Details have emerged of three new breaches: one affecting Big Fish Games' website, one affecting the Jefferson National Park Association's gift shop POS systems, and a spear-phishing attack targeting employees of State of Franklin Healthcare Associates. NNT provide more details of what happened and how, and of how other organizations can protect themselves.
Big Fish Games have reported this week that they self-discovered an incident on January 12, 2015, involving the theft of payment card data and Personally Identifiable Information from their website. Customers affected made purchases between December 24, 2014, and January 8, 2015.
Their letter to affected customers goes on to state that the malware has been removed and they have taken steps to prevent a reinstallation.
It isn’t clear at this stage how the malware infection was instigated, or whether there is any link to the previously reported breaches of eCommerce/web retailer sites such as Book2Park.com, Park ‘N Fly, and IDParts.com.
Jefferson National Parks Association issued a press release last week reporting that malware had been discovered on POS systems at the Levee Mercantile and Museum Store gift shops.
The malware had been in place since August 2014; the source was eventually identified as JNPA in December. Payment card brands and providers identify a breach source by correlating fraudulent transactions to find the factor common to all of the affected cards, typically the merchant at which every victim had shopped. This allows the breach source to be pinpointed and action to be taken, but it always takes time for victims to notice suspicious transactions and report them to their bank, and by then the card data theft has usually been running for months.
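The correlation step described above, as an added example that is not part of NNT's article: a common-point-of-purchase analysis over constructed card histories (the card ids, merchants, dates and the identification date are all invented for illustration), ranking merchants by how disproportionately the compromised cards share them and measuring how long the suspected merchant had been exposing cards before the correlation pointed at it.

```python
from collections import defaultdict
from datetime import date
# Constructed sample data, not real card data: (card_id, merchant, purchase date).
# Cards c1-c4 were later reported as fraud victims by their owners; c5-c8 were not.
TRANSACTIONS = [
    ("c1", "JNPA Gift Shop", date(2014, 8, 3)),
    ("c1", "Coffee Kiosk", date(2014, 8, 3)),
    ("c2", "JNPA Gift Shop", date(2014, 9, 10)),
    ("c2", "Grocery", date(2014, 9, 11)),
    ("c3", "JNPA Gift Shop", date(2014, 10, 2)),
    ("c3", "Grocery", date(2014, 10, 3)),
    ("c4", "JNPA Gift Shop", date(2014, 11, 20)),
    ("c4", "Coffee Kiosk", date(2014, 11, 21)),
    ("c5", "Grocery", date(2014, 9, 5)),
    ("c6", "Grocery", date(2014, 10, 7)),
    ("c7", "Grocery", date(2014, 11, 1)),
    ("c8", "Coffee Kiosk", date(2014, 11, 3)),
]
FRAUD_CARDS = {"c1", "c2", "c3", "c4"}
IDENTIFIED_ON = date(2014, 12, 1)  # constructed; the article only says "December"

def common_point_of_purchase(transactions, fraud_cards):
    """Rank merchants by how much more often compromised cards shopped there than
    cards with no fraud report. Returns (merchant, victim_share, clean_share, score)."""
    visited = defaultdict(set)  # merchant -> ids of cards that shopped there
    all_cards = set()
    for card, merchant, _ in transactions:
        visited[merchant].add(card)
        all_cards.add(card)
    clean_cards = all_cards - fraud_cards
    ranked = []
    for merchant, cards in visited.items():
        victim_share = len(cards & fraud_cards) / len(fraud_cards)
        clean_share = len(cards & clean_cards) / len(clean_cards) if clean_cards else 0.0
        # A merchant everyone uses scores near zero even if every victim shopped
        # there; the breach point is the one victims share disproportionately.
        ranked.append((merchant, victim_share, clean_share, victim_share - clean_share))
    ranked.sort(key=lambda r: r[3], reverse=True)
    return ranked

def exposure_window(transactions, merchant, fraud_cards, detected_on):
    """Earliest victim purchase at the suspected merchant and the number of days
    the skimming had been running before correlation pointed at that merchant."""
    first = min(d for card, m, d in transactions if m == merchant and card in fraud_cards)
    return first, (detected_on - first).days

if __name__ == "__main__":
    ranking = common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS)
    print(ranking[0])  # ('JNPA Gift Shop', 1.0, 0.0, 1.0)
    print(exposure_window(TRANSACTIONS, ranking[0][0], FRAUD_CARDS, IDENTIFIED_ON))
```

With only a handful of victim reports the ranking is noisy; in practice the score is recomputed as reports arrive, which is why the lag between first exposure and identification runs to months.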
2014 saw numerous high-profile POS malware attacks resulting in card data theft, including the recently reported Marriott Hotel breach, Chick-Fil-A, and Staples, leading to renewed focus on the PCI DSS requirements for system hardening and File Integrity Monitoring.
Finally, employees at State of Franklin Healthcare Associates have been targeted in a spear-phishing scam. The intent of the attack was to elicit social security numbers and personally identifiable information, which would then be used to file fake tax returns and claim the refunds. Why this particular organization’s employees were targeted is unclear, but it is well known that the more targeted and personalized a phishing attack is (at which point it becomes classed as spear phishing), the more likely it is to bear fruit. For our notes on phishing attack protection see our article ‘Batten down the hatches! Looking at ways to enhance protection against ransomware, APTs and other phishing malware’.