Big Brown has been breached. United Parcel Service (UPS) on Wednesday announced that about 105,000 customer transactions at 51 of its UPS Store locations in 24 states could have been compromised between January and August.
UPS discovered the breach in response to a government bulletin warning of a broad-based malware intrusion that traditional anti-virus software programs weren’t catching. UPS hired an IT security firm to review its systems -- and systems at its franchisees -- and discovered the breach. UPS eliminated the malware on August 11 and has posted details about which stores were affected.
The list of stores includes between one and four locations in each of the following states: Arizona, California, Colorado, Connecticut, Florida, Georgia, Idaho, Illinois, Louisiana, Maryland, Nebraska, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, South Dakota, Tennessee, Texas, Virginia, and Washington.
"I understand this type of incident can be disruptive and cause frustration. I apologize for any anxiety this may have caused our customers," said Tim Davis, president, The UPS Store. "As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident.”
Dissecting the Malware
We caught up with Aviv Raff, CTO and chief researcher at advanced threat protection firm Seculert, to get his thoughts on the UPS breach. He told us this is another example -- just like the recent Community Health Systems breach that gave hackers access to 4.5 million patient records -- of how persistent attackers were able to successfully plant their attack tools.
“Enterprises are now coming to a conclusion that they are either already compromised, or will soon be,” Raff said. “It's not a matter of ‘if,’ it's a matter of ‘when.'”
Raff pointed out that UPS basically admitted that the attackers were in its systems, undetected, for four to eight months. That, he said, shows how necessary it is for enterprises to start using security tools that are able to detect attacks not just in real time but, more importantly, over time by analyzing historical and ongoing traffic logs.
We also turned to Tim Erlin, director of IT security and risk strategy at security firm Tripwire, to get his take on the latest breach. He told us the presence of malware on point-of-sale systems and infrastructure is a clear and present threat for any retail establishment.
“Given the ongoing disclosures in the news, there’s simply no excuse for not employing the tools and tactics available to ferret out this malicious software,” Erlin said. “It’s time that we, as an industry, force the attackers to change their tactics through a more effective defense.”
Ken Westin, a security analyst at Tripwire, told us this type of malware has been successfully used in some of the biggest retail credit card breaches the security industry has seen, like Target, Neiman Marcus, and PF Chang’s.
“This family of point-of-sale malware goes as far back as October 2013,” he said. “It relies on scraping unencrypted credit card data from the memory of infected devices, much like previously seen malware.”
Consistent Security Standards
Westin called the malware itself “sophisticated” but said the method of intrusion is not. Attackers use publicly available scanning tools to detect point-of-sale systems running remote desktop applications. Then, he said, they rely on application vulnerabilities or brute forcing to gain access to systems where they installing the malware.
Finally, Dwayne Melancon, chief technology officer at Tripwire, told us the situation at UPS illustrates the challenges of managing security in a distributed, lightly managed environment.
“It is crucial that organizations adopt a consistent security standard, one they regularly assess to ensure their point-of-sales systems have not been compromised,” Melancon said. “The general trend toward continuous monitoring and standardize configurations, along with security configuration management, is a positive step. The challenge is implementing these controls quickly enough to make a difference.”