It was reported on April 1st – appropriate that it was April Fool’s Day – by a number of media outlets that Hudson’s Bay Company, the Canada-based parent company of iconic luxury retailer Saks Fifth Avenue, as well as Lord & Taylor and Saks Off 5th, had been hacked. Reportedly, over 5 million credit and debit card numbers of customers of the retailers had been stolen, and supposedly were for sale on the Dark Web.
An infamous Russian-speaking – and probably Russia-based – hacking group known alternately as FIN7, JokerStash, Anunak, or Carbanak had infiltrated Hudson’s Bay’s systems. The hackers’ means and point of attack have not yet been confirmed. Yet Gemini Advisory, the research firm that found 125,000 of the stolen credit and debit card numbers for sale on the Dark Web, believes that the attack started as a phishing email to a Hudson’s Bay employee, which deposited malware that likely enabled the attackers to move throughout the retailer’s infrastructure, finally allowing them to plant card-stealing malware on in-store point-of-sale (POS) systems and extract consumers’ card numbers. Given that most of the sampled stolen card numbers were captured during a nearly year-long period from May 2017 to March 2018, and came from shoppers in the New York Metro area, it appears that the hackers were on Hudson’s Bay’s network for some time, undetected.
The fact that this attack likely began with phishing is not surprising. FIN7, JokerStash, Anunak, Carbanak, or whatever name is given to the miscreants, have used phishing as the hook for their attacks in the past. Notorious for attacking the restaurant, hospitality and retail industries – and even going off script to attack the U.S. Securities and Exchange Commission (SEC) in early 2017 – the group’s typical tools, tactics and procedures (TTPs) – their modus operandi (MO) – are to use phishing and spear-phishing campaigns to deliver malware, which typically ends up on a restaurant’s, hotel’s, or retailer’s in-store POS, to steal customer information and credit and debit card numbers. They usually deploy fileless malware, which legacy anti-virus and anti-malware software, and even sandboxes, find difficult, if not impossible, to detect and stop. The hackers also constantly refine the malware once they have infiltrated the targeted network, making it hard for scans to detect their presence. Plus, they switch up their TTPs on nearly every attack they launch.
So, if legacy anti-x software cannot stop the attacks, and detection tools have difficulty locating the attack and malware after they have been deployed, then how can attacks by FIN7, JokerStash, Anunak, Carbanak, or whomever be stopped?
There is a need for a new approach to preventing cyberattacks such as this. That new approach is already here. It’s called isolation.
Referred to as web browser isolation, remote browsing, or simply isolation, the concept is pretty simple: Instead of detecting malicious emails, attachments, websites and downloads, instead of creating trusted whitelists and untrusted blacklists, instead of trying to outrun zero-day attacks, isolation’s rule is: don’t trust anything. Don’t trust a website, or an emailed web link, or a document attached to an email. Because, today, just about anything – any document, website, web application, anything – can be “weaponized” and used to launch an assault on a user, device, network, and data.
If the email the victim at Hudson’s Bay Company received carried a file attachment – a typical ploy of FIN7, JokerStash, Anunak, Carbanak, etc. – and the user downloaded the malware-laced attachment, then with isolation there would still be nothing to fear. The attachment, usually a document of some type, is transformed in the isolation environment into a safe HTML version, and the user is presented with that safe rendering. The original, malware-laden document never reaches the user’s web browser. In a two-stage attack, in which the initial malware is a dropper, it may attempt to download another infected document file or reach out to a command-and-control (C&C) server to fetch new or additional malware. In that case, the downloaded document file would once again be isolated and rendered as a safe HTML version, or the downloaded malware would pass through the isolation environment and again be halted before reaching the user’s browser and device. No malware is downloaded, no attack happens.
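To make the “safe HTML version” step concrete, here is an added example (not code from the original post or from any isolation vendor) that takes a constructed, OOXML-style document attachment, drops any active content such as a macro project, and emits only escaped paragraph text for the browser. The file layout and the `word/vbaProject.bin` name follow the Office Open XML convention; the sample attachment is built in memory and is not a real malicious file.

```python
import io
import zipfile
import html
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

WORD_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

def build_sample_docx(text: str, with_macro: bool) -> bytes:
    """Construct a tiny OOXML-style archive in memory (sample input for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            f"<w:body><w:p><w:r><w:t>{html.escape(text)}</w:t></w:r></w:p></w:body></w:document>",
        )
        if with_macro:
            # Constructed placeholder standing in for a VBA macro project.
            z.writestr("word/vbaProject.bin", b"\x00macro bytes (constructed)")
    return buf.getvalue()

def render_safe_html(attachment: bytes) -> dict:
    """Isolation-style rendering: return escaped text only and a list of what was stripped.

    Active content (macro projects, embedded objects) is recorded and never forwarded;
    any markup inside the document text is escaped so the browser cannot interpret it.
    """
    stripped = []
    paragraphs = []
    with zipfile.ZipFile(io.BytesIO(attachment)) as z:
        for name in z.namelist():
            if name.startswith("word/vbaProject") or name.startswith("word/embeddings/"):
                stripped.append(name)
        xml_bytes = z.read("word/document.xml")
    root = ET.fromstring(xml_bytes)
    for p in root.iter(WORD_NS + "p"):
        runs = [t.text or "" for t in p.iter(WORD_NS + "t")]
        paragraphs.append("<p>" + html.escape("".join(runs)) + "</p>")
    return {"html": "".join(paragraphs), "stripped": stripped}

if __name__ == "__main__":
    sample = build_sample_docx("Invoice <b>attached</b>", with_macro=True)
    print(render_safe_html(sample))
```

The user sees only `<p>Invoice &lt;b&gt;attached&lt;/b&gt;</p>`; the macro project is reported as stripped and the original archive is never handed to the browser.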
And, over 5 million consumer credit and debit card numbers wouldn’t be up for sale to the highest bidder on the Dark Web.