
Black Friday, Cyber Monday scams are on the loose, businesses need to prepare

Consumers stumbling to the couch in a turkey-induced coma with their laptop or phone in hand, ready to hit the cyber-holiday sales, are not alone in being targeted by cybercriminals.

Retailers and businesses may also be affected by the dramatic increase in malicious threats that target shoppers looking for buys on Black Friday and Cyber Monday. This can include being hit with ransomware and having to decide whether to pay up or risk losing sales during the busiest shopping period of the year.

For retailers, much of the damage done may be to their reputation, as malicious actors generate hundreds of brand- and website-specific email scams and fake websites designed to confuse and entice anxious shoppers.

A study by Zerofox’s Alpha Team has already identified 61,305 potential scams spread across 26 brands. Brick and mortar retailers are the primary focus, with 92 percent of the campaigns spotted using a store brand in some manner.

“Scammers likely target brick and mortar retailers in such high quantities because these kinds of scams will be attractive to a larger pool of consumers and thereby potential victims. Fewer consumers are in the market for luxury goods and high-end jewelry than are shopping at large brick and mortar stores that appeal to multiple price points. Brick and mortar stores also carry a wide range of goods, from electronics to jewelry, versus stores that only sell one kind of good,” the report stated.

The threats are generally centered on email campaigns that use the one lure every shopper is interested in: something for nothing. This usually takes the form of a gift card or coupon, but to obtain it the shopper/victim is required to enter some level of information, at the very least an email or physical address.

The permanent members of Santa’s naughty list also use social media to attract victims. This is done by creating fake accounts and then loading posts with hashtags designed to catch a shopper’s eye, such as #blackfriday or #cybermonday.

Some of the more technical threats involve typosquatting, or creating domains based on popular shopping sites like Amazon, Apple and Target.

“ZeroFOX Alpha Team found 124,000 domains that contain the brand name out of the list of 26 selected for this report. The team filtered the 124,000 domains by Certificate Issuer for legitimate domains,” the security company said.

Source: Zerofox

The massive uptick in internet traffic also presents an opportunity for attackers and a danger to corporate entities whose workers may use either company equipment or its network to make purchases. Tim Erlin, vice president of product management and strategy at Tripwire, cited a recent Tripwire Twitter survey that found 84 percent of security professionals are concerned there is not enough security awareness for consumers to keep them safe online during the holiday shopping season.

“For businesses, there are two ways to look at cyber risks around Black Friday. The first is that, simply because it’s a busier time and more money is flowing through their systems, attackers will be more likely to target them, hoping for the busyness to serve as a diversion. The second way to look at it is from an employee perspective: staff may be shopping online from business-owned assets, thus potentially opening them up to Black Friday scams. For this reason, it would be worth it for business to focus on education and training on how to recognize scams and phishing attempts,” Erlin said.

Then there are the direct threats to business. A retailer, delivery company or distributor’s worst fear is not being able to operate during this time.

“Ransomware and other types of malware are also a concern for businesses around this time of the year. Those that are targeting the business itself ultimately just want the organization to pay the ransom, which can be avoided by having good incident response measures in place and secure, up-to-date backups,” Erlin said.

In addition to being shut down, another huge potential headache is discovering credit card skimming malware like Magecart residing in a chain’s POS system, noted a Sucuri study. A retailer could also be held liable for any fraudulent charges made on a customer’s card in cases where the card was not present for the purchase.

“New consumer habits, such as buy online, pick up in store (BOPIS), now allow customers to pick up products at a physical location after purchasing them on the retailer’s website – so these transactions become classified as card-not-present. Unfortunately, there are still retail merchants that have little to no authentication process for in-person pickups, making them likely targets for abuse due to a lack of security controls,” Sucuri said.

There are steps e-commerce sites and retailers with an online presence can take to protect themselves not only during the holiday season, but all year long, said Kaspersky.

  • Use a reputable payment service and keep your online trading and payment platform software up to date. Every new update may contain critical patches to make the system less vulnerable to cybercriminals.
  • Use a tailored IT and cybersecurity solution to protect your business and customers.
  • Pay attention to the personal information used by customers who buy from you. Use a fraud prevention solution that you can adjust to your company profile and the profile of your customers.

The post Black Friday, Cyber Monday scams are on the loose, businesses need to prepare appeared first on SC Media.

Fin7 behind DiBella’s data breach affecting 305,000 cards

Fifteen months after DiBella’s Old Fashioned Submarines was notified by the FBI and credit card companies of a data breach, the sandwich shop chain has issued a notice informing its customers of the incident.

The company reported its stores in Connecticut, Indiana, Michigan, Ohio, New York and Pennsylvania may have had the information on as many as 305,000 payment cards compromised. DiBella’s said it was informed by the FBI and its credit card firms on August 27, 2018 of the data breach and that Fin7 were the likely actors behind the attack, gaining access to the company’s payment card data and computer system.

The majority of the locations were victimized between March 22, 2018 and December 28, 2018, with its Cranberry, Penn. store possibly being hit as early as September 2017. The customer data involved included individual names, payment card numbers, expiration dates, and CVV numbers, DiBella’s stated.

DiBella’s has not yet returned an SC Media inquiry into why the company waited until now to disclose the issue.

The company does not know which individuals were impacted and said it has not received any customer complaints about their payment cards being misused. But it is warning anyone who visited the locations in question to

The leaders behind FIN7, aka the Carbanak gang, were caught by law enforcement starting in January and June of 2018. In August 2018 the U.S. Department of Justice made public arrests of the three Ukrainian men who allegedly were key players in the cyber gang. However, the arrests did not stop other members of the gang from continuing their activities.

The security notice said the malware found on the company’s system ties the attack to Fin7.

The post Fin7 behind DiBella’s data breach affecting 305,000 cards appeared first on SC Media.

Catch NYC, Catch Steak hit with payment card skimming malware


About

IT Security.org are based in the UK, offering a range of IT security solutions ranging from compliance and risk management to testing, training and much more.


© Copyright ITSecurity.Org Ltd 2015-2019 All Rights Reserved. Company Registration Number:11208508. Registered office address: 27 Old Gloucester Street, Holborn, London, United Kingdom, WC1N 3AX. VAT Reg.299747227