Customers from over 300 restaurants had payment card details stolen in web-skimming campaigns targeting three online ordering platforms. Web-skimmers, or Magecart malware, are typically JavaScript code that collects credit card data when online shoppers enter it on the checkout page.
The hack was discovered by Recorded Future’s threat detection tool, which identified two Magecart campaigns injecting malicious code into the online ordering portals of MenuDrive, Harbortouch, and InTouchPOS. As a result, 50,000 payment cards were stolen and are being offered for sale on various Dark Web marketplaces.
On these platforms, the web skimmer was injected into the restaurant’s web pages and its assigned subdomain on the online payment service’s platform.
The malware deployed for MenuDrive used two scripts, one for snatching the payment card data and another for collecting the cardholder’s name, email address, and phone number. This was done by attaching to the ‘onmousedown’ event and “responding to clicks of multiple buttons during the account creation and checkout process.”
On Harbortouch, the injected skimmer used a single script to steal all Personally Identifiable Information (PII) and payment card data.
The campaign targeting InTouchPOS started on November 12, 2021, but most of the skimmer injections on web pages happened much later, in January 2022.
The skimmer and the artifacts that characterize it (variable naming, structure, obfuscation, and encryption schemes) link it to older and still ongoing campaigns, Recorded Future says in a report. In this case, the skimmer doesn’t steal the details from the site but instead overlays a fake payment form on valid targets that are ready for the checkout process using a credit card.
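As an added example (not code from Recorded Future's report or from the affected platforms), the following Node.js script shows one way a site owner could audit a checkout page's HTML for the traits described above: scripts served from hosts outside an approved list, unapproved inline scripts, and inline 'onmousedown' handlers. The hostnames, the baseline, and the sample page are constructed for illustration.

```javascript
// Added example: static audit of a checkout page against an approved script baseline.
// All hostnames, the baseline and SAMPLE_HTML are constructed for illustration.
const BASELINE = {
  scriptHosts: ["order.restaurant.example"],               // hosts allowed to serve scripts
  inlineScripts: ["window.orderConfig={currency:'USD'};"], // approved inline script bodies
};

const SAMPLE_HTML = `
<html><body>
<script src="/js/checkout.js"></script>
<script>window.orderConfig={currency:'USD'};</script>
<script src="https://static.unknown-cdn.example/lib.js"></script>
<script>document.getElementById('pay').onmousedown = function () {};</script>
<button id="pay">Pay</button>
<button id="signup" onmousedown="track()">Create account</button>
</body></html>`;

const normalize = (s) => s.replace(/\s+/g, "");

function auditCheckoutHtml(html, baseline, pageUrl) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    const body = m[2].trim();
    if (src) {
      let host = "(unparseable)";
      try { host = new URL(src[1], pageUrl).host; } catch (e) { /* keep marker */ }
      if (!baseline.scriptHosts.includes(host)) {
        findings.push({ type: "unapproved-script-host", detail: host });
      }
    } else if (body && !baseline.inlineScripts.some((ok) => normalize(ok) === normalize(body))) {
      // Unapproved inline code; note whether it touches mouse-down handling.
      const hooks = /mousedown/i.test(body);
      findings.push({ type: "unapproved-inline-script", detail: hooks ? "references mousedown" : "other" });
    }
  }
  // Inline onmousedown attributes on any element (buttons, links, inputs).
  const attrRe = /<([a-z][\w-]*)\b[^>]*\sonmousedown\s*=/gi;
  while ((m = attrRe.exec(html)) !== null) {
    findings.push({ type: "inline-onmousedown", detail: m[1].toLowerCase() });
  }
  return findings;
}

const REPORT = auditCheckoutHtml(SAMPLE_HTML, BASELINE, "https://order.restaurant.example/checkout");
console.log(JSON.stringify(REPORT, null, 2));
```

A static audit like this does not see handlers registered at runtime, so a modified copy of an approved script still needs file-integrity monitoring on the server side.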
Unfortunately, these attacks are still ongoing, and the number of restaurant customers affected is likely to increase. It’s not an easy fix for these companies, but it is certainly something they’re working on at this time.
If you’re a restaurant using one of these systems, it is recommended that you find an alternative immediately to reduce the chance of your business becoming a victim of this attack. Until the vendors patch and fix their systems, those systems remain vulnerable to malicious actors. Until that point, these are the actions your company can take to reduce the likelihood of becoming a victim of a hacking campaign.
When selecting a new vendor for your POS payment system, ensure they are conducting the following security measures:
The following recommendations will help you and your business stay secure against the various threats you may face on a day-to-day basis. All of the suggestions listed below can be obtained by hiring CyberHoot’s vCISO Program development services.
Each of these recommendations, except cyber-insurance, is built into CyberHoot’s product and virtual Chief Information Security Officer services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.