Cyber Week in Review: Whole Foods, Flathead Valley School, WordPress

Media Division | October 13, 2017

Another week, another series of cyber crime activities in the cyberverse.  Some weeks we look at the international impact of cyber security. Other weeks we consider points closer to home. This week the cyber events on which we will be reporting hit some of the topics closest to home: schools, groceries…and blogs…is nothing sacred!?

Indeed, from the way that we live our day-to-day lives and store or access the tools that connect us all, to the broadcasting of thoughts and data across that cyberverse, we’ve never been so connected as a human race–nor so vulnerable.

Here are three of this week’s top cyber stories, including some lessons learned for next week (and beyond).

Hold on to Your Paycheck

Upscale supermarket chain Whole Foods (AKA “Whole Paycheck,” for their higher-than-other-chains-particularly-Trader-Joe’s pricing) has seen lots of recent payment activity. The Austin, Texas-based supermarket has 449 stores in the US (the 9th-largest by volume), but was recently purchased for $13.7 billion by the online retail giant Amazon Fresh. Just a couple of years ago we speculated that Amazon planned to venture into the $800 billion supermarket industry, to compete from that angle with such retailers as Walmart and Costco. Well, now it has.

It’s almost as if some hackers wanted to give Amazon and Whole Foods a present for their nuptials because the ink had barely dried on the deal when word broke of the breach. Whole Foods made the announcement via their site. The breach only appears to have affected the point of sale (POS) systems in their store restaurants and taprooms. Not all of their stores have tap rooms or restaurants, but many of them do. Whole Foods reassured grocery-only shoppers by stating, “These venues use a different point of sale system than the company’s primary store checkout systems, and payment cards used at the primary store checkout systems were not affected.”

The announcement goes on to say that Whole Foods hired a “leading cyber security forensics firm” (no word on which one yet, or we’d gladly report it). They also assured customers that the Whole Foods POS system does not in any way connect to the Amazon system, so no Amazon transactions were affected by the cyber security breach. The site also has a drop-down menu option for you to search your state and city to see which venues may have been breached.

A little over a year ago we learned that Whole Foods was replacing all of their legacy systems. The prior system had apparently been “homegrown,” and the newer one was to be a combination of systems for a smoother and more integrated solution. Everything from payroll to checkout was getting streamlined (and largely cloud-based).

So if they moved to a streamlined solution, why the announcement including a “different point of sale system”? While Whole Foods and the vendor could not be immediately reached for comment, it may also have been a breach of Square, the iPad-based POS system Whole Foods once stated would become part of their overall POS solution.

A cloud-level breach, or a breach of a $2 million provider like Square, would be further bad news for retailers. Some good news would be if the limitations of the data breach (not spreading to other POS systems under the same roof) actually represented a compartmentalization of their systems–something retail cyber security advisors have advocated for years!

For now, Whole Foods is saying updates will come, and to check your card statements for fraudulent purchases, the same lackluster-but-necessary advice offered after every cyber crime.

The Kids in the Hall Hack

Every business is in the cyber security business, whether intentionally or not. Just as businesses of any size manage payroll, renew elevator permits, or accept inspection from the fire marshal, using computers, for anything, means that cyber security is part of your business. To the degree that that is understood and addressed, you have better protective measures in place.

Schools aren’t always seen as a business, much less as a cyber-based business, and yet in so many ways they are:

  • Digital connections – As many as several thousand devices connected to or around schools, when factoring in student personal devices.
  • Employee information – Like other businesses, schools retain massive quantities of employee data that can fetch a price on the cyber black market.
  • Financial information – Just as other businesses offer direct deposit or pay vendors through electronic means, schools risk exposure or theft of financial information through digital means. (Just look at this horrific example unfolding from Atlanta Public Schools, where paychecks were stolen and direct deposits changed).
  • Student information – Schools are in the same category as doctors’ offices when it comes to personal data, because they keep on file such information as names, addresses, social security numbers, school-related medical information or doctor’s data, parent information and even report cards or disciplinary data.

Yet school systems don’t necessarily think about preventing cyber crime until they’re the victims. The latest victim is in Montana, where the Flathead Valley Schools (more than 30 public schools) closed their doors for two days (plus weekend activities) in response to threats stemming from a hack, which may have had international origins. According to their local news, the FBI has gotten involved in the attack. The culprits appear to be TheDarkOverlord, a self-proclaimed security “solutions” company. Many of the clues about the case come from their ransom letter itself, such as the inconsistencies in grammar, spelling (“honour” for honor), and reference to “your little corner of the world” that seem to indicate a foreigner.

Not only does the letter itself have a threatening quality, but country residents also received threatening and upsetting texts. Local schools released press releases asking that “No individual engages them and responds in any way.”

So what could a hacker (or hacking group) possibly want with a Montana school district? Beyond all of the reasons for data breaches described above, this particular request included a threat to enter into some sort of “arrangement” for cyber security. “If you don’t do what we propose,” they threatened, “we can and will cause you a lot of financial and reputational damage. We are prepared to contact every single one of your students and their parents and share with them this entire experience and ordeal in order to help them understand and become aware of your shortcomings and that you are responsible for their suffering unless you comply with us.”

The threats of the ransom note also included multiple references to the Sandy Hook school shooting, as well as a menacing statement about contacting the FBI.

  • “[The FBI] will advise you not to respond to us or to satisfy our demands and we promise you this would be a most grave mistake. We always encourage our new clients to comply with us or we will end up costing your operations great financial losses and your personal lives will be left forever affected by our levied punishment.”

Local news reports state that the FBI and sheriff’s office did get in contact with the party sending the threats. We will have to wait and see exactly how this one unfolds. In the meantime, there’s some schooling going on about cyber security. For one, the ransom letter suggests that other schools may have received similar threats and entered into some sort of “agreement” with the cyber threat actors. Also, just earlier this year the National School Boards Association (NSBA) issued guidelines, “Data Security for Schools.”

The difficulty for schools stems in part from a lack of awareness, but also from a lack of cyber security resources and unified policy. The NSBA wanted to shed a little light on these sorts of concerns, so that schools can adopt more codified measures of security, including more compartmentalized systems. (If the hackers of Flathead Valley Schools are to be believed, they had such blanket access to systems they could even access the webcams of student laptops.)

For now, school is back in session and the FBI is continuing the investigation. Other schools and businesses may take a page from this book and be proactive about preventing cyber crime.

Holy WordPress, Batman!

In other news this week, a mega attempt on a mammoth organization–WordPress. You’ve probably heard of WordPress, you likely use it, and yet you might not know that you are one of 409 million viewers–because WordPress now “powers more than 25% of the world’s websites.” (Get that statistic and other astounding figures about WordPress in this article at Forbes entitled “How WordPress Ate The Internet in 2016…And The World in 2017”…it’ll blow your mind!)

It’s almost as though you can’t have a large target without somebody trying to hit it. The news first broke at Sucuri: someone had made fake plug-ins for WordPress. Like most fakes, they made the name similar to a legitimate plug-in. That’s the technique used in all kinds of phishing scams, spoofed websites and other hacker tactics. You get an email from “Yahoo” without the exclamation mark or “” with one “p,” and suddenly you’ve fallen for the bait.

This time the bait was designed to look like a security plug-in for WordPress sites. The real plug-in is called WP-SpamShield Anti-Spam. The fake went by the innocuous-sounding X-WP-SPAM-SHIELD-PRO. It masqueraded as a security scrubber, with subfiles that also sounded legit. Once installed, it disables all your plug-ins (making its life easier), steals your admin usernames, adds an additional administrator (itself), and pings home (to inform its creator of installation status). It also contains a backdoor “update” function, allowing its creator to upload anything to your site, among other features.

While malware can be purchased on the dark web, this one had some pretty sophisticated coding. Fortunately, after the Sucuri article, the WordPress community quickly spread the word and the malicious, phony plug-in was deleted. This wasn’t the first time someone tried to infiltrate WordPress, nor shall it likely be the last (again, just given the sheer size of the target). A word of advice: investigate plug-ins in a secure space before you install them.
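
One way a site owner could check for this kind of look-alike naming, as an added example that is not from Sucuri or WordPress: the Python sketch below compares installed plug-in directory names against a list of plug-ins the owner trusts. The directory name wp-spamshield for the real plug-in, the affix list, the threshold and the sample listing are all assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Decorative affixes an impostor may bolt onto a trusted name (assumed list).
DECOR = {"x", "pro", "plus", "premium", "free", "official", "new"}

def core(slug):
    """Lowercase, split on non-alphanumerics, drop decorative affixes, rejoin."""
    parts = [p for p in re.split(r"[^a-z0-9]+", slug.lower()) if p]
    return "".join(p for p in parts if p not in DECOR)

def similarity(a, b):
    """1.0 when one core name contains the other, else a fuzzy ratio."""
    if min(len(a), len(b)) >= 6 and (a in b or b in a):
        return 1.0
    return round(SequenceMatcher(None, a, b).ratio(), 2)

def find_lookalikes(installed, trusted, threshold=0.8):
    """Return (installed_slug, trusted_slug, score) for installed plug-in
    directories that resemble a trusted plug-in without being that plug-in."""
    trusted_lower = {t.lower() for t in trusted}
    hits = []
    for slug in installed:
        if slug.lower() in trusted_lower:
            continue  # exact match: this is the trusted plug-in itself
        for t in trusted:
            score = similarity(core(slug), core(t))
            if score >= threshold:
                hits.append((slug, t, score))
    return hits

# Constructed sample: names of directories under wp-content/plugins.
INSTALLED = ["akismet", "wp-spamshield", "X-WP-SPAM-SHIELD-PRO",
             "contact-form-7", "hello-dolly"]
# Plug-ins the site owner knowingly installed (assumed allowlist).
TRUSTED = ["akismet", "wp-spamshield", "contact-form-7"]

if __name__ == "__main__":
    for slug, twin, score in find_lookalikes(INSTALLED, TRUSTED):
        print(f"review {slug!r}: resembles trusted {twin!r} (score {score})")
```

A hit is only a prompt to review the plug-in's origin and files; a name that differs from every trusted plug-in, like hello-dolly in the sample, is not flagged by this check.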

Tune in Next Time

Well, off we go to update our own blog and continue to research, analyze, and rescue organizations, one company at a time. Until then, tune in next week, same bat-channel, same bat-time, and enjoy the headlines…but stay out of them.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.