Attacks on payments systems come in a bewildering array of shapes and sizes, which makes it a nettlesome problem to decide which types of attack deserve the most defensive resources. Yet the stakes may be highest in the United States, where the average cost of a breach, at $225 per compromised record, is among the highest in the world, according to Corey Nachreiner, chief technology officer at WatchGuard Technologies Inc., a Seattle-based security firm.
Meanwhile, he warned, malware is growing more sophisticated and the average time to identify an attack stretches out for months. “The mean time to ID [an attack] really concerns me,” Nachreiner said on Tuesday during a security session at a conference of retail point-of-sale resellers in Nashville, Tenn. “It takes 190 days—that’s a crazy amount of time,” he added. “It’s a big, big problem.”
Much antivirus software still relies on signatures, that is, the file hashes or specific byte patterns of malware already seen in the wild, and criminals are masking that code through packing, encryption and per-build mutation in ways that are increasingly effective. Now, some 46% of malicious attacks get past signature-based antivirus programs, Nachreiner warned at the conference, sponsored by the Retail Solutions Providers Association, a Charlotte, N.C.-based trade group.
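The following is an added illustration of that point, not code from the talk or from WatchGuard: a toy "packer" re-encodes a constructed stand-in payload with a fresh key on every build, so each copy has a new hash and new on-disk bytes although the code that would run is unchanged. A hash-and-pattern scan misses every repacked copy; a scanner that first emulates the loader stub and then applies the same signatures to the recovered code still catches it. The payload, the signature database and the `XORSTUB1` stub format are all constructed for the example.

```python
import hashlib
import os

# Constructed sample: harmless marker strings standing in for a malicious payload.
# Nothing here executes; the bytes exist only to be matched.
PAYLOAD = (
    b"MZ\x90\x00 sample-stealer v1\n"
    b"cmd: powershell -nop -w hidden -enc SQBFAFgA\n"
    b"c2: 203.0.113.7:4444\n"
)

# A tiny signature database of the kind an antivirus engine ships:
# exact hashes of known samples plus byte patterns seen in them.
SIGNATURES = {
    "hashes": {hashlib.sha256(PAYLOAD).hexdigest()},
    "patterns": [b"sample-stealer", b"powershell -nop -w hidden -enc"],
}

STUB_MAGIC = b"XORSTUB1"  # constructed marker for the toy packer's loader stub


def static_scan(blob: bytes, sigs=SIGNATURES) -> bool:
    """Signature-based check on the file exactly as stored on disk."""
    if hashlib.sha256(blob).hexdigest() in sigs["hashes"]:
        return True
    return any(p in blob for p in sigs["patterns"])


def pack(payload: bytes, key: bytes) -> bytes:
    """Toy packer: XOR the payload with a per-build key and prepend a 'stub'.
    A real packer prepends decoder code; here the stub is magic + key length + key."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key must be 1..255 bytes")
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return STUB_MAGIC + bytes([len(key)]) + key + body


def emulate_stub(blob: bytes):
    """Model of what an emulator or sandbox does: run the loader stub to recover
    the code that would actually execute. Returns None if no stub is recognised."""
    if not blob.startswith(STUB_MAGIC):
        return None
    klen = blob[len(STUB_MAGIC)]
    start = len(STUB_MAGIC) + 1
    key = blob[start:start + klen]
    body = blob[start + klen:]
    if klen == 0 or len(key) != klen:
        return None
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def scan(blob: bytes, sigs=SIGNATURES) -> dict:
    """Layered check: static signatures first, then the same signatures on the unpacked code."""
    if static_scan(blob, sigs):
        return {"verdict": "malicious", "stage": "static"}
    unpacked = emulate_stub(blob)
    if unpacked is not None and static_scan(unpacked, sigs):
        return {"verdict": "malicious", "stage": "after-unpack"}
    return {"verdict": "clean", "stage": "none"}


def build_variants(n: int):
    """Each 'build' uses a fresh random key, so every variant is a new file to a
    hash-based signature even though the recovered code is identical."""
    return [pack(PAYLOAD, os.urandom(16)) for _ in range(n)]


if __name__ == "__main__":
    print("original:", scan(PAYLOAD))
    for v in build_variants(3):
        digest = hashlib.sha256(v).hexdigest()[:16]
        print(digest, "static:", static_scan(v), "layered:", scan(v))
```

The per-build key is why a signature written against one sample is worthless against the next one, and why the detection budget has to move from matching bytes on disk to examining what the code does once unpacked or run.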
With a darkening threat landscape, Nachreiner laid out what he called “the top six threats you need to worry about today.” The number-one malicious trend, he said, is so-called spear-phishing, which is a form of deceptive email targeted at specific company officials who have authority to send or release funds or who have access to key company information.
By now, these messages have become sophisticated enough that they are “a lot harder for a normal user to detect. It’s pretty scary stuff,” Nachreiner said. Increased training is one solution, he said.
The second-biggest trend involves so-called ransomworms, which combine ransomware with self-propagating worm code so that a single infection spreads across a network on its own. Nachreiner said the first such attack was identified only in May last year. The criminals behind these attacks are likely targeting “specific verticals,” Nachreiner said. “I’m actually surprised POS systems haven’t been hit,” he added. As with ordinary ransomware, the attacks encrypt data and withhold the key until the targeted entity honors a ransom demand.
The next four trends, in order, are: fileless malware, which evades file-based detection by running in memory through legitimate tools rather than writing an executable to the target’s disk; cryptojacking, in which criminals hijack systems to mine cryptocurrency (this trend is “blowing up,” Nachreiner warned); password leaks, in which weak, reused or already-exposed passwords give attackers entry to critical data; and POS malware, which, Nachreiner said, is actively sold on underground sites.
Even chip card data isn’t safe, Nachreiner said. Cyberthieves, he warned, are now “looking at ways to steal EMV data, too. You have to worry about this.” Eventually, though, the thieves “have to make a fake card,” something EMV “makes a lot harder,” he said. Network segmentation, in which payment systems sit on their own isolated segment so that an intruder who lands elsewhere on the network must cross additional, separately defended boundaries to reach them, can also be effective, he said.