A hacking group has gained access to the internal infrastructure of large cloud services provider PCM.
California-based PCM provides a mixture of solutions including cloud services and hardware, and made over $2bn in revenues in 2018. According to a report by specialist cybersecurity journalist Brian Krebs, the company discovered the breach in mid-May. Sources told him that the attackers stole administrative credentials for Office 365 accounts, and that they were mostly interested in using stolen data to conduct gift card fraud.
The modus operandi in this case was similar to other attacks on large IT providers we’ve seen, in which the hacking group sends phishing emails to companies including retailers, employee reward programs, customer loyalty and recognition businesses, and other organizations dealing in gift cards.
After compromising a system, the group would run a custom build of Mimikatz, a credential-dumping tool (widely classified as malware) that harvests usernames and passwords from memory.
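Mimikatz reads credentials out of the memory of the LSASS process, so the defensive signal is an unexpected process opening LSASS with read access. The following is an added example, not code from the original article: it scans constructed Sysmon Event ID 10 (ProcessAccess) records, flattened to key=value lines, and flags any source image not on a hypothetical allowlist that obtained PROCESS_VM_READ on lsass.exe.

```python
import re

# Constructed sample of Sysmon Event ID 10 (ProcessAccess) records, flattened
# to one "key=value" line each, the way many SIEM exports present them.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Program Files\\Backup\\agent.exe "
    "TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1FFFFF",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
]

PROCESS_VM_READ = 0x0010          # required to read another process's memory
LSASS_SUFFIX = "\\lsass.exe"

# Hypothetical allowlist of images expected to touch LSASS on this host
# (tune per environment; e.g. AV/EDR agents, csrss, svchost).
ALLOWED_SOURCES = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\csrss.exe",
}

# Splits "Key=value Key2=value two" into fields; values may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Return the key=value fields of one flattened event as a dict."""
    return dict(FIELD_RE.findall(line))


def suspicious_lsass_access(events):
    """Return [(source_image, granted_access)] for ProcessAccess events in which
    a non-allowlisted image obtained read access to lsass.exe."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue
        if not ev.get("TargetImage", "").lower().endswith(LSASS_SUFFIX):
            continue
        granted = int(ev.get("GrantedAccess", "0"), 16)
        if not granted & PROCESS_VM_READ:
            continue  # query-only handles do not expose credentials
        source = ev.get("SourceImage", "")
        if source.lower() in ALLOWED_SOURCES:
            continue
        hits.append((source, granted))
    return hits


if __name__ == "__main__":
    for source, granted in suspicious_lsass_access(SAMPLE_EVENTS):
        print(f"ALERT: {source} opened lsass.exe with GrantedAccess=0x{granted:X}")
```

In the sample, only the unsigned binary in a user's Temp directory is reported; svchost's 0x1000 handle (query-limited information only) is ignored, as is the unrelated EventID 1 record.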
Once the group had access to the infrastructure of companies that deal in gift cards, it would then use money transfer services, payment processing services, and clearing houses to monetize that information. The report added:
A possible theory for targeting could be that gift cards provide access to liquid assets outside of the traditional western financial system.
Krebs believes this group began its hacking campaign in 2016, focusing initially on retailers. The report added that it didn’t expand to target IT hosting companies like PCM until this year, suggesting:
Actors could be looking to target the third-party provider to compromise multiple organizations.
PCM confirmed to Naked Security that a “cyber incident” affected some customers, but that no consumers’ personal data was lost. PCM sent us the following statement concerning the breach:
PCM recently experienced a cyber incident impacting a limited number of its corporate customers. Based on thorough investigations conducted, no consumers’ personal information was accessed or acquired by an unauthorized party. As the company has previously stated, impact to its systems was limited, and the matter has been remediated. To the extent any corporate customer was potentially impacted by the incident, those customers were contacted and PCM worked with them to address any concerns they had.
Whether you’re a cloud provider, a hosting company, a small business or even just a home user with a laptop, breach prevention is always way better than cure – not least because after a breach, it’s really hard to be absolutely certain what happened.
The crooks know exactly what they stole, and can prove it if need be by leaking your data to the world. But you’re left trying to prove a negative by figuring out what they didn’t get.