This week, we discuss American 1 declining Wendy’s transactions over poor security, criminals using gaming currency to launder money, and a new strain of ransomware, DXXD.
Hello and welcome to the IT Governance podcast for Friday, 14th October. Here are this week’s stories.
As you probably know, payment card security is handled by a group called the Payment Card Industry Security Standards Council, and all merchants and service providers that process, transmit or store cardholder data have to abide by the 12 requirements of the Payment Card Industry Data Security Standard (or PCI DSS). Each payment brand can fine acquiring banks for PCI DSS compliance violations, and acquiring banks can, in turn, withdraw the ability to accept card payments from non-compliant merchants – a prerogative recently exercised in the United States.
American 1 Credit Union has announced that its members’ credit and debit cards will be “temporarily declined” at all US branches of the Wendy’s burger chain following a point-of-sale malware attack last year that allowed criminal hackers to steal customer payment card information – including names, card numbers, expiration dates and security codes – from 1,025 Wendy’s restaurants. Wendy’s claims to have eradicated the malware, but American 1 members are still reporting fraudulent activity on their accounts, even when new cards have been issued – and American 1 reports that this has cost it as much as the massive Home Depot breach in 2014 did.
American 1’s CEO David Plunkett said: “When malicious cyberattacks like the recent attack on Wendy’s occur, there are many victims. Not only are the cardholders’ assets put at risk, but the financial institutions that issued the cards are left to foot the bill of any resulting theft […] Until we are confident that our members’ cards are no longer at risk when used at Wendy’s, we will continue declining the transactions.”
Although this move will do little to actually protect cards from compromise – after all, in order to be declined, a card still has to be swiped by the point-of-sale system, exposing it to any malware that might be present – this does set an interesting precedent. Being blocked from accepting card payments could cause significant damage to many organisations. Is it time to reassess your level of PCI DSS compliance?
According to a new report from Trend Micro – The Cybercriminal Roots of Selling Online Gaming Currency – cyber criminals are increasingly using video game currency to launder real money to fund their criminal operations. First, they obtain game currency, “usually by exploiting bugs and loopholes in the game or by stealing it from player accounts.” Then, they sell it through specialist forums, converting the payments into cryptocurrency to make it untraceable. As Trend Micro explains on its blog, many websites generate a very lucrative revenue stream by selling online gaming currencies for the likes of FIFA, World of Warcraft and Path of Exile.
Buying game currency, although frowned upon by many, is not illegal, and many lazy players like to stockpile funds without having to go through the effort of earning their rewards through legitimate play. However, their shortcuts may, ironically, be funding attacks on the games themselves – Trend Micro reports instances of attacks from groups such as Lizard Squad, Team Poison and Armada Collective on “enterprises, corporations, and even game servers.”
When security researcher Michael Gillespie created a decryption tool to combat a new strain of ransomware – DXXD – he wasn’t expecting the ransomware’s developer to contact him on a BleepingComputer.com support forum to tell him he’d modified the encryption algorithm. When asked about his new version, the developer claimed to be using a new zero-day vulnerability.
There’s nothing particularly remarkable about DXXD: it encrypts victims’ files, appending ‘.dxxd’ to each encrypted file. But, as BleepingComputer’s Lawrence Abrams explains, one thing that does make it stand out is the “interesting way” it displays its ransom note: it “configures a Windows Registry setting that is used to display a legal notice when people log into a computer. By configuring these registry keys, the ransomware developer knows that any user who tries to login to the server will see the ransom note.”
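The registry trick Abrams describes is easy to check for directly. The Python below is an added example for this write-up, not code from BleepingComputer, the researchers or the podcast. It parses a `reg export` dump of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (the key Windows reads for the pre-logon legal notice, through its legalnoticecaption and legalnoticetext values) and flags a notice that reads like a ransom demand rather than a corporate banner. It also counts files carrying the ‘.dxxd’ suffix the text mentions. Both registry dumps and the indicator word list are constructed for the example.

```python
"""Triage helper for the DXXD ransom-note technique described above.

Parses a `reg export` (.reg) dump of the Winlogon legal-notice policy key and
flags values that look like a ransom note rather than a login banner.
All sample data below is constructed for this example, not real DXXD output.
"""
import re

# Key and value names Windows uses for the pre-logon legal notice; these are
# the values a ransomware author sets to show a note before anyone logs in.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
NOTICE_VALUES = ("legalnoticecaption", "legalnoticetext")

# Heuristic vocabulary (assumption for this example): terms a ransom note
# tends to contain and a legitimate banner normally does not.
RANSOM_TERMS = ("encrypt", "decrypt", "ransom", "bitcoin", ".dxxd", "private key")

_SECTION = re.compile(r"^\[(.+)\]\s*$")
_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    # .reg files escape backslash and double quote inside REG_SZ data.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key: {value_name: data}} for the REG_SZ values in a .reg dump."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _STRING_VALUE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1)).lower()] = _unescape(m.group(2))
    return keys


def legal_notice(keys):
    """Pull the two legal-notice values ('' if unset); key lookup is case-insensitive."""
    values = {}
    for key, data in keys.items():
        if key.lower() == POLICY_KEY.lower():
            values = data
            break
    return {name: values.get(name, "") for name in NOTICE_VALUES}


def check_legal_notice(reg_text):
    """Flag a legal notice whose caption or text contains ransom-note vocabulary."""
    notice = legal_notice(parse_reg_export(reg_text))
    blob = (notice["legalnoticecaption"] + " " + notice["legalnoticetext"]).lower()
    hits = [t for t in RANSOM_TERMS if t in blob]
    # Two independent terms keeps a single stray word from raising a false alarm.
    return {"notice": notice, "indicators": hits, "suspicious": len(hits) >= 2}


def count_dxxd_files(names):
    """Second indicator from the text: files renamed with a trailing '.dxxd'."""
    return sum(1 for n in names if n.lower().endswith(".dxxd"))


# Constructed dumps: one mimicking a ransom note, one with an ordinary banner.
SAMPLE_INFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"legalnoticecaption"="Your files are encrypted"
"legalnoticetext"="All your files have been encrypted with the .dxxd extension. Contact us to buy the decryption key."
"""

SAMPLE_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"legalnoticecaption"="Authorised access only"
"legalnoticetext"="This system is monitored. Disconnect now if you are not an authorised user."
"""

if __name__ == "__main__":
    for label, dump in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, check_legal_notice(dump))
    print("dxxd files:", count_dxxd_files(["report.docx.dxxd", "budget.xlsx.DXXD", "notes.txt"]))
```

On a live host, `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" notice.reg` produces a UTF-16 file, so decode it to text before passing it to `check_legal_notice`. The word list is deliberately short; extend it with whatever wording the sample in front of you actually uses.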
Abrams urges victims not to pay the ransom – researchers are currently analysing a sample of DXXD and looking for weaknesses. A decryptor will be released for free – if a weakness can be found.
It’s US National Cyber Security Awareness Month. Week 3’s topic is “Recognizing and combating cyber crime”. The security of your company’s systems and networks depends on every employee’s ability to recognise threats. In the case of phishing attacks, staff are the ultimate line of defence. Every day, 156 million phishing emails are sent, 15.6 million make it through spam filters, 8 million are opened, and 800,000 recipients click on the links.
Ensuring your staff understand how phishing emails work and know how to distinguish them from legitimate emails will dramatically reduce the risk of your organisation becoming a victim. IT Governance’s Phishing Staff Awareness course will help you and your team understand how phishing attacks work, the tactics that cyber criminals employ, and how to spot and avoid a phishing campaign.
And don’t forget to check out our book of the month, Insider Threat: A Guide to Understanding, Detecting, and Defending Against the Enemy from Within by Dr Julie Mehan. Every type of organisation is vulnerable to insider abuse, errors or malicious attacks. This book shows how a security culture based on international best practice can help mitigate them.
Head over to our webshop to find out more.
Well, that’s it for this week. Until next time, remember that you can keep up to date with the latest information security news on our blog.
Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.