Manager tricked into downloading POS malware by phoney IT staffer

Howard Solomon @HowardITWC
Published: September 12th, 2016

Usually we don’t report breaches of foreign organizations unless there’s a Canadian angle, but we want to draw the attention of infosec pros to a news story about how a Texas branch of a taco restaurant chain was scammed through a nasty spear phishing attack detected last week.

According to a television news report, the Abilene police fraud squad says a hacker spoofed an email from an IT employee to the store’s manager, who was asked to download a program on a computer connected to the restaurant’s point of sale systems. The program was malware that infected the POS, enabling the thief to get credit card information between July and Sept. 1.

More than 2,000 people may have been victims. The credit card numbers were quickly sold online to criminals who used them to make purchases all across Texas.

Several things from this incident:

–it’s yet another example of why awareness training is so important to all staff members, including managers. That training has to emphasize that email should be treated with suspicion;

–the target was an outlet of a franchised chain — in other words, a small business. Retail small business be warned: You are targets, too;

–the news story doesn’t make it clear if the chain’s head office provides IT support, or if that is the responsibility of each outlet owner. I assume a franchised chain mandates franchisees use certain software, but it may allow each outlet to buy their own compatible hardware (such as POS terminals) as long as they meet certain standards. If so, IT support can be a mixture of central and local providers. In such cases franchise head offices have to educate franchisees on secure procedures;

–the issue isn’t whether credit card information is easier to get at in the U.S. than Canada. The issue is that if someone can be tricked into downloading POS malware, they can be tricked into downloading other kinds of malware;

–a pat on the back to the local police force for publicly divulging how the breach was committed. We need more of this from victim organizations so word can spread on what to look out for.