[BreachExchange] Some Ontario beer chain outlets forced to use cash-only after cyber attack

Destry Winant destry at riskbasedsecurity.com
Fri Mar 27 10:25:30 EDT 2020


https://www.itworldcanada.com/article/some-ontario-beer-chain-outlets-forced-to-use-cash-only-after-cyber-attack/429003

Some of Ontario’s 450 industry-owned retail beer outlets known as The
Beer Store have been forced to accept only cash for sales after a
cyber attack.

On Thursday morning, the company put out the following tweet:
“Overnight, we were subjected to a cyber attack and are following
internal response protocols. Some of our locations are operating with
cash only.”

The statement doesn’t make it clear if the attack was successful. Nor
is it clear if the chain’s point of sale system (POS) or website was
attacked. The site offers shoppers the ability to order and pay for
cases of beer to either be picked up at a store or delivered to a home.

A Beer Store spokesperson couldn’t be reached for comment at press time.

While POS attacks on retailers have been frequent for years, hackers
are now infiltrating web pages and e-commerce transaction providers to
insert code and skim off payment card numbers. Broadly speaking, these
are called Magecart attacks after the gang that is thought to have
originated the strategy. One of the most recent victims was the
kitchen container manufacturer Tupperware.

The Tupperware compromise was discovered March 20th by security vendor
Malwarebytes and may have started March 9th. The official
tupperware[.]com site, which averages close to 1 million monthly
visits, as well as a few of its localized versions, was compromised
with malicious code hidden within an image file that activates a
fraudulent payment form during the checkout process, researchers said.

For the technically-minded, the scam works by having code launch a
malicious iframe on top of the legitimate payment page. When a
purchaser first enters data into the rogue iframe, they are
immediately shown an error, disguised as a session time-out. This
allows the threat actors to reload the page with the legitimate
payment form. Victims enter their information a second time, but by
then, the data theft has already happened.
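
A defender-side check for the overlay technique described above, as an
added example that is not part of the original article: it classifies
iframe sources seen on a checkout page against an allowlist of expected
origins. The origins shop.example and payments.example and the function
names are assumptions for illustration.

```javascript
// Added example: audit iframe sources on a checkout page against an
// allowlist. PAGE_ORIGIN and ALLOWED_FRAME_ORIGINS are hypothetical values.
const PAGE_ORIGIN = "https://shop.example";
const ALLOWED_FRAME_ORIGINS = new Set([PAGE_ORIGIN, "https://payments.example"]);

// Classify one iframe `src` value. Returns { src, verdict, reason }.
function classifyFrame(src, pageOrigin = PAGE_ORIGIN, allowed = ALLOWED_FRAME_ORIGINS) {
  const raw = (src || "").trim();
  // Frames with no src (or about:blank) are filled in by script: review them.
  if (raw === "" || raw.toLowerCase() === "about:blank") {
    return { src: raw, verdict: "review", reason: "script-populated frame" };
  }
  let url;
  try {
    url = new URL(raw, pageOrigin + "/"); // resolves relative and //host paths
  } catch {
    return { src: raw, verdict: "alert", reason: "unparseable src" };
  }
  // data:, javascript:, blob: and plain http: frames have no place here.
  if (url.protocol !== "https:") {
    return { src: raw, verdict: "alert", reason: `non-https scheme ${url.protocol}` };
  }
  // Exact origin match, so lookalike hosts that merely start with an
  // allowlisted name do not pass.
  if (!allowed.has(url.origin)) {
    return { src: raw, verdict: "alert", reason: `unexpected origin ${url.origin}` };
  }
  return { src: raw, verdict: "ok", reason: "allowlisted origin" };
}

// Return only the frames that need attention.
function auditFrames(srcList) {
  return srcList.map((s) => classifyFrame(s)).filter((r) => r.verdict !== "ok");
}

// In a browser, report iframe elements added after load, judged by the src
// they carry at insertion time (skipped when no DOM is available).
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  new MutationObserver((mutations) => {
    for (const m of mutations) for (const node of m.addedNodes) {
      if (node.nodeName !== "IFRAME") continue;
      const r = classifyFrame(node.getAttribute("src"));
      if (r.verdict !== "ok") console.warn("checkout frame audit:", r);
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

A Content-Security-Policy frame-src directive listing the same origins
enforces this in the browser; the script above only reports.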

There was quite a lot of work done on the Tupperware scam, notes
Malwarebytes. The fraudsters even copied the session time-out message
from CyberSource, the Visa-owned payment platform used by Tupperware.
If there was a real timeout, CyberSource would have cancelled the
payment form. Malwarebytes has alerted Visa about the problem.

There are several ways an e-commerce page can be compromised by the
addition of malicious code, but the most common is the compromise of
the password of the administrator(s) of the web pages. This is done
either by a brute force attack or by tricking an administrator through
a phishing attack into giving up a password. This attack can be defeated
by having web site administrators use multi-factor authentication for
logins.

David Masson, director of enterprise security for security vendor
Darktrace, suggested it is no coincidence that nation-states and
cybercriminals are taking advantage at a time when people are shopping
more online because of the COVID-19 pandemic. “These adversaries thrive in
moments of uncertainty and confusion when people are starved for
information and at home glued to their computers,” he said in a
statement sent to the publication. “The attack on The Beer Store is
just the latest example of a cyber attack taking advantage of the
current situation – it is certainly not the only, nor the last target.
Companies are focused on restructuring workflows and maintaining
revenue streams, while IT teams are building out remote work
capabilities. If a company sustains a cyber attack that causes even
more disruption at this time, it is likely that the business will
struggle to recover.”

