The latest victim of a credit card/point-of-sale technology breach is Select Restaurants, the owner of several special-occasion eateries across the US.
According to its website (on which Google has placed a “this site may be hacked” warning label), Select’s stable of food joints includes Boston’s Top of the Hub; Parker’s Lighthouse in Long Beach, Calif.; the Rusty Scupper in Baltimore, Md.; Parkers Blue Ash Tavern in Cincinnati; Parkers’ Restaurant & Bar in Downers Grove, Ill.; Winberie’s Restaurant & Bar with locations in Oak Park, Ill. and Princeton and Summit, New Jersey; and Black Powder Tavern in Valley Forge, Pa.
According to Brian Krebs, the likely vector for the hack is Select’s PoS vendor, which is called 24×7 Hospitality Technology. Having obtained a copy of a letter that 24×7 Hospitality CEO Todd Baker sent to Select, Krebs reported that the company said that hackers had access to all of Select’s PoS systems from late October 2016 to mid-January 2017.
Indeed, the letter confirms that hackers had access to all of 24×7 customers’ payment systems. The systems, the letter said, were hacked by a “sophisticated network intrusion through a remote access application.”
“PoS malware can strike in a number of ways,” said John Christly, Global CISO, Netsurion, a provider of managed security services for multi-location businesses, via email. “Simple phishing emails can prompt internal personnel to accidentally open malicious links and attachments, resulting in malware on the network and connected devices. It can also involve hackers spreading malicious code by breaching the remote-access services designed to maintain the payment processing systems. These remote-access services can be poorly configured with guessable passwords, enabling the hackers to break in and distribute the malware to hundreds or thousands of PoS machines.”
24×7 said the attackers subsequently executed the PoSeidon malware variant, “which is designed to siphon card data when cashiers swipe credit cards at an infected cash register,” Krebs noted. He added, “Given how much risk and responsibility for protecting against these types of hacking incidents is spread so thinly across the entire industry, it’s little wonder that organized crime gangs have been picking off POS providers for Tier 3 and Tier 4 merchants with PoSeidon en masse in recent years.”
Select has yet to comment on the situation, and so far, nothing is known about the potential effect on restaurant patrons, including the number of compromised cards.
Christly noted that in today’s threat landscape, a typical firewall can no longer be set up once and run without consistent monitoring, tweaking and ensuring the data coming from it was correlated with other systems.
“Some of these breaches may look like normal web traffic coming out of the firewall, and other attacks can even seem like legitimate DNS traffic, which may pass right by the typical unmanaged firewall,” he explained. “It takes a different approach to stop some of these advanced attacks, and many products and service providers simply do not have the ability to stop them before they do real damage.”
Restaurants looking to protect themselves at the highest level should implement the following, he added: File integrity monitoring (to tell you when files have changed that weren’t supposed to change); unified threat management appliances (used to integrate security features such as firewall, gateway antivirus and intrusion detection); security information and event management (used to centrally collect, store and analyze log data and other data from various systems to provide a single point of view from which to be alerted to potential issues); and next-generation endpoint security solutions (used to stop attacks on the endpoint computers and servers before they can wreak havoc on other systems).
UPDATE - A reference to Buffalo Wild Wings locations being impacted after the company contacted Infosecurity claiming that it does not use POS, and uses NCR technology instead.