Regarding cyber security, first here’s the good news: In its first quarter 2019 Cyber Crime and Techniques Report, internet security company Malwarebytes indicates that malware attacks against individuals dropped by more than 40 percent compared to the first quarter of 2018.
Now the (really) bad news: The same report indicates that attacks against small and medium-sized businesses rose by more than 200 percent, with attacks from ransomware rising by 195 percent and Trojan attacks by well over 200 percent. One notable exception was the declining rate of crypto mining attacks, as the use of electronic currencies, such as Bitcoin, has declined.
These numbers should set off alarm bells for any small and medium-sized business, including those in the natural products industry. This article will provide some basic information about the nature of cyber threats in general, a description of some of the malware specifically targeting small and medium-sized businesses, and several illustrative examples of specific attacks targeted at retail enterprises in recent months. Hopefully, this information will help prompt businesses to take action and protect themselves against cyber criminals.
The first step to protecting your business is having a basic understanding of the different types of threats that exist in the cybersphere. Some of the most common types of dangers come from the following broad categories:
Malware – Includes a variety of forms of hostile or intrusive software, e.g., computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware and other malicious programs. It can take the form of executable code, scripts, active content and other software.
Virus - Malicious software that, when executed, replicates by reproducing itself (copying its own source code) or infecting other computer programs by modifying them. Viruses often perform some type of harmful activity on infected host computers, such as acquisition of hard disk space or central processing unit (CPU) time, accessing private information (e.g., credit card numbers), corrupting data, displaying political or humorous messages on the user’s screen, spamming their email contacts, or logging their keystrokes (to gain access to passwords).
Trojan Horse - A malicious computer program designed to hack into a computer by misleading users of its true intent. The user is tricked into installing the program themselves (through an email attachment or a bogus link on an innocuous website). Trojans frequently create a backdoor, contacting a controller, which can then provide unauthorized access to the affected computer. These programs allow cyber-criminals to access users’ personal information, such as banking information, passwords, or personal identity (IP address).
Ransomware - Malware installed covertly on a victim’s computer that executes a program adversely affecting the target’s functionality and demands a ransom payment to restore it. It usually encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. The ransomware may encrypt the entire hard drive or just critical files. This is a denial-of-access attack that prevents computer users from accessing files without the decryption key. Ransomware attacks are typically carried out using a Trojan that has a payload disguised as a legitimate file. Many retailers simply pay the ransom and move on rather than disclosing the breach to their customers out of fear of losing business. Incidents of ransomware attacks on retailers seem to be slowing even as new forms of malware emerge.
Formjacking – Involves the insertion of a small piece of malicious code (a computer program) into a system that handles credit card transactions. This code allows cyber criminals to steal credit card information much the same way that skimmers steal information from a physical card when it is inserted into a reader. Just like a skimmer, there is no way for the consumer to know that their information is being stolen; the transaction is completed as if nothing is wrong, except now the card information is also in the hands of the bad guys and available for sale on the “dark web.”
How Does this Software Get Into My System?
Malware of any kind can be unintentionally and unknowingly downloaded when visiting malicious or infected/compromised websites. It can also get into a system through other malware inserted onto a single user’s computer or, more commonly, downloaded by an unwitting user opening an attachment to spam email. Each one of these routes of attack relies on a lack of discipline by curious computer users and highlights the need for organizations to educate employees to exercise care in visiting websites and opening suspicious email attachments, and to avoid anything that just does not seem right.
Even in those instances where you or your employees exercise extreme caution, malware can penetrate your computers. One of the more notorious ransomware attacks occurred in May, 2016, when employees at the quasi-governmental office of Richmond (Virginia) Region Tourism received a seemingly innocuous email with an attachment from Amazon.com. Several employees immediately deleted the message. One person who had coincidentally placed an order with Amazon the day before opened the attachment and opened the door to the office’s computer system to a serious malware attack. Within 30 minutes, every file on the office’s system was locked. Every attempt to access the system only caused a ransom message to appear on the user’s screen. Typical of this kind of attack, the message started off with a relatively modest demand for payment along with a promise to erase the entire system if the ransom demand was not met prior to a countdown clock expiring. The ransom demand increased as the clock came closer to running out. Rather than pay, Richmond Region Tourism called in a computer security firm that worked to isolate the attack and assisted in restoration of the locked files from a backup system. The total cost of this attack was estimated at $2,500—a potentially devastating loss for a small business.
Recent Attacks on Retailers/Consumer Companies
A review of these recent attacks will show that the most common vulnerabilities are associated with payment systems. It is imperative that any retailer accepting credit cards or any other form of electronic payment take all feasible precautions to protect their business from cyber criminals. Indeed, a recent report published by cybersecurity firm Shape Security suggests that 80 to 90 percent of traffic on retail websites consists of hackers seeking customers’ financial information.
Earl Enterprises – In late March, the corporate parent of Buca di Beppo restaurants, Planet Hollywood, Earl of Sandwich, Guy Fieri’s Chicken Guy!, Los Angeles, CA-based Mixology 101 and Las Vegas, NV’s Tequila Taqueria disclosed that it had been subject to a data breach attributed to the malware surveillance program Davinci, resulting in the exposure of the credit card information of more than two million customers at its restaurants. The malware resided in the various restaurants’ point-of-sale payment systems and collected information from customers between May 23, 2018 and March 18, 2019.
Jared and Kay Jewelers – In December, 2018, Signet Jewelers, parent company of Kay and Jared, announced that it had fixed a flaw in the company’s website that allowed customers’ orders to be exposed with a simple alteration to a link in the email sent to confirm orders placed by others. The information exposed included the items ordered, cost, address to which they were shipped and the last four digits of the credit card used to pay for the order. After initially being told of the flaw by a customer in November, Signet addressed the problem for all orders going forward. It was not until several weeks later that the problem was fixed for past orders.
Uniqlo – This fast-growing Japanese-owned clothing retailer was the victim of a major criminal attack lasting from April 23 to May 10, 2019. According to the company, in excess of 460,000 customers’ personal information was exposed to third parties during this time and “partial” credit card information may have been disclosed. Customers have been asked to create new, more difficult, passwords for their online accounts.
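The Jared and Kay Jewelers flaw above is a missing authorization check on an order link. The following is an added example, not code from Signet or from the original article, that places a lookup trusting whatever order number is in the link beside a hardened one that requires a signature bound to that order and, when a customer is logged in, a match with the order's owner. It assumes the emailed link carried an order identifier; the secret, order numbers and fields are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample data; the secret, order numbers and fields are placeholders.
LINK_SECRET = b"constructed-demo-secret"
ORDERS = {
    "100041": {"customer": "alice", "items": ["ring"], "card_last4": "4242"},
    "100042": {"customer": "bob", "items": ["watch"], "card_last4": "1881"},
}


def lookup_vulnerable(order_id):
    """Weak form: returns any order named in the link, with no ownership check."""
    return ORDERS.get(order_id)


def _tag(order_id):
    """MAC over the order number, so a tag is only valid for that one order."""
    return hmac.new(LINK_SECRET, order_id.encode(), hashlib.sha256).hexdigest()


def sign_order_link(order_id):
    """Build the path placed in the confirmation email (hypothetical URL layout)."""
    return f"/orders/{order_id}?sig={_tag(order_id)}"


def lookup_hardened(order_id, sig, session_customer=None):
    """Return the order only if the signature matches and the owner checks out."""
    order = ORDERS.get(order_id)
    supplied = (sig or "").encode()
    # Constant-time comparison; a tag copied from another order will not match.
    if order is None or not hmac.compare_digest(_tag(order_id).encode(), supplied):
        return None
    # If the visitor is logged in, the order must also belong to that account.
    if session_customer is not None and order["customer"] != session_customer:
        return None
    return order


if __name__ == "__main__":
    link = sign_order_link("100041")
    sig = link.split("sig=")[1]
    print("own order:", lookup_hardened("100041", sig))
    print("altered order number:", lookup_hardened("100042", sig))
```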
While these examples of criminal attacks on retailers involve large chains, Symantec’s annual Internet Security Report indicates that small- and medium-sized businesses remain the leading target for formjacking schemes. Incredibly, Symantec estimates that approximately 4,800 sites a month are targeted for formjacking, representing an extremely serious threat to businesses and their customers.
Becoming aware of these threats is the first step to being able to protect your business and its customers. This knowledge should arm the retailer with the information necessary to seek out expert help in developing programs to ensure that employees practice good cyber hygiene (don’t open suspicious emails, don’t surf on suspicious sites, don’t bring outside drives to use on business systems, etc.) and to question service providers on the security measures they utilize. Retailers should also take steps to monitor how transactions are processed. Even more importantly, ensure that all software on your systems is up to date; the most frequent reason for these updates is to make sure that end-users have the most current security patch available.
Even businesses that do all of these things cannot make themselves 100 percent secure; cyber criminals are clever. But taking these basic first steps can go a long way to protecting you and your customers.
Marc S. Ullman represents clients in matters relating to all aspects of Food and Drug Administration and Drug Enforcement Administration matters, regulatory issues, Federal Trade Commission proceedings and litigation. He practiced with one of New York’s leading white collar criminal defense firms for ten years, where he represented clients in both federal and state prosecutions, as well as numerous related civil matters and other litigations. He can be reached at email@example.com.