Site icon IT World Canada

Manager tricked into downloading POS malware by phoney IT staffer

Data Breach Graphic

Image from Shutterstock.com

Usually we don’t report breaches of foreign organizations unless there’s a Canadian angle, but we want to draw attention of infosec pros to a news story about how a Texas branch of a taco restaurant chain was scammed through a nasty spear phishing attack detected last week.

According to a television news report, the Abilene police fraud squad says a hacker spoofed an email from an IT employee to the store’s manager, who was asked to download a program on a computer connected to the restaurant’s point of sale systems. The program was malware that infected the POS, enabling the thief to get credit card information between July and Sept. 1.

More than 2,000 people may have been victims. The credit card numbers were quickly sold online to criminals who used them to make purchases all across Texas.

Several things from this incident:

–it’s yet again another example of why awareness training is so important to all staff members, including managers.That training has to emphasize that email should be treated with suspicion;

–the target was an outlet of a franchised chain — in other words, a small business. Retail small business be warned: You are targets, too;

–the news story doesn’t make it clear if the chain’s head office provides IT support, or if that is the responsibility of each outlet owner. I assume a franchised chain mandates franchisees use certain software, but it may allow each outlet to buy their own compatible hardware (such as POS terminals) as long as they meet certain standards. If so  IT support can be a mixture of central and local providers. In such cases franchise head offices have to educate franchisees on secure procedures;

–the issue isn’t whether credit card information is easier to get at in the U.S. than Canada. The issue is if someone can be tricked into downloading POS malware they can be tricked into downloading other kinds of malware;

–a pat on the back to the local police force for publicly divulging how the breach was committed. We need more of this from victim organizations so word can spread on what to look out for.

Exit mobile version