Amidst the uproar over the massive government worker data breach, smaller intrusions continue to take place, such as a recent cyberattack against a restaurant chain's credit card system that prompted the FBI to issue a warning.

The announcement warned that criminal hackers are using new malicious software named after the TV character Punky Brewster, but spelled “Punkey,” to steal personal financial data. Investigators have high confidence that Punkey recently infiltrated the network of an unidentified restaurant chain.

“Cybercriminals continue to deploy point-of-sale malware due to the number of targets connected to the Internet and large potential profits,” the FBI alert said. “In the past year, there has been an increase in restaurants, casinos, hotels and resorts targeted by POS malware. Cybercriminals infect victim networks to extract credit card information and quickly monetize it within cybercriminal forums.”

The new Punkey malware, uncovered by Chicago security firm Trustwave, scans and “scrapes” un-coded, plaintext credit card information in the RAM of payment-processing devices such as card readers and POS terminals. The malware inserts itself into computers, performs system scans, encrypts hacked information, and then connects to remote servers used to store and retrieve stolen credit card data. Cybercriminals then post appropriated data for sale online.

Researchers at Trustwave and the U.S. Secret Service said Punkey operates similarly to another POS malware called NewPOSThings. Other POS malware uncovered in recent months includes PoSeidon, which is known to have infected restaurant, bar and hotel payment terminals in the United States.

Last week restaurant/grocery store chain Eataly reported a malware-related POS breach at its New York location, one of 27 reported internationally. The chain announced that based upon an extensive forensic investigation, it appears that unauthorized individuals installed malicious software designed to capture payment card information (including name, payment card account number, card expiration date and CVV security code) on the systems used to process payment card transactions between Jan. 16, 2015 and April 2, 2015.

“Using malware to breach POS systems is not surprising in the least,” Kevin Watson, CEO at Houston-based Netsurion, a security company that protects small businesses' payments and data, said. “It costs nothing for data thieves to attempt to hack a business. What SMBs need to understand is that every business is a worthwhile and valuable target.”

Watson added, “SMBs have no excuse for not using a more comprehensive solution to bolster security and decrease their chances of becoming the next headline.”

According to a National Small Business Association survey, more than half of 675 small businesses reported being victims of hackers' attacks last year, up from 44% in 2013. And of those companies that reported being hacked last year, 68% said they had been victimized at least twice. In 2013, cyber-attacks cost small businesses on average $8,699 per attack. That number skyrocketed to $20,752 per attack in 2014. For those firms whose business banking accounts were hacked, the average losses were $19,948 in 2014, up significantly from $6,927 in 2013.

Watson said common mistakes that can lead to small business credit card breaches include failing to protect incoming Internet traffic, adequately guard on-premise Wi-Fi, use two-factor authentication, control outbound Internet traffic, update anti-malware software and apply security patches to all operating systems.

“Almost every major breach in the last 24 months failed to incorporate at least one of these measures,” Watson said.


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. He has also been writer/editor of a semi-annual newsletter for the Association for Financial Technology since 1997 and has worked on history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).