Cyber attacks are becoming more and more common. Besides
the obvious damage an attack of this kind can inflict on your
business, cyber crimes can erode your customers’ confidence in
you and keep them from coming back to your site.
This Oil Express Special Report spotlights recent cyber attacks
in the retail space and points out the lessons you can learn so it
doesn’t happen to your business!
OIL EXPRESS SPECIAL REPORT
Weak Links:
Cyber Attacks in the News &
How to Protect Your Assets
Criminal Mind: Case Study
of a Gas Station Data Threat
A recent case study from security consultant Verizon Enterprise
puts you inside a payment card harvesting scam.
The culprit is an employee of the vendor providing general
IT and point-of-sale support to a gas station chain. The
vendor connects via remote desktop over VPN to the
payment-processing server.
The unscrupulous employee seeks out late-night assignments
over weekends – when no one is around – and uses remote access
to customer systems to harvest payment card data.
He verifies no other active log-ins were in progress, sets the
system clock forward or backward in time and modifies a
configuration file to enable a debug setting in the payment
application. A shared log-in is used.
This allows him to create an output file capturing clear text
copies of authorization requests from each fuel pump.
He obtains the magnetic stripe sequences for conducting
payment card fraud, then he resets the clock to the correct
date and time.
He covers his tracks by conducting all malicious
activity only on his manager’s desktop system.
What Can You Learn From This Crime Story?
–– Never assume a POS vendor has strict security practices.
–– The help desk should never share log-ins. “The shared log-ins limited
accountability and gave the threat actor the confidence that he could
get away with it,” said Verizon.
–– Use two-factor authentication for remote access into the POS servers. “A
keylogger on any of the help desk systems is all that it would take for this
to morph from a partner misuse breach to a widespread external breach,”
Verizon said.
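The case study's warning signs (a shared log-in, an off-hours remote session, a changed system clock and a debug setting switched on) can be checked together in remote-session logs. The sketch below is an added example, not code from the report or from Verizon; the event layout, account names, file names and thresholds are assumptions, and it relies on a log collector that stamps its own receipt time, because the server's clock is exactly what was tampered with.

```python
from datetime import datetime, timedelta

SHARED_ACCOUNTS = {"helpdesk"}     # assumption: names of shared vendor log-ins
MAX_SKEW = timedelta(minutes=5)    # tolerated difference between host and collector clocks
BUSINESS_HOURS = range(6, 22)      # assumption: 06:00-21:59 on weekdays is normal

# Constructed sample events (hypothetical hosts, accounts and file names).
# Fields: collector receipt time, POS server's own timestamp, host, account, event, detail
EVENTS = [
    ("2017-03-04T23:41:00", "2017-03-04T23:41:02", "pos01", "helpdesk", "session_start", ""),
    ("2017-03-04T23:44:10", "2017-02-01T10:00:05", "pos01", "helpdesk", "config_write",
     "payapp.conf debug=on"),
    ("2017-03-04T23:45:30", "2017-02-01T10:01:25", "pos01", "helpdesk", "file_create",
     "auth_requests.out"),
    ("2017-03-05T00:20:00", "2017-03-05T00:20:01", "pos01", "helpdesk", "config_write",
     "payapp.conf debug=off"),
    ("2017-03-05T00:21:00", "2017-03-05T00:21:02", "pos01", "helpdesk", "session_end", ""),
    ("2017-03-06T10:05:00", "2017-03-06T10:05:01", "pos02", "jsmith", "session_start", ""),
    ("2017-03-06T10:09:00", "2017-03-06T10:09:01", "pos02", "jsmith", "config_write",
     "payapp.conf timeout=30"),
    ("2017-03-06T10:15:00", "2017-03-06T10:15:02", "pos02", "jsmith", "session_end", ""),
]


def is_off_hours(dt):
    """Weekends and anything outside BUSINESS_HOURS count as off-hours."""
    return dt.weekday() >= 5 or dt.hour not in BUSINESS_HOURS


def review_sessions(events, shared_accounts=SHARED_ACCOUNTS):
    """Return one report per remote session, ordered by collector time."""
    open_sessions, reports = {}, []
    # ISO timestamps sort chronologically, so sorting orders events by collector time
    for recv, host_ts, host, account, kind, detail in sorted(events):
        recv_dt = datetime.fromisoformat(recv)
        host_dt = datetime.fromisoformat(host_ts)
        key = (host, account)
        if kind == "session_start":
            findings = []
            if account in shared_accounts:
                findings.append("shared log-in")
            if is_off_hours(recv_dt):
                findings.append("off-hours session")
            open_sessions[key] = {"host": host, "account": account,
                                  "start": recv, "findings": findings}
            continue
        session = open_sessions.get(key)
        if session is None:
            continue  # activity outside a tracked session is out of scope here
        # The host clock disagreeing with the collector means it was moved
        if abs(host_dt - recv_dt) > MAX_SKEW and "clock changed" not in session["findings"]:
            session["findings"].append("clock changed")
        if kind == "config_write" and "debug=on" in detail:
            session["findings"].append("debug enabled")
        if kind == "session_end":
            reports.append(open_sessions.pop(key))
    reports.extend(open_sessions.values())  # sessions that never logged an end
    return reports


def suspicious(reports, threshold=3):
    """Sessions showing at least `threshold` of the case study's warning signs."""
    return [r for r in reports if len(r["findings"]) >= threshold]


if __name__ == "__main__":
    for report in suspicious(review_sessions(EVENTS)):
        print(report["host"], report["account"], report["start"], report["findings"])
```

Any single sign can be routine maintenance; it is the combination inside one session that matches the pattern in the case study.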
Oil Express Special Report | 9737 Washingtonian Blvd, Ste 200, Gaithersburg, MD 20878-7364 | 888.301.2645 | www.opisnet.com 2
Verifone Acknowledges
Attempted Hack at
Gas Stations in the U.S.
Even a leading equipment vendor that provides data security solutions can be
vulnerable to attacks from hackers.
Verifone sells file authentication software called “VeriShield Retain” that’s designed
to provide protection against unauthorized access to payment devices. It also offers
“VeriShield Total Protect” end-to-end data encryption designed to protect data from
the point of capture, its website says.
But the large point-of-sale systems vendor said hackers attempted a “cyber
incident” in January 2017 at approximately two-dozen U.S. gas stations. No other
merchants were targeted, Verifone said in a statement without disclosing the
location of the affected gas stations.
The newsletter “Krebs on Security” reported that the breach affected companies
running its point-of-sale solutions, though Verifone was quoted saying the breach was
limited to its corporate network.
Last year, another large vendor that supplies
gas stations as well as many other retailers
with point-of-sale systems also experienced a
breach, according to an alert from Visa.
On Aug. 8, Oracle Security informed customers
of POS provider Oracle MICROS systems to
change their account passwords immediately
because it had detected malicious code in
certain legacy MICROS systems, Visa said.
Steps You Can Take
if You Discover an
Attempted Hack
1. Proactively notify Visa, MasterCard and other card networks
even if, as was the case for Verifone, the incident appears to
be a “very limited cyber intrusion” into a corporate network.
2. Implement additional security controls across corporate
networks and determine the type of information that may
have been targeted.
3. Even if you, like Verifone, believe there were “no adverse
events or misuse of any data resulting from this incident,”
continue to monitor for data misuse.
4. Give your company staff and contractors 24 hours to change
all company passwords and provide a list of criteria to make
passwords more secure.
5. Passwords should be at least 12 characters, must be original
(not used by the same employee before) and must contain
uppercase and lowercase letters of the alphabet and
non-alphanumeric characters such as @, # or *.
6. Limit end users’ ability to load additional software
on laptops and desktops as a security measure.
MAPCO Case Offers How-To
on Notifying Breach Victims
Early this year, large Southeastern retailer MAPCO Express Inc. settled lawsuits with
consumers and financial institutions for almost $2 million following its 2013 data breach,
according to legal documents.
About 185,000 accounts were compromised in the breach, records showed.
The notification of potential victims that MAPCO undertook exposes the monumental task of
exercising due diligence when disclosing the risk of fraud.
There are notice laws covering data breaches, on top of reaching out to customers in good faith and
following court orders. MAPCO’s more than 6.5 million digital notice impressions delivered by their
campaign well exceeded the 2.5 million impressions specified in their court-approved notice plan,
according to case documents.
Listen to Concerns
Respond to written mail
from potential victims. Your
customers need to hear
from you to address all their
potential issues.
Send Emails to
Permissioned Lists
All MAPCO “My Rewards”
customers who shopped
at a MAPCO location between
March 1, 2013, and April 30,
2013 received a direct email.
Go Digital
MAPCO included a social
media pitch to 5+ million
Facebook users with interests
similar to their customers’
as well as banner notices on
local news websites.
Consider Ads
MAPCO had 4,096 paid search
notice advertisements on
Google, where search engines
linked to search terms relevant
to the settlement.
Create a
Settlement Website
Post claim forms, important
dates and deadlines, legal
documents, notices and
frequently asked questions –
link digital advertising to site.
Hit the Phones
Set up an automated,
toll-free hotline available
around-the-clock every day
to answer questions on the
breach and settlement.
Beware of Scams Like One
That Targeted Kroger
Kroger was reported to have been the recent target
of a phishing scam.
The bogus email, supposedly from the company’s
help desk, was an attempt to get employees of
the large fuel retailer and grocer to click on a link
leading to a website that would allow crooks to
obtain tax information.
The Kroger email thanked the addressee for
“choosing to receive your Kroger employee U.S. tax
statements electronically.” It provided a link to a
website and said that due to a change in privacy policy, employees must enter the site
to get tax information with their user ID and password. The “tax statements” could be
viewed or saved to the employee’s computer or printed from the website, the email said.
The message said the tax statements would be available for viewing and downloading
through Oct. 15, 2017. After that time, the employee would have to pay a “replacement
fee” to access the information.
Kroger did not respond to a request for comment on the phishing attempt.
Further investigation showed the email did not come from Kroger.
The W-2 scam uses a corporate officer’s name to request employee W-2 forms from
company payroll or human resources departments. The scam is just one of several
new variations of targeted phishing scams that have appeared in the past year
that focus on the large-scale thefts of sensitive tax information from tax preparers,
businesses and payroll companies, the IRS says.
FBI Warns Against Cyber Ransom
The FBI recently posted an alert
concerning the growing cyber-threat from
ransomware, a type of malware installed
on a computer or server that encrypts the
files, making them inaccessible until a
specified ransom is paid.
Ransomware typically is installed
when a user clicks on a malicious link,
opens a file in an email that installs the
malware, or through drive-by downloads
from a compromised website. Drive-by
downloads do not require user initiation.
Recent variants have targeted and
compromised vulnerable business servers
to identify and target hosts, multiplying
the number of potential infected servers
and devices on a network. The crooks
are also charging ransoms based on the
number of hosts or servers infected.
Recent victims infected with this type
of ransomware variant have not been
provided the decryption keys for all their
files after paying the ransom and some
have been extorted for even more money
after payment.
The result: Victims could have to pay
more to get their decryption keys,
face a prolonged recovery time and
still not obtain full decryption
of their files, the agency said.
The FBI does not support paying a ransom
and recommends reporting infections to
a local FBI office or to the Internet Crime
Complaint Center at www.IC3.gov.
Victims should provide: Date of
infection, ransomware variant (identified
on the ransom page or by the encrypted
file extension), company information
(industry, business size, etc.), how the
infection happened (such as a link in email
or internet browsing), requested ransom
amount, actor’s bitcoin wallet address
(may be listed on ransom page), ransom
amount paid, overall losses tied to the
infection and victim impact statement.
In a Tech Support scam, the subject claims to be a corporate employee or an affiliate
of a major computer software or security company offering technical support. From
Jan. 1 to April 30, 2016, the Internet Crime Complaint Center received 3,668 such
complaints with adjusted losses of $2,268,982.
Latest Scam: Thieves Get Social
As more and more entrepreneurs promote their businesses on social media, fraudsters
are following them. The Federal Trade Commission (FTC) said it has received complaints
from small business owners that fraudsters have reached out to them through
Facebook messages.
The scammers are telling businesses they are eligible for or have won a business grant
from the government. The same fraudulent pitch also has recently gone out via email and
online ads and could be attractive to business owners interested in federal assistance. For
example, it may appeal to oil marketers seeking to diversify into alternative fuels.
The FTC also reports that social media scams designed to steal information and hack
your accounts appear to be from a “friend.” The scammers can spoof social media
messages to make them appear to be from a business contact. The fraudster could be
trying to get your cellphone number, for example.
Be sure to warn employees of this form of fraud, especially those responsible for
handling your Facebook page, website and other social media accounts.
The “Business Email Compromise,”
or BEC scam, cost some 14,032 U.S.
companies nearly $1 billion from
October 2013 to May 2016. The
scam involves fraudsters assuming
the identity of the CEO, a company
attorney or a trusted vendor and
making an urgent request for money.
The FTC says to watch for these red flags:
–– The government will not contact you through social media,
email or text message to offer funds.
–– Real government grants do not require you pay first,
so avoid offers that require payment to get the assistance.
–– The government will not request your passwords before
providing a grant. If you get such a request, it is just a thief
trying to hack into your accounts to steal your money or to
impersonate you to defraud others.
Keep up with the latest news on cyber attacks, data breaches, and everything
else impacting the petroleum marketing industry — sign up for a free 2 week
trial to Oil Express. Visit try.opisnet.com/oe17008 to get started.
OPIS Fact Sheet: NGL Forwards Report
 
OPIS RetailSuite Brochure
OPIS RetailSuite BrochureOPIS RetailSuite Brochure
OPIS RetailSuite Brochure
 
OPIS Fact Sheet: MarketSharePro
OPIS Fact Sheet: MarketShareProOPIS Fact Sheet: MarketSharePro
OPIS Fact Sheet: MarketSharePro
 
Fact Sheet: OPIS Newsletter
Fact Sheet: OPIS NewsletterFact Sheet: OPIS Newsletter
Fact Sheet: OPIS Newsletter
 
OPIS Fact Sheet: International Feedstocks Intelligence Report
OPIS Fact Sheet: International Feedstocks Intelligence ReportOPIS Fact Sheet: International Feedstocks Intelligence Report
OPIS Fact Sheet: International Feedstocks Intelligence Report
 
OPIS Fact Sheet: Temperature Correction Assessment Report
OPIS Fact Sheet: Temperature Correction Assessment ReportOPIS Fact Sheet: Temperature Correction Assessment Report
OPIS Fact Sheet: Temperature Correction Assessment Report
 
OPIS Hoja de Hechos: Mexico Racks en espanol.
OPIS Hoja de Hechos: Mexico Racks en espanol. OPIS Hoja de Hechos: Mexico Racks en espanol.
OPIS Hoja de Hechos: Mexico Racks en espanol.
 
OPIS Fact Sheet: Bottom Line Report
OPIS Fact Sheet: Bottom Line ReportOPIS Fact Sheet: Bottom Line Report
OPIS Fact Sheet: Bottom Line Report
 
OPIS Fact Sheet: Mexico Racks
OPIS Fact Sheet: Mexico RacksOPIS Fact Sheet: Mexico Racks
OPIS Fact Sheet: Mexico Racks
 
OPIS Fact Sheet: Carbon Market Report
OPIS Fact Sheet: Carbon Market ReportOPIS Fact Sheet: Carbon Market Report
OPIS Fact Sheet: Carbon Market Report
 

Recently uploaded

Buy Verified PayPal Account | Buy Google 5 Star Reviews
Buy Verified PayPal Account | Buy Google 5 Star ReviewsBuy Verified PayPal Account | Buy Google 5 Star Reviews
Buy Verified PayPal Account | Buy Google 5 Star Reviews
usawebmarket
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
SynapseIndia
 
Improving profitability for small business
Improving profitability for small businessImproving profitability for small business
Improving profitability for small business
Ben Wann
 
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-indiafalcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
Falcon Invoice Discounting
 
Digital Transformation and IT Strategy Toolkit and Templates
Digital Transformation and IT Strategy Toolkit and TemplatesDigital Transformation and IT Strategy Toolkit and Templates
Digital Transformation and IT Strategy Toolkit and Templates
Aurelien Domont, MBA
 
VAT Registration Outlined In UAE: Benefits and Requirements
VAT Registration Outlined In UAE: Benefits and RequirementsVAT Registration Outlined In UAE: Benefits and Requirements
VAT Registration Outlined In UAE: Benefits and Requirements
uae taxgpt
 
3.0 Project 2_ Developing My Brand Identity Kit.pptx
3.0 Project 2_ Developing My Brand Identity Kit.pptx3.0 Project 2_ Developing My Brand Identity Kit.pptx
3.0 Project 2_ Developing My Brand Identity Kit.pptx
tanyjahb
 
LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024
Lital Barkan
 
The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...
awaisafdar
 
ikea_woodgreen_petscharity_dog-alogue_digital.pdf
ikea_woodgreen_petscharity_dog-alogue_digital.pdfikea_woodgreen_petscharity_dog-alogue_digital.pdf
ikea_woodgreen_petscharity_dog-alogue_digital.pdf
agatadrynko
 
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdfMeas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
dylandmeas
 
Cracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptxCracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptx
Workforce Group
 
Memorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.pptMemorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.ppt
seri bangash
 
anas about venice for grade 6f about venice
anas about venice for grade 6f about veniceanas about venice for grade 6f about venice
anas about venice for grade 6f about venice
anasabutalha2013
 
The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...
balatucanapplelovely
 
FINAL PRESENTATION.pptx12143241324134134
FINAL PRESENTATION.pptx12143241324134134FINAL PRESENTATION.pptx12143241324134134
FINAL PRESENTATION.pptx12143241324134134
LR1709MUSIC
 
20240425_ TJ Communications Credentials_compressed.pdf
20240425_ TJ Communications Credentials_compressed.pdf20240425_ TJ Communications Credentials_compressed.pdf
20240425_ TJ Communications Credentials_compressed.pdf
tjcomstrang
 
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
taqyed
 
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
BBPMedia1
 
Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)
Lviv Startup Club
 

Recently uploaded (20)

Buy Verified PayPal Account | Buy Google 5 Star Reviews
Buy Verified PayPal Account | Buy Google 5 Star ReviewsBuy Verified PayPal Account | Buy Google 5 Star Reviews
Buy Verified PayPal Account | Buy Google 5 Star Reviews
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
 
Improving profitability for small business
Improving profitability for small businessImproving profitability for small business
Improving profitability for small business
 
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-indiafalcon-invoice-discounting-a-premier-platform-for-investors-in-india
falcon-invoice-discounting-a-premier-platform-for-investors-in-india
 
Digital Transformation and IT Strategy Toolkit and Templates
Digital Transformation and IT Strategy Toolkit and TemplatesDigital Transformation and IT Strategy Toolkit and Templates
Digital Transformation and IT Strategy Toolkit and Templates
 
VAT Registration Outlined In UAE: Benefits and Requirements
VAT Registration Outlined In UAE: Benefits and RequirementsVAT Registration Outlined In UAE: Benefits and Requirements
VAT Registration Outlined In UAE: Benefits and Requirements
 
3.0 Project 2_ Developing My Brand Identity Kit.pptx
3.0 Project 2_ Developing My Brand Identity Kit.pptx3.0 Project 2_ Developing My Brand Identity Kit.pptx
3.0 Project 2_ Developing My Brand Identity Kit.pptx
 
LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024LA HUG - Video Testimonials with Chynna Morgan - June 2024
LA HUG - Video Testimonials with Chynna Morgan - June 2024
 
The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...
 
ikea_woodgreen_petscharity_dog-alogue_digital.pdf
ikea_woodgreen_petscharity_dog-alogue_digital.pdfikea_woodgreen_petscharity_dog-alogue_digital.pdf
ikea_woodgreen_petscharity_dog-alogue_digital.pdf
 
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdfMeas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
Meas_Dylan_DMBS_PB1_2024-05XX_Revised.pdf
 
Cracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptxCracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptx
 
Memorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.pptMemorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.ppt
 
anas about venice for grade 6f about venice
anas about venice for grade 6f about veniceanas about venice for grade 6f about venice
anas about venice for grade 6f about venice
 
The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...The effects of customers service quality and online reviews on customer loyal...
The effects of customers service quality and online reviews on customer loyal...
 
FINAL PRESENTATION.pptx12143241324134134
FINAL PRESENTATION.pptx12143241324134134FINAL PRESENTATION.pptx12143241324134134
FINAL PRESENTATION.pptx12143241324134134
 
20240425_ TJ Communications Credentials_compressed.pdf
20240425_ TJ Communications Credentials_compressed.pdf20240425_ TJ Communications Credentials_compressed.pdf
20240425_ TJ Communications Credentials_compressed.pdf
 
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
一比一原版加拿大渥太华大学毕业证(uottawa毕业证书)如何办理
 
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
RMD24 | Debunking the non-endemic revenue myth Marvin Vacquier Droop | First ...
 
Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)Maksym Vyshnivetskyi: PMO Quality Management (UA)
Maksym Vyshnivetskyi: PMO Quality Management (UA)
 

Weak Links: Cyber Attacks in the News & How to Protect Your Assets

  • 1. Cyber attacks are becoming more and more common. Besides the obvious damage an attack of this kind can inflict on your business, cyber crimes can erode your customers’ confidence in you and keep them from coming back to your site. This Oil Express Special Report spotlights recent cyber attacks in the retail space and points out the lessons you can learn so it doesn’t happen to your business!
    OIL EXPRESS SPECIAL REPORT
    Weak Links: Cyber Attacks in the News & How to Protect Your Assets
  • 2. Criminal Mind: Case Study of a Gas Station Data Threat
    A recent case study from security consultant Verizon Enterprise puts you inside a payment card harvesting scam. The culprit is an employee of the vendor providing general IT and point-of-sale support to a gas station chain. The vendor connects via remote desktop over VPN to the payment-processing server.
    The unscrupulous employee seeks out late-night assignments over weekends – when no one is around – and uses remote access to customer systems to harvest payment card data.
    He verifies no other active log-ins are in progress, sets the system clock forward or backward in time and modifies a configuration file to enable a debug setting in the payment application. A shared log-in is used.
    This allows him to create an output file capturing clear text copies of authorization requests from each fuel pump.
    He obtains the magnetic stripe sequences for conducting payment card fraud, then he resets the clock to the correct date and time.
    He covers his tracks by conducting all malicious activity only on his manager’s desktop system.
    What Can You Learn From This Crime Story?
    –– Never assume a POS vendor has strict security practices.
    –– The help desk should never share log-ins. “The shared log-ins limited accountability and gave the threat actor the confidence that he could get away with it,” said Verizon.
    –– Use two-factor authentication for remote access into the POS servers. “A keylogger on any of the help desk systems is all that it would take for this to morph from a partner misuse breach to a widespread external breach,” Verizon said.
    Oil Express Special Report | 9737 Washingtonian Blvd, Ste 200, Gaithersburg, MD 20878-7364 | 888.301.2645 | www.opisnet.com
  • 3. Verifone Acknowledges Attempted Hack at Gas Stations in the U.S.
    Even a leading equipment vendor that provides data security solutions can be vulnerable to attacks from hackers. Verifone sells file authentication software called “VeriShield Retain” that’s designed to provide protection against unauthorized access to payment devices. It also offers “VeriShield Total Protect” end-to-end data encryption designed to protect data from the point of capture, its website says.
    But the large point-of-sale systems vendor said hackers attempted a “cyber incident” in January 2017 at approximately two-dozen U.S. gas stations. No other merchants were targeted, Verifone said in a statement that did not disclose the location of the affected gas stations. The newsletter “Krebs on Security” reported that the breach affected companies running Verifone’s point-of-sale solutions, though Verifone was quoted saying the breach was limited to its corporate network.
    Last year, another large vendor that supplies gas stations as well as many other retailers with point-of-sale systems also experienced a breach, according to an alert from Visa. On Aug. 8, Oracle Security told customers of POS provider Oracle MICROS systems to change their account passwords immediately because it had detected malicious code in certain legacy MICROS systems, Visa said.
  • 4. Steps You Can Take if You Discover an Attempted Hack
    –– Proactively notify Visa, MasterCard and other card networks even if, as was the case for Verifone, the incident appears to be a “very limited cyber intrusion” into a corporate network.
    –– Implement additional security controls across corporate networks and determine the type of information that may have been targeted.
    –– Even if you, like Verifone, believe there were “no adverse events or misuse of any data resulting from this incident,” continue to monitor for data misuse.
    –– Give your company staff and contractors 24 hours to change all company passwords and provide a list of criteria to make passwords more secure.
    –– Passwords should be at least 12 characters, must be original (not used by the same employee before) and must contain uppercase and lowercase letters of the alphabet and non-alphanumeric characters such as @, # or *.
    –– Limit end users’ ability to load additional software on laptops and desktops as a security measure.
  • 5. MAPCO Case Offers How-To on Notifying Breach Victims
    Early this year, large Southeastern retailer MAPCO Express Inc. settled lawsuits with consumers and financial institutions for almost $2 million following its 2013 data breach, according to legal documents. About 185,000 accounts were compromised in the breach, records showed.
    The notification of potential victims that MAPCO undertook shows how monumental a task it is to exercise due diligence when disclosing the risk of fraud. There are notice laws covering data breaches, on top of reaching out to customers in good faith and following court orders. MAPCO’s campaign delivered more than 6.5 million digital notice impressions, well above the 2.5 million impressions specified in its court-approved notice plan, according to case documents.
    –– Listen to Concerns: Respond to written mail from potential victims. Your customers need to hear from you to address all their potential issues.
    –– Send Emails to Permissioned Lists: All MAPCO “My Rewards” customers who shopped at a MAPCO location between March 1, 2013, and April 30, 2013 received a direct email.
    –– Go Digital: MAPCO included a social media pitch to 5+ million Facebook users with interests similar to their customers’ as well as banner notices on local news websites.
    –– Consider Ads: MAPCO ran 4,096 paid search notice advertisements on Google, linked to search terms relevant to the settlement.
    –– Create a Settlement Website: Post claim forms, important dates and deadlines, legal documents, notices and frequently asked questions – link digital advertising to the site.
    –– Hit the Phones: Set up an automated, toll-free hotline available around-the-clock every day to answer questions on the breach and settlement.
  • 6. Beware of Scams Like One That Targeted Kroger
    Kroger was reported to have been the recent target of a phishing scam. The bogus email, supposedly from the company’s help desk, was an attempt to get employees of the large fuel retailer and grocer to click on a link leading to a website that would allow crooks to obtain tax information.
    The Kroger email thanked the addressee for “choosing to receive your Kroger employee U.S. tax statements electronically.” It provided a link to a website and said that due to a change in privacy policy, employees must enter the site to get tax information with their user ID and password. The “tax statements” could be viewed or saved to the employee’s computer or printed from the website, the email said. The message said the tax statements would be available for viewing and downloading through Oct. 15, 2017. After that time, the employee would have to pay a “replacement fee” to access the information.
    Kroger did not respond to a request for comment on the phishing attempt. Further investigation showed the email did not come from Kroger.
    The W-2 scam uses a corporate officer’s name to request employee W-2 forms from company payroll or human resources departments. The scam is just one of several new variations of targeted phishing scams that have appeared in the past year that focus on the large-scale thefts of sensitive tax information from tax preparers, businesses and payroll companies, the IRS says.
  • 7. FBI Warns Against Cyber Ransom
    The FBI recently posted an alert concerning the growing cyber-threat from ransomware, a type of malware installed on a computer or server that encrypts the files, making them inaccessible until a specified ransom is paid. Ransomware typically is installed when a user clicks on a malicious link, opens a file in an email that installs the malware, or through drive-by downloads from a compromised website. Drive-by downloads do not require user initiation.
    Recent variants have targeted and compromised vulnerable business servers to identify and target hosts, multiplying the number of potential infected servers and devices on a network. The crooks are also charging ransoms based on the number of hosts or servers infected. Recent victims infected with this type of ransomware variant have not been provided the decryption keys for all their files after paying the ransom and some have been extorted for even more money after payment. The result: victims could have to pay more to get their decryption keys, face a prolonged recovery time and may not obtain full decryption of their files, the agency said.
    The FBI does not support paying a ransom and recommends reporting infections to a local FBI office or to the Internet Crime Complaint Center at www.IC3.gov. Victims should provide: date of infection, ransomware variant (identified on the ransom page or by the encrypted file extension), company information (industry, business size, etc.), how the infection happened (such as a link in email or internet browsing), requested ransom amount, actor’s bitcoin wallet address (may be listed on ransom page), ransom amount paid, overall losses tied to the infection and victim impact statement.
    In a Tech Support scam, the subject claims to be a corporate employee or an affiliate of a major computer software or security company offering technical support. From Jan. 1 to April 30, 2016, the Internet Crime Complaint Center received 3,668 such complaints with adjusted losses of $2,268,982.
  • 8. Latest Scam: Thieves Get Social
    As more and more entrepreneurs promote their businesses on social media, fraudsters are following them. The Federal Trade Commission (FTC) said it has received complaints from small business owners that fraudsters have reached out to them through Facebook messages. The scammers are telling businesses they are eligible for or have won a business grant from the government. The same fraudulent pitch also has recently gone out via email and online ads and could be attractive to business owners interested in federal assistance. For example, it may appeal to oil marketers seeking to diversify into alternative fuels.
    The FTC also reports that social media scams designed to steal information and hack your accounts appear to be from a “friend.” The scammers can spoof social media messages to make them appear to be from a business contact. The fraudster could be trying to get your cellphone number, for example. Be sure to warn employees of this form of fraud, especially those responsible for handling your Facebook page, website and other social media accounts.
    The “Business Email Compromise,” or BEC scam, cost some 14,032 U.S. companies nearly $1 billion from October 2013 to May 2016. The scam involves fraudsters assuming the identity of the CEO, a company attorney or a trusted vendor and making an urgent request for money.
    The FTC says to watch for these red flags:
    –– The government will not contact you through social media, email or text message to offer funds.
    –– Real government grants do not require you pay first, so avoid offers that require payment to get the assistance.
    –– The government will not request your passwords before providing a grant. If you get such a request, it is just a thief trying to hack into your accounts to steal your money or to impersonate you to defraud others.
Keep up with the latest news on cyber attacks, data breaches, and everything else impacting the petroleum marketing industry — sign up for a free 2 week trial to Oil Express. Visit try.opisnet.com/oe17008 to get started.
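
The gas station case study in slide 2 combines four observable signals: a remote session outside working hours, a shared log-in, a tampered system clock and a debug setting switched on in the payment application. The sketch below is an added example, not part of the Oil Express report or Verizon's case study; it triages constructed log lines for that combination, and the event format, the account and host names, `payapp.conf` and `debug=on` are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, not taken from the report. Format (an assumption):
# collector_receive_time|host_time|host|account|source|event|detail
SAMPLE_EVENTS = """\
2017-03-04T23:41:10|2017-03-04T23:41:09|pos-srv-01|helpdesk|WS-MGR-07|logon|rdp
2017-03-04T23:43:02|2017-02-20T10:00:00|pos-srv-01|helpdesk|WS-MGR-07|clock_change|set
2017-03-04T23:44:30|2017-02-20T10:01:28|pos-srv-01|helpdesk|WS-MGR-07|config_change|payapp.conf debug=on
2017-03-05T00:20:00|2017-02-20T10:36:58|pos-srv-01|helpdesk|WS-MGR-07|file_read|auth_debug.out
2017-03-05T00:21:30|2017-03-05T00:21:29|pos-srv-01|helpdesk|WS-MGR-07|clock_change|set
2017-03-05T00:22:00|2017-03-05T00:21:59|pos-srv-01|helpdesk|WS-MGR-07|logoff|
2017-03-06T10:15:00|2017-03-06T10:14:59|pos-srv-01|jsmith|WS-HD-02|logon|rdp
2017-03-06T10:18:40|2017-03-06T10:18:39|pos-srv-01|jsmith|WS-HD-02|config_change|payapp.conf receipt_footer=updated
2017-03-06T10:25:00|2017-03-06T10:24:59|pos-srv-01|jsmith|WS-HD-02|logoff|
"""

SHARED_ACCOUNTS = {"helpdesk"}      # assumption: inventory of known shared log-ins
BUSINESS_HOURS = range(7, 19)       # assumption: 07:00-18:59, Monday to Friday
MAX_SKEW = timedelta(minutes=5)     # tolerated gap between host and collector clocks


def parse(text):
    """Yield one dict per event line; both timestamps become datetime objects."""
    for line in text.strip().splitlines():
        recv, host_time, host, account, source, event, detail = line.split("|")
        yield {
            "recv": datetime.fromisoformat(recv),
            "host_time": datetime.fromisoformat(host_time),
            "host": host, "account": account, "source": source,
            "event": event, "detail": detail,
        }


def sessions(events):
    """Group events into logon..logoff sessions keyed by host/account/source."""
    open_sessions, done = {}, []
    for ev in events:
        key = (ev["host"], ev["account"], ev["source"])
        if ev["event"] == "logon":
            open_sessions[key] = [ev]
        elif key in open_sessions:
            open_sessions[key].append(ev)
            if ev["event"] == "logoff":
                done.append(open_sessions.pop(key))
    done.extend(open_sessions.values())   # sessions still open at end of log
    return done


def indicators(session):
    """Return the set of case-study indicators seen in one session."""
    found = set()
    start = session[0]
    # Judge working hours by the collector's clock: the host clock is the one
    # the insider set forward or backward.
    if start["recv"].weekday() >= 5 or start["recv"].hour not in BUSINESS_HOURS:
        found.add("off_hours")
    if start["account"] in SHARED_ACCOUNTS:
        found.add("shared_account")
    for ev in session:
        if abs(ev["recv"] - ev["host_time"]) > MAX_SKEW:
            found.add("clock_skew")
        if ev["event"] == "config_change" and "debug=on" in ev["detail"].lower():
            found.add("debug_enabled")
    return found


def triage(text, threshold=3):
    """Return (account, source, sorted indicators) for sessions at or over threshold."""
    alerts = []
    for s in sessions(parse(text)):
        hits = indicators(s)
        if len(hits) >= threshold:
            alerts.append((s[0]["account"], s[0]["source"], sorted(hits)))
    return alerts


if __name__ == "__main__":
    for account, source, hits in triage(SAMPLE_EVENTS):
        print(f"ALERT {account} from {source}: {', '.join(hits)}")
```

Comparing each event's host timestamp with the time a separate collector received it is what exposes the clock change, even when the host's own log looks internally consistent.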