Tag Archives: auto dealers

3 Steps To Increase Cyber Security At Your Dealership

Posted on by
Reply

Car dealerships and automotive groups are juicy targets for cybercriminals with their wealth of identity and financial information. Cyber security in many dealerships is lax, and many don’t even have full time IT teams, with even fewer having cybersecurity risk management skills in house. While this is changing, for the better, as dealerships become more data-centric and more automated, many are moving to become more proactive against cybersecurity threats. 

In addition to organized criminals seeking to capture and sell personal information,  global threats stemming from phishing, malware, ransomware and social engineering also plague dealerships. Phishing and ransomware are among the leading causes of financial losses tied to cybersecurity in the dealership space. Even as the federal regulators refine their focus on dealerships as financial institutions, more and more attackers have shifted some of their attention in the automotive sales direction.

Additionally, a short walk through social media doesn’t require much effort to identify dealerships as a common target for consumer anger, frustration and threats. Some of the anger shown toward car dealerships has proven to turn into physical security concerns, while it is almost assured that some of the industry’s network breaches and data breaches can also be tied back to this form of “hacktivism”. In fact, spend some time on Twitter or chat rooms, and you can find conversations and a variety of information of hacking dealership wireless networks and WiFi cameras. These types of cybersecurity incidents are proving to be more and more popular. 

With all of this cybersecurity attention to dealerships, are there any quick wins to be had? We asked our MSI team and the folks we work with at the SecureDrive Alliance that very question. Here’s the best 3 tips they could put forth:

1) Perform a yearly cybersecurity risk assessment – this should be a comprehensive view of your network architecture, security posture, defenses, detection tools, incident response plans and disaster recovery/business continuity plan capabilities. It should include a complete inventory of all PII and threats that your dealership faces. Usually this is combined with penetration testing and vulnerability assessment of your information systems to measure network security and computer security, as well as address issues with applications and social engineering. 

2) Ensure that all customer wireless networks and physical security systems are logically and physically segmented from operations networks – all networks should be hardened in accordance with information security best practices and separated from the networks used for normal operations, especially finance and other PII related processes. Network traffic from the customer wireless networks should only be allowed to traverse the firewall to the Internet, and may even have its own Internet connection such as a cable modem or the like. Cameras and physical security systems should be hardened against attacks and all common credentials and default passwords should be changed. Software updates for all systems should be applied on a regular basis.

3) Train your staff to recognize phishing, eliminate password re-use among systems and applications and reportcybersecurity attacks to the proper team members – your staff is your single best means of detecting cyber threats. The more you train them to identify and resist dangerous behaviors, the stronger your cybersecurity maturity will be. Training staff members to recognize, handle, report and resist cyber risks is one of the strongest value propositions in information security today. The more your team members know about your dealership’s security protocols, service providers and threats, the more effective they can be at protecting the company and themselves. Buidling a training resource center, and setting up a single point of contact for reporting issues, along with sending out email blasts about the latest threats are all great ways to keep your team on top of the issues.

There you have it, three quick and easy wins to help your dealership do the due diligence of keeping things cyber secure. These three basic steps will go a long way to protecting the business, meeting the requirements of your regulatory authority and reduce the chances of substantial harm from cyber attacks. As always, remaining vigilant and attentive can turn the tide. 

If you need any assistance with cybersecurity, risk management, penetration testing or training, MicroSolved and the SecureDrive Alliance are here to help. No matter if you’re a small business or a large auto group, our risk management and information security processes based on the cybersecurity framework from the National Institute of Standards and Technology (NIST) will get you on the road to effective data security. Simply contact MSI via this web form, or the SecureDrive Alliance via our site, and we will be happy to have a no cost, no hassle discussion to see how we can assist you.  

Car Dealership Threat Scenario – Wireless Printer Hacking AP Fraud

Posted on by
Reply

Today, I wanted to talk about a threat scenario that we have modeled recently. In the scenario, the victim was a car dealership, and the target was to commit accounts payable fraud. The testing scenario is a penetration test against a large group of car dealerships, but our research shows the threat to be valid against any number of organizations. 

Here’s the basics of the scenario:

  • The team found a car dealership with an extensive wireless network. Though the network was encrypted and not available to the public, the team was able to compromise the wireless credentials using a wifi pineapple in a backpack, while pretending to shop for a new car.
  • The team used the credentials to return later, appearing to wait for a service visit and working from the customer lounge. (The coffee and snacks were great! )
  • The team logged into the wireless network and quickly identified many devices, workstations and such available. Rather than focus on the workstations or attempt an attack on the users – the team instead focused on the shared printers.
  • One printer was identified with the name “BackOffice”, and access to the print spool was easily obtained through known default passwords which hadn’t been changed on the device.
  • Our team made notes of attack their recon attack path, and left the dealership.
  • Once away from the dealership a couple of simple social engineering calls were made to the accounts payable folks, pretending to be a vendor that we had observed at work at the facility. Without any real information, the accounts payable team member explained when we could expect payment, because accounts payable checks were processed every Thursday morning. The social engineer thanked them and completed the call.
  • On Thursday morning, the team showed up at the dealership again, pretending to wait for a service appointment. While in the lounge, they accessed the compromised network and printer. This time, taking deeper control of the printer’s file buffer.
  • The team waited for the accounts payable staff to submit their weekly check printing to the printer. Indeed, around 10:45, the printer file showed up in the printer spool, where our penetration testing team intercepted it. 
  • The team quickly edited the file, changing one of the checks in amount (increasing the amount by several thousand dollars) and the payee (making the check payable to a fictional company of our choosing). They also edited the mailing address to come to our office instead of the original vendor. (PS – we alerted the manager to this issue, so that the bill could be paid later — never harm a client while doing testing!!!)
  • The file was then re-sent to the printer and released. The whole process occurred in under 3 minutes, so the AP person never even noticed the issue.
  • One expected control was that perhaps the AP staff would manually reconcile the checks against their expected checks, but this control was not in place and the fake check was mailed to us (we returned it, of course!).

This is a pretty simple attack, against a very commonly exploitable platform. Poor wireless network security and default installs of printer systems are common issues, and often not given much thought in most dealerships. Even when organizations have firewalls and ongoing vulnerability scanning, desktop controls, Anti-Virus, etc. – this type of attack is likely to work. Most organizations ignore their printers – and this is an example of how that can bite you.

These types of threat scenarios are great examples of our services and the threat modeling, fraud testing and penetration testing available. If you’d like to learn more about these kinds of activities, or discuss how to have them performed for your organization – get in touch. You can contact us via web form or give us a call at (614) 351-1237. You can also learn more about our role and services specific to car dealerships here.

Thanks for reading and let me know if you have any questions – @lbhuston on Twitter.

Business Email Compromise Attacks on Dealerships

Posted on by
Reply

Business email compromise attacks are a significant threat to car dealerships.

Among the car dealerships we work with, two large threats represent the most significant risks at the moment. The first is ransomware, which we have covered extensively on this blog. The second, business email compromise, we’ve also talked a lot about, but mostly in terms of traditional financial services firms. However, business email compromise is one of the most common cybersecurity attacks today and, according to the FBI’s Internet Crime Complaint Center, costs American firms $1.7 billion in 2019, while worldwide losses might well have reached over $5 billion!

How big is the risk of a business email compromise in a dealership?

Business email compromise attacks occur every single day across a variety of industries. Business email compromises typically occur via two specific attack vectors: phishing and stolen credential reuse. Most of our dealerships have significant controls around phishing, with those detection systems reporting tens to hundreds of attempts per day. While the phishing tools are good enough to stop the vast majority of common phishing attacks, there are some that make it through the network and computer-based defenses. When this happens, it is up to the humans in the dealership to be aware enough of the issue, be paying enough attention and have good enough training to prevent the phishing message from becoming a compromise.

In the second attack vector for business email compromise, attackers reuse stolen or leaked credentials (logins and passwords) that have become available on the Internet. There are several common forums and pastebin-type sites where these credentials are dumped, traded or sold (if you want to learn about a common tool to help monitor for these issues, check out ClawBack) and attackers monitor these sites with various tools. Once they see a leaked set of credentials, they try and use it on the web mail logins of their targets. If the user has the same login and password across many sites (many do), then the attacker may compromise the web mail account and be logged into the corporate email system as the user.

What happens in a typical business email compromise in a dealership?

Once the attacker has access to the email system, they will often spend a little time reading the emails and browsing through any files that the email server maintains. If the system includes chat capabilities, they often read those as well. They do this to learn about the user, their position and what the attacker may be able to use the compromised account to do. If any valuable information is in the email archive or on exposed files, they often steal that data right away for resale.

It’s not uncommon for attackers to set a forwarding address for compromised mail accounts, redirecting copies of emails to themselves so that they can monitor the email activity of the user without logging back into the server – thus reducing their chances of being discovered. If the compromised account doesn’t seem useful to the attacker, they will often use it to send phishing emails to other people in the address book, including other internal users, business partners, customers and the like. These phishing attacks are often highly successful, given that they come from a trusted contact and the attacker can tailor the language and tone of the email to match usual conversations.

Once the attacker gets access to an account that they feel is capable of either gaining them network access (think executives who can make requests of subordinates) or allow them to move money (think about accounts payable, wire, ACH and other banking fraud), they will use the email account to send messages, forms (if available) or other requests to get what they want. Again, these attacks are often highly successful, because the attacker comes from a known account, can tailor the language and tone of the messages, and can use social engineering techniques to apply pressure to the victims in order to get them to do things they might not ordinarily do.

What can dealerships do to prevent business email compromises?

Dealerships can combat business email comprise attacks by ensuring that their phishing and authentication defenses are up to par. They can train their team members to be on guard for messages that apply pressure, declare urgency or ask for unusual activities. The dealership can implement training and protocols for voice validation checks for unusual requests and perform ongoing testing of these types of scenarios to educate and keep their staff on guard.

Dealerships can also be vigilant about their email systems, configuring them to apply controls, ensure that logging and other security measures are in place. They can implement multi-factor authentication. They can have ongoing assessments and penetration testing – including business email comprise-based scenarios.

Reducing the risk is doable, but it does require work, investment and continued vigilance. Attackers only have to be right once, while the security controls and your team have to be right every single time to prevent losses. With incidents ranging from tens of thousands of dollars to hundreds of thousands of dollars in losses – paying attention to business email compromises is critical for dealerships of all sizes.

To learn more about tools, techniques and testing to help your organization prevent, detect and respond to business email compromise attacks, get in touch with our team at SecureDrive Alliance for more information and a free risk discussion today.

Announcing the Launch of the SecureDrive Alliance

Posted on by
Reply

LMS Consulting and MicroSolved are proud to announce the launch of the SecureDrive Alliance. This team effort is specifically focused on the needs, regulatory requirements and threats facing automotive dealerships today.

SecureDrive Alliance

The alliance will be providing the following focused services to dealerships across the US:

  • Risk assessments
  • Vulnerability assessment and penetration testing
  • Application security
  • Phishing simulations
  • Risk management training

To learn more about the SecureDrive Alliance, the leaders of both companies have put together a quick MP3 discussing the reasons behind the launch and the capabilities that the alliance brings to bear. You can listen to the 9 minute MP3 here.

To put the team to work on securing your dealership, give a call to Justin LeBrun, or drop him an email.