Panera and Saks grab the headlines. But amid data leaks the lures for the bad guys go far beyond the credit card number. Names, addresses and emails give ammunition for phishing ploys that can compromise firms as harried, multi-tasking employees provide entry points, as Cofense CTO Aaron Higbee tells PYMNTS’ Karen Webster.
Loaves. And phishes.
This is no nod to miracles.
In news reported earlier this week, Panera Bread leaked data from its website tied to thousands of customer records, ranging from individual names to addresses and e-mails and even partial credit card data.
Not the type of news that’s easily digested.
Panera has said the breach hit fewer than 10,000 customers. Security researchers say the breach is far more pervasive, with estimates stating that as many as 37 million accounts may have been affected.
Of course, the Panera news comes pretty much in tandem with the headlines that consumer credit card data was siphoned off by hackers from the Saks Fifth Avenue and Lord & Taylor locations.
The group claiming responsibility for the retailer attacks, known as the JokerStash hacking syndicate, says it has stolen five million cards over the past year.
Differences of degree, a wide one, but not of kind. The fact remains that records leaked mean that scammers now have fresh data with which to ply their trade. Panera may be a gateway of sorts to new phishing attempts, cobbled together from far-flung data sources.
More on that in a moment. Are we back to the days of Target-sized breaches, where POS is shorthand not just for point of sale but point of steal?
In an interview with PYMNTS’ Karen Webster, Aaron Higbee, CTO and co-founder of Cofense (formerly PhishMe), said that in reference to the Saks breach, “this one was a bit surprising, obviously because we’re in the phishing defense business – and the first time we see a big headline like this we start trying to look at our own intelligence sources … but we don’t have any examples as their previous phishing details, so I say it’s still kind of to be determined” how the hackers gained access to data.
And, he added, if the attackers had been in the system, so to speak, for a long time (as the syndicate claims), the true point of origin may never be uncovered.
But consider a few points, along with a caveat: Though not all attacks gain entry to victimized enterprises through phishing attempts, as many as 90 percent of breaches do indeed start with phishing.
And phishing is a sure way to lure the unwitting in an age where multi-tasking – across devices, email accounts, instant messaging and documents flying fast and furious – makes an errant click-and-download a potentially disastrous event.
With a nod to the Panera event, Higbee stated, “if you look at the type of data that was exposed, it was customer names, email addresses, phone numbers and, in some cases, mailing addresses.
“On the surface, that seems more like a nuisance, but in the right hands it wouldn’t take too much programming knowledge to put together [phishing scams], because that would appeal to someone who uses the connection or reward system – especially if you have their name and phone number.”
Here, then, is a new(ish) tack by the bad guys. Credit card data has its lures, but is hardly evergreen. Hackers, as Webster noted, use stolen cards in a hurry, with an eye on racking up charges before the cards are shut down. It’s better business, then, for the bad actors to cobble together identities or lure prey through relatively sophisticated phishing attacks.
Team efforts are in play in this arena, said Higbee, when it comes to phishing.
“The way that they’re organized, there are certain teams that just merge data from different compromises.”
What’s new on the bad news radar?
Well, for starters, said Higbee, it’s tax season.
“People are already stressed out thinking about filing their taxes, and they don’t want to make mistakes,” he noted. “So every year like clockwork, you can bet on phishing-related scams. And one of them that could be more nefarious is people submitting fraudulent returns on your behalf with banking credentials, so that they get refunds sent to that account.” The personal details, he said, could have been gleaned from previous breaches, including names and Social Security numbers. The scams can even include fake W-2s.
Phishing – the kind that leverages employees as an entry point to an enterprise’s data trove – may be more widespread than many expect, he said. Cofense has found in its own analyses of phishing that 10 percent of the missives in a worker’s inbox are malicious in nature.
“And so what that means,” he told Webster, “is that phishing e-mails are going through two layers of technology and only are discovered because employees are reporting it.” The links that are commonly cause for concern – you know, those links that you should not open – are becoming a bit, well, well-hidden.
They may not be in plain sight within the body of an email, but may instead be a link, for example, embedded in a PDF.
And then there’s the “urgent” email from a company higher-up that seems legit, urging a CFO or another executive to wire funds to an account.
To combat those schemes, said Higbee, every firm needs to have what he called a rigorous control process, delineating who can send wires when a given executive or executives are out and who can authorize payments.
“A lot of companies that are falling victim to [phishing scams] are missing that critical financial control and audit oversight procedure.”
Suspicion abounds, which is healthy and yet also causes friction. Higbee stated that in the age of the cloud, many firms are outsourcing business functions and programs, with tools operating by dint of emails complete with … you guessed it, links. By way of example, he noted, even with Cofense, HR has seen employees “reporting” legitimate new benefits program rollouts.
“It’s a little bit inconvenient,” he acknowledged, “but I’d rather have staff being suspicious and reporting than getting compromised.”