Security Central: Hurricane Harvey Breeds Hackers, PoS Systems Fatally Flawed

This week’s Security Central takes a peek inside Hurricane Harvey’s cyber scams, explores the fatal flaws of POS systems, and takes a look at the new Defray ransomware.

Hurricane Harvey hammered Houston, TX and the surrounding areas over the past two weeks, resulting in unimaginable flooding, damage, loss, and of course, disaster-exploiting scams. When disaster strikes, you can bet cyber-lowlifes won't be far behind, just waiting for their chance to prey on the generosity of well-meaning folks.

People wishing to donate to charitable causes to support relief efforts have taken to Facebook and Twitter to donate money, leading some right into hackers' waiting snare. According to an article by Fortune, scammers have been using Hurricane Harvey-themed messages to trick people into opening phishing emails and clicking links on social media sites. Completing any of these actions can hand hackers login information, infect machines with malware, or open the door to ransomware.

On Monday, US-CERT, a cybersecurity arm of the U.S. Department of Homeland Security, issued a warning about the threat.

"[R]emain vigilant for malicious cyber activity seeking to capitalize on interest in Hurricane Harvey," the advisory read. "Emails requesting donations from duplicitous charitable organizations commonly appear after major natural disasters."

Sickening, isn't it? There are specific things to watch out for here, and there are ways to be smart about this and stay savvy moving forward. According to a post by KnowBe4's Stu Sjouwerman, here are some examples of things to watch out for:

  • Facebook pages dedicated to victim relief contain links to scam websites.
  • Tweets are going out with links to charitable websites soliciting donations, but in reality they include spam links or links that lead to a malware infection.
  • Phishing emails dropping in a user's inbox asking for donations to #HurricaneHarvey Relief Fund.

What else can you do and warn your customers about? Plenty. 1.) Make sure your software is up to date, as outdated systems are often a goldmine for hackers. 2.) Be careful what you click (duh). Don't trust the source? Don't click it. Seem a little, even just a teensy bit suspicious? Don't click it. Trust the source but it still seems a bit shady? Don't. Click. It. 3.) Be sure the organization you're giving money to is legitimate. Here's a rundown of some reputable charities assembled by Fortune.

Our second story takes a look at weak Point of Sale (POS) systems. According to Security Week, POS systems developed by SAP and other vendors have major holes and vulnerabilities that can be exploited by hackers. These flaws give attackers access to payment card data from the targeted organization’s network and the ability to change the price of items they want to purchase. Pretty neat trick, eh?

Researchers at ERPScan discovered that SAP's POS product was plagued by several huge flaws. Specifically, the system's server component, Xpress Server, was missing important authorization checks for critical functionality. This opens the door for an attacker to send malicious configuration files to Xpress Server and gain full control of the entire PoS system, both frontend and backend.

Once this happens, a hacker can have a field day. They can steal data from all the credit and debit cards used at the targeted store and apply discounts to specified items. An attacker can also tweak the data on a customer's printed receipt, including their full payment card number (not just the last 4 digits).

Gaurav Banga, founder and CEO of Balbix, states that enterprises struggle with managing risk from vulnerable third-party unmanaged assets on their network, such as PoS systems. "These devices are a part of critical business processes and have a significant breach impact," says Banga. "What is needed is complete visibility of third-party and unmanaged assets on the network along with automatic calculation of business impact to identify threats such as vulnerable PoS systems - before they get breached."

Our final story examines a new ransomware strain that has appeared in the cyber Wild Wild West. It's called the Defray Ransomware, and it is targeting the healthcare, education, manufacturing and tech sectors in the US and UK using customized spear phishing emails. A real pain in the rear, so to speak.

According to our pals at KnowBe4, Defray, which ironically means "to provide money to pay a portion of a cost or expense," is demanding a ransom of $5,000 in Bitcoin. Essentially, the ransomware is delivered through spear-phishing emails with malicious Microsoft Word document attachments, and the campaigns consist of just a few messages each. The attacks are extremely advanced and sophisticated, leading experts to believe that the group responsible is a highly organized cybercrime gang.

"The ransom note follows a recent trend of fairly high ransom demands; in this case, $5000," said Proofpoint researchers in a blog post on Thursday of last week. "However, the actors do provide email addresses so that victims can potentially negotiate a smaller ransom or ask questions, and even go so far as to recommend BitMessage as an alternative for receiving more timely responses. At the same time, they also recommend that organizations maintain offline backups to prevent future infections."

The experts went on to say that the Defray Ransomware is somewhat unorthodox in that it is used in small, targeted attacks. Although the cyber world is beginning to see a trend toward more frequent targeting in ransomware attacks, this still remains less common than large-scale "spray and pray" campaigns.

Stu Sjouwerman says it best: "As we have been saying, stepping end-users through new-school security awareness training combined with frequent simulated phishing attacks which can have Office attachments, is a must these days." We couldn't agree more.

The views expressed in this column do not necessarily reflect the views of Penton Media or The VAR Guy editorial staff.
