Restaurant Chain: Malware Infected PoS DevicesUnidentified Strain Targets Customer Payment Card Data
An unidentified strain of malware appears to have infected point-of-sale machines used at certain New York restaurants owned by the chain Catch. The malware exposed customer payment card data to hackers, the company says.
The breaches happened between March and October at three New York restaurants owned by Catch Hospitality Group. The company believes that customer data was exposed at Catch NYC and Catch Roof between March 19 and Oct. 17, and another breach occurred at Catch Steak between Sept. 17 and Oct. 17.
Catch Hospitality Group also owns restaurants in other parts of the U.S., as well as Mexico, but the malware does not appear to have affected data in those locations, the company says.
It's not clear how much customer data was taken or if any of that information has been posted for sales on underground or dark net sites yet. Catch says it notified law enforcement about the incident and is working with a forensic cybersecurity firm to purge all of its point-of-sale machines of the malware and to determine the extent of the breach.
"During the investigation, we removed the malware and implemented enhanced security measures, and we continue to work with cybersecurity experts to evaluate additional ways to enhance the security of payment card data," the company says.
Catch is the latest hospitality company to discover that customer payment card data had been compromised due to malware planted on point-of-sale devices. In August, for instance, fast-food chain Krystal announced it was investigating a "security incident" involving payment cards that affected as many as 228 of its restaurants across southeastern U.S. states (see: Fast-Food Chain Krystal Investigates Card 'Security Incident').
The hospitality industry continues to struggle with point-of-sale malware, also known as scrapers, which attempts to capture unencrypted card details while those are briefly held in a device's RAM.
In other cases, cybercriminals can capitalize on vulnerabilities in an organization's infrastructure, then try to move laterally to get access to payment processing systems.
In the case of Catch, the malware appears to have been planted on the devices, the company says.
The victimized restaurants used two types of point-of-sale machines for customers. One is brought to the table by the waitstaff and allows customers to pay the bill, according to the company statement. These devices use point-to-point encryption and were not infected by the malware, the company notes.
A different point-of-sale machine, however, is used at the bar area when customers order drinks or food from the kitchen. These devices were infected with the malware and exposed customer data, including the card number and expiration date, to the attackers, the company says.
"The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) [to read] from a payment card as it was being routed through these PoS devices," the company says. "There is no indication that other customer information was accessed."
In most cases, these types of malware attacks are effective because many organizations fail to check their point-of-sale machines for vulnerabilities, so it can take months before a breach is noticed, security experts says.
"Most POS attacks are only investigated after a customer identifies a problem with their transaction and can trace it back to the location where they last used their payment card, which means that there are many systems out there that do not get checked regularly for POS malware," says Will LaSala, director security solutions and a security evangelist at security firm OneSpan.
Security researchers have found that attackers are developing more sophisticated tools to avoid detection. For example, in March, threat intelligence firm Flashpoint and Cisco's Talos intelligence unit described two types of new point-of-sale malware samples, GlitchPOS and DMSniff, which are both described as RAM scrapers (see: Fresh POS Malware Strikes Small and Midsize Companies).
In another case, FireEye researchers found in October that the hacking group known as FIN7, which has targeted these types of devices for years, is using a new tool called Bootswrite - a "dropper" that only runs in memory and targets point-of-sale devices. Bootswrite's job is signed with a legitimate digital signature and is designed to decrypt embedded payloads (see: FIN7 Gang Returns With New Malicious Tools: Researchers).