Forever 21 Card Breach, Gmail Risks & Malvertising

November 15, 2017 Marketing GrafWebCUSO

The fashion retailer Forever 21 confirmed a breach involving unauthorized access to data from payment cards used at an undisclosed number of its stores due to malfunctioning encryption on POS devices.

The Los Angeles-based company said the probe focused on transactions made at its stores between March and October this year. Since the investigation continues, the company, which operates more than 815 stores in 57 countries, did not reveal the stores affected.

“With its endless POS endpoints, the retail industry has always been a desirable target for cybercriminals. They know that if they can introduce malware into POS networks, they can make a decent amount of cash by selling credit card numbers on the dark web,” Mark Cline, a VP at Fort Lauderdale, Fla.-based Netsurion, a provider of managed security services for multi-location businesses, said. “With their millions of customers, large retailers, like Forever 21, have typically been the hardest hit. Companies must pay up to $172 per stolen record in clean-up costs. A major retailer just paid $18.5 million to address the impact of its 2013 hack, which resulted in 41 million stolen credit cards.”

Cline suggested that retail businesses should protect themselves from POS malware, ransomware and other threats, especially as we move into the holiday shopping season. They may be running anti-virus software and managed firewalls, but may not run active monitoring and threat detection, including vulnerability scans; applying all operating system and software upgrades and patches immediately; setting up next-generation security systems and firewalls; and using security information and event management applications to analyze all of the organization’s data.

Meanwhile, Google and Berkeley researchers revealed in a new whitepaper that hundreds of millions of usernames and passwords traded on black markets can access Gmail accounts.

The study employed Google’s proprietary data as a case study to see if stolen passwords and other accounts traded on hacker forums and the dark web work on real accounts. “We present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users.” From March 2016 to March 2017, researchers identified 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on black-market forums. They found 7-25% of exposed passwords matched a victim’s Google account.

“The Google report will help to bring much needed awareness to the more covert and silent threat that often gets drowned under the noise of ransomware coverage,” said Andy Norton, director of threat intelligence at the Redwood City, Calif.-based Lastline. “Very often, organizations are unaware of the capability of threats in their environment.”

Norton noted threat actors behind keyloggers use packing and cryptographic protection to hide or change the signatures of the payload file. This type of evasion causes two problems for organizations: existing defenses are unable to stop the attack during the delivery phase, and upon discovery of the attack, antivirus often issues a heuristic or generic detection of the file that does not provide actionable intelligence highlighting the stolen-credential functionality in the infection. “The default approach is to remove the threat or simply re-image the victim device,” Norton said. He added that credentials already exfiltrated do not change extensively as part of the default remediation process, which leaves the organization vulnerable to credential-based attacks in the future.

Google also announced plans to thwart malvertising with three new Chrome security features developed to block websites from stealthily redirecting users to new URLs without the user’s or website owner’s consent. The first security update should arrive at the end of January 2018 and blocks URL redirects via inline frames. Later, Chrome will block tab-under behaviors and misleading user interface elements.
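The browser-side change above has a page-author counterpart that site owners can apply today: the iframe `sandbox` attribute, which denies a framed ad the ability to navigate the top-level page unless the author explicitly grants `allow-top-navigation` (or its user-activation variant). The following Node.js audit is an added example, not code from the article, Google or any vendor quoted here; the HTML sample is constructed and the function names are my own.

```javascript
// Added example (not from the article or from Google/Chrome): audit the iframes in a
// page and flag ad slots whose content could redirect the embedding page, the very
// behaviour Chrome's planned inline-frame redirect blocking targets.

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Parse the attribute text of one <iframe ...> tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  // A bare `sandbox` attribute (no value) is the strictest form: every restriction applies.
  if (/(^|\s)sandbox(?=\s|$)/i.test(attrText)) attrs.sandbox = attrs.sandbox ?? "";
  return attrs;
}

// Classify one frame by whether its content may navigate the top-level document.
function classifyFrame(attrs) {
  if (!("sandbox" in attrs)) return "unsandboxed";
  const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
  if (tokens.includes("allow-top-navigation")) return "allows-top-navigation";
  if (tokens.includes("allow-top-navigation-by-user-activation")) return "allows-top-navigation-on-gesture";
  return "sandboxed";
}

// Audit every iframe in an HTML document; returns [{src, status}] in document order.
function auditIframes(html) {
  return Array.from(html.matchAll(IFRAME_RE), (m) => {
    const attrs = parseAttrs(m[1]);
    return { src: attrs.src ?? "(no src)", status: classifyFrame(attrs) };
  });
}

// Constructed sample page: three third-party ad slots with different sandbox settings.
// (allow-scripts + allow-same-origin is only acceptable for frames on a different origin,
// since a same-origin frame could otherwise remove its own sandbox.)
const SAMPLE_HTML = `
<div class="ad"><iframe src="https://ads.example.net/slot1" width=300 height=250></iframe></div>
<div class="ad"><iframe src='https://ads.example.net/slot2' sandbox="allow-scripts allow-same-origin"></iframe></div>
<div class="ad"><iframe src="https://ads.example.net/slot3" sandbox="allow-scripts allow-top-navigation"></iframe></div>
`;

for (const f of auditIframes(SAMPLE_HTML)) {
  console.log(`${f.status.padEnd(24)} ${f.src}`);
}
```

Only the second slot is safe as written; the first needs a `sandbox` attribute and the third should drop `allow-top-navigation`.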

“Malvertising represents a continual risk to organizational safety, especially when normally safe websites, which are not inspected by traditional web security tools, become compromised by malverts delivering exploit kits,” Norton said. “This is why more and more organizations are turning to real-time dynamic content inspection platforms of both web and email traffic to ensure satisfactory levels of risk.”