Update 4/25: The InterContinental Hotels Group has recently released data stating that point-of-sale servers at more than 1,000 of its properties were compromised with the malware used to steal customer debit and credit card data. The article has been updated to reflect these new numbers.
The InterContinental Hotels Group has found themselves dealing with an unwanted guest, as the group has acknowledged that over 1,000 of their hotels were infected with malware. That malware, as it turns out, wasn’t necessarily after the hotel group’s data, instead turning to the restaurants and bars located inside of the resorts to capture customer credit card information.
So how exactly did this malware swipe customer data ranging all the way from August to December of 2016? In their statement, the group noted they found malicious software installed on point-of-sale servers at some of the restaurants and bars of over 1,000 IHG-managed properties, some of which include notable spots in San Francisco and Los Angeles such as Top of the Mark and Mari Los Angeles.
This means the malware could have been installed either over the network or, more likely, from a USB stick containing the malware. Remember – many of these payment terminals are unguarded and still powered on at night, not to mention USB ports are easily accessible.
Then, by simply using an autorun script on a prepared USB stick carrying the malware, cybercriminals could upload and install it in less than 15 seconds.
Regardless of the methodology, this malware was unfortunately able to steal a plethora of customer data stored on the magnetic stripe on the backs of credit and debit cards, including the cardholder name, card number, expiration date, and internal verification code.
And with the exact amount of stolen data still unknown, this massive breach only adds to the long list of point-of-sale-based credit card breaches, which have been continuous over the past two years.
So, what can big organizations similar to InterContinental learn from this attack? First and foremost, USB access should be restricted, which can be done by shielding ports or by whitelisting applications. Keep in mind that these terminals are running a thin version of an operating system (mostly Windows Embedded) and do not have a lot of memory.
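The two controls above (restricting USB access and whitelisting applications) can be applied to a Windows-based terminal without installing anything extra. The following script is an added example and is not IHG's or McAfee's code; it assumes an elevated PowerShell 3.0 or later session on a Windows edition that ships AppLocker, and it assumes the POS software is installed under the hypothetical path `C:\POS`. The registry values are the documented Group Policy-backed ones for AutoRun and removable storage; the AppLocker policy is generated from what is actually installed so that anything else, including a binary dropped from a USB stick, is not allowed to run.

```powershell
# Added example: harden a Windows-based POS terminal against USB autorun and
# unapproved executables. Run elevated. $PosAppRoot is a hypothetical path.

$PosAppRoot = 'C:\POS'   # hypothetical: where the approved POS software lives

function Disable-AutoRun {
    # NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type, so an
    # autorun.inf on an inserted stick is never acted on.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Block-RemovableStorage {
    # Policy-backed equivalent of "All Removable Storage classes: Deny all access".
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'Deny_All' -Value 1 -Type DWord
    # Belt and braces: keep the USB mass-storage driver from loading at all (Start = 4).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start' -Value 4 -Type DWord
}

function New-PosAllowList {
    param([string]$Root, [string]$OutFile, [string]$Mode = 'AuditOnly')
    # Build AppLocker rules from the installed software: publisher rules where the
    # binaries are signed, hash rules otherwise. Start in AuditOnly, review the
    # AppLocker event log for a few days, then regenerate with -Mode Enabled.
    $info = Get-AppLockerFileInformation -Directory $Root -Recurse -FileType Exe,Dll,Script
    $xml = New-AppLockerPolicy -FileInformation $info -RuleType Publisher,Hash -User Everyone -Optimize -Xml
    # New-AppLockerPolicy emits rule collections as NotConfigured; set the mode explicitly.
    $xml -replace 'EnforcementMode="NotConfigured"', ('EnforcementMode="{0}"' -f $Mode) |
        Out-File -FilePath $OutFile -Encoding utf8
    $OutFile
}

function Enable-PosAllowList {
    param([string]$PolicyXml)
    # AppLocker enforces nothing unless the Application Identity service is running.
    Set-Service -Name AppIDSvc -StartupType Automatic
    Start-Service -Name AppIDSvc
    Set-AppLockerPolicy -XmlPolicy $PolicyXml
}

function Test-PosHardening {
    # Read the settings back so a fleet-wide check can report which terminals drifted.
    $explorer = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    $rsd      = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -ErrorAction SilentlyContinue
    $usbstor  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    [pscustomobject]@{
        AutoRunDisabled   = ($explorer.NoDriveTypeAutoRun -eq 0xFF)
        RemovableDenied   = ($rsd.Deny_All -eq 1)
        UsbStorDisabled   = ($usbstor.Start -eq 4)
        AppLockerEnforced = ((Get-AppLockerPolicy -Effective -Xml) -match 'EnforcementMode="Enabled"')
    }
}

Disable-AutoRun
Block-RemovableStorage
$policy = New-PosAllowList -Root $PosAppRoot -OutFile "$env:ProgramData\pos-allowlist.xml"
Enable-PosAllowList -PolicyXml $policy
Test-PosHardening
```

The order matters: generate the allow list before enforcing it, and run it in audit mode first, because a terminal whose own POS binaries are blocked is a terminal that cannot take payments. `Test-PosHardening` returns a single object per terminal, which is convenient to collect centrally and compare across properties.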
Additionally, it’s clear that organizations are missing malware samples – similar to this breach – because their defenses are disjointed. They are not only missing the targeted malware, but also missing the outbound communications / exfiltration of data as well. The key is to deploy and make use of newer technologies that baseline the environment and raise an alert when new files arrive. Once you have a baseline of the files, you should work towards integrating endpoint technology with the network to reveal outbound communications that might otherwise slip through the cracks.
For example, McAfee Endpoint Protection and our DLP solution would recognize the malware sample that is attempting to access sensitive data. They would then reveal the outbound communications and inform the network (Firewall, IPS, Web Proxy). The end result is the takedown of outbound communications, removal of the malware, and gained visibility into the data that was targeted. Furthermore, that intelligence should be shared from the first hotel that was attacked to all of the other locations.
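The baseline-then-correlate flow described above can be shown end to end with nothing but built-in cmdlets. This is an added example, not McAfee's product code and not part of the original article; it assumes PowerShell 4.0 or later (for `Get-FileHash`) on a terminal where the POS software and its data live under the hypothetical paths `C:\POS` and `C:\ProgramData\POS`. The first run records a file hash baseline; later runs report files that are new or modified and, for any newcomer that is running, list its established outbound connections, which is the record you would hand to the firewall or proxy and share with the other properties.

```powershell
# Added example: baseline the files on a POS terminal, detect drift, and tie any
# new executable to its outbound connections. Paths below are hypothetical.

$WatchRoots   = @('C:\POS', 'C:\ProgramData\POS')
$BaselineFile = "$env:ProgramData\pos-baseline.csv"

function Get-FileInventory {
    param([string[]]$Roots)
    # SHA-256 of every file under the watched roots, keyed by full path.
    Get-ChildItem -Path $Roots -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName
                Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Save-Baseline {
    param([string[]]$Roots, [string]$OutFile)
    # Take the baseline on a known-good terminal, right after imaging. The same CSV
    # can be pushed to every property running the same image.
    Get-FileInventory -Roots $Roots | Export-Csv -Path $OutFile -NoTypeInformation
}

function Compare-ToBaseline {
    param([string[]]$Roots, [string]$BaselineFile)
    # Emits one record per file that is absent from the baseline or whose hash changed.
    $baseline = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $baseline[$_.Path] = $_.Hash }
    foreach ($f in Get-FileInventory -Roots $Roots) {
        if (-not $baseline.ContainsKey($f.Path)) {
            [pscustomobject]@{ Path = $f.Path; Hash = $f.Hash; Change = 'New' }
        } elseif ($baseline[$f.Path] -ne $f.Hash) {
            [pscustomobject]@{ Path = $f.Path; Hash = $f.Hash; Change = 'Modified' }
        }
    }
}

function Get-OutboundForFile {
    param([string]$Path)
    # If the flagged file is running, list its established connections to non-private
    # addresses. Get-NetTCPConnection exists on Windows 8 / Server 2012 and later;
    # older POS images would need to parse 'netstat -ano' instead.
    $private = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
    foreach ($p in (Get-Process | Where-Object { $_.Path -eq $Path })) {
        Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -notmatch $private } |
            ForEach-Object {
                [pscustomobject]@{
                    File          = $Path
                    Pid           = $p.Id
                    RemoteAddress = $_.RemoteAddress
                    RemotePort    = $_.RemotePort
                }
            }
    }
}

# First run: record the baseline. Later runs: report drift, then correlate any new
# or modified executable with its outbound traffic and export for the network team.
if (-not (Test-Path $BaselineFile)) {
    Save-Baseline -Roots $WatchRoots -OutFile $BaselineFile
} else {
    $drift = Compare-ToBaseline -Roots $WatchRoots -BaselineFile $BaselineFile
    $drift | Format-Table -AutoSize
    $drift | Where-Object { $_.Path -match '\.(exe|dll)$' } |
        ForEach-Object { Get-OutboundForFile -Path $_.Path } |
        Export-Csv -Path "$env:ProgramData\pos-outbound-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
}
```

Two caveats a practitioner would want. First, a baseline is only as trustworthy as the terminal it was taken on, so take it from a freshly imaged machine, not from one that has been on the floor for months. Second, the private-address filter is a convenience for reading the output, not a security boundary; exfiltration staged through an internal host would still show up as a new file in the drift report, just without an external destination attached.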
The moral of the story here is that integration often yields better visibility, more knowledge sharing, and proactive mitigation of attacks.
By keeping your security structure integrated, you give your organization a better chance of detecting threats before they do real damage – like stealing 4 months’ worth of customer credit card data.
To learn more about the InterContinental breach and others like it, follow us on Twitter @McAfee_Business