you want to improve your defenses against phishing and malware in the most cost effective way possible, give the TitanHQ team a call today. Both solutions are available to schools and other educational institutions on a 30-day 10% free trial, which will allow you to see for yourself the difference each makes and why so many schools have already implemented these solutions.
by titanadmin | Apr 13, 2017 | Email Scams, Network Security, Phishing & Email Spam, Spam Advice, Spam Software |
A phishing attack on a HIPAA-covered entity has resulted in a $400,000 penalty for non-compliance with HIPAA Rules. This is not the first time a phishing attack has attracted a penalty from OCR for non-compliance.
The failure to prevent phishing attacks does not necessarily warrant a HIPAA penalty, but failing to implement sufficient protections to prevent attacks could land HIPAA-covered entities in hot water.
HIPAA Compliance and Phishing
The U.S. Department of Health and Human Services’ Office for Civil Rights is tasked with enforcing Health Insurance Portability and Accountability Act Rules. While OCR conducts audits of covered entities to identify aspects of HIPAA Rules that are proving problematic for covered entities, to date, no financial penalties have been issued as a result of HIPAA violations discovered during compliance audits. The same is certainly not the case when it comes to investigations of data breaches.
OCR investigates each and every data breach that impacts more than 500 individuals. Those investigations often result in the discovery of violations of HIPAA Rules. Any HIPAA-covered entity that experiences a phishing attack that results in the exposure of patients’ or health plan members’ protected health information could have historic HIPAA violations uncovered. A single phishing attack that is not thwarted could therefore end up in a considerable fine for non-compliance.
What HIPAA Rules cover phishing? While there is no specific mention of phishing in HIPAA, phishing is a threat to the confidentiality, integrity, and availability of ePHI and is covered under the administrative requirements of the HIPAA Security Rule. HIPAA-covered entities are required to provide ongoing, appropriate training to staff members. §164.308.(a).(5).(i) requires security awareness training to be provided, and while these are addressable requirements, they cannot be ignored.
These administrative requirements include the issuing of security reminders, protection from malicious software, password management and login monitoring. Employees should also be taught how to identify potential phishing emails and told about the correct response when such an email is received.
The HIPAA Security Rule also requires technical safeguards to be implemented to protect against threats to ePHI. Reasonable and appropriate security measures, such as encryption, should be employed to protect ePHI. Since ePHI is often available through email accounts, a reasonable and appropriate security measure would be to employ a spam filtering solution with an anti-phishing component.
Given the frequency of attacks on healthcare providers, and the extent to which phishing is involved in cytberattacks – PhishMe reports 91% of cyberattacks start with a phishing email – a spam filtering solution can be classed as an essential security control.
The risk from phishing should be highlighted during a risk analysis: A required element of the HIPAA Security Rule. A risk analysis should identify risks and vulnerabilities that could potentially result in ePHI being exposed or stolen. Those risks must then be addressed as part of a covered entity’s security management process.
HIPAA Penalties for Phishing Attacks
OCR has recently agreed to a settlement with Metro Community Provider Network (MCPN), a federally-qualified health center (FQHC) based in Denver, Colorado following a phishing attack that occurred in December 2011. The attack allowed the attacker to gain access to the organization’s email accounts after employees responded by providing their credentials. The ePHI of 3,200 individuals was contained in those email accounts.
The fine was not exactly for failing to prevent the attack, but for not doing enough to manage security risks. MCPN had failed to conduct a risk analysis prior to the attack taking place and had not implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. OCR settled with MCPN for $400,000.
In 2015, another covered entity ended up settling with OCR to resolve violations of HIPAA Rules following a phishing attack. University of Washington Medicine paid OCR $750,000 following the exposure of 90,000 individual’s ePHI. In that case, the phishing attack allowed attackers to install malware. OCR Director at the time, Jocelyn Samuels, pointed out “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.” She also said, “All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical records or that fails to provide appropriate oversight and accountability for all parts of the enterprise.”
Covered entities are not expected to prevent all phishing attacks, but they must ensure the risk of phishing has been identified and measures put in place to prevent phishing attacks from resulting in the exposure of theft of ePHI. If not, a HIPAA fine may be issued.
by titanadmin | Apr 12, 2017 | Internet Security, Network Security, Phishing & Email Spam, Spam News |
Microsoft has finally patched a zero-day vulnerability in Microsoft Word that has been exploited by cybercriminals for months. Recently, the vulnerability has been exploited by the gang behind the Dridex banking Trojan.
The remote code execution vulnerability (CVE-2017-0199) affects the Windows Object Linking and Embedding (OLE) application programming interface. The vulnerability is a logic flaw rather than a programming error, which makes defending against attacks difficult.
The bug affects RTF files. The spam email campaigns use RTF files containing an embedded OLE2Link object, which downloads an HTA (HTML Application) file containing malicious code when the document is opened. No user interaction other than opening the file is required to infect the end user’s device.
There is some debate as to how long the vulnerability has been actively exploited in the wild. Attacks may have been occurring as early as November 2016 according to SophosLabs, although certainly since the start of 2017. Over the past two months, the vulnerability has been extensively exploited to deliver the Dridex banking Trojan.
The zero-day vulnerability in Microsoft Word has been exploited for espionage purposes in Russian speaking countries, while FireEye observed the exploit being used to distribute Latentbot malware. Latentbot is an information stealer with the ability to corrupt hard drives.
Many security companies have been tracking the vulnerability, although it was McAfee that announced the existence of the actively exploited flaw on Friday last week. The flaw exists in virtually all Microsoft Word versions and does not require macros to be enabled in order for malicious code to run.
Employees are advised never to enable macros on documents unless they are 100% certain that a document is legitimate; however, this zero-day exploit does not rely on macros. Simply opening the Word document on an unpatched Office installation is likely to result in infection.
This makes the vulnerability particularly dangerous. Any end user that opens a specially crafted Word document would automatically run the code which would see the Dridex Trojan (or another malware) downloaded. One protection that can prevent the malicious code from running is to enable Protected View mode. However, the code will run when Protected View is turned off.
The malicious emails sent out in at least one campaign have the subject line “scanned data” with the RFT file attachments containing the word ‘scan’ followed by a random string of numbers, according to Proofpoint.
To protect against this exploit, the patches for both Office and Windows that were released by Microsoft on Tuesday April 11, 2017 should be applied. However, in order to apply the security update, Service Pack 2 for Office 2010 must be installed.
If it is not possible to apply the Microsoft updates immediately, you can configure your spam filter to block RTF files or add RTF files to the list of documents to block in the Microsoft Office Trust Center.
