The rise of digital tools and connected systems has also led to an increase in cyber attacks on businesses in Canada and around the globe. Here’s what auto retailers need to know about these attacks, and how to protect their dealerships. 
In 2017, nearly one-fifth (21 per cent) of businesses across the nation reported cyber security indents affecting their operations, according to Statistics Canada.
Many of these incidents prevented employees from carrying out their daily work, included additional repair and recovery costs, resulted in lost revenue, and even damaged the reputation of the business. Worse yet, that number is rising and is poised to impact car dealers on various levels, according to David Masson, Canada Country Manager for Darktrace.
“Car dealers have a lot of information, they’ve got a lot of data. They’ve got data for their customers, they’ve got data for the vehicles they’re selling, they have customer relationship management (CRM) systems, which are very important in running their business,” said Masson. “In many ways these days, data is currency, and that’s why people go after it. They try to steal your data and sell it, and sometimes (they) try and stop you from getting access to it.”
“In many ways these days, data is currency, and that’s why people go after it. They try to steal your data and sell it, and sometimes (they) try and stop you from getting access to it.”
— David Masson, Canada Country Manager, Darktrace
Masson said these hackers, or “the bad guys” as he calls them, can wreak havoc on your network within seconds, though it often takes 100 days for someone to notice that something is wrong — and it some cases it can take years.
Types of cyber attacks
Data manipulation
There are many forms of cyber attacks, but one that has been on the rise is the manipulation of digital information: changing or tampering with the integrity of your data, whether it’s your CRM system, pricing formula, vehicle information, or something else. Masson said it’s considered a very insidious and boring attack, but one that can easily make you lose faith in your own system.
Phishing attacks
Phishing is a type of social engineering attack. It’s among the most popular cyber attacks, and it’s often used to steal user data — including login credentials and credit card numbers, along with other confidential data, according to Jean-Philippe Racine, president of the Quebec-based CyberSwat Group.
“It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message,” said Racine. “This is often the first step of an attack.”
Racine said many small and medium-sized businesses feel their information is not valuable enough for hackers to steal, but they are wrong. “Most cyber security attacks are automated and target random companies. This could be you.”
A recent survey by the Canadian Internet Registration Authority (CIRA) concerning cybersecurity of small and medium-sized companies in Canada revealed that 32 per cent reported that their users had unknowingly divulged information to phishing tactics within the last year.
Another type of attack that may seem like phishing but can be categorized separately is the theft of personal data for sale on the digital black market.
“Social security numbers, names, addresses, phone numbers, and driver licence numbers are all information that dealers use when financing a car; this information is very valuable for hackers,” said Racine. “If they hack a dealer’s website or internal servers and steal a client’s personal data, they can sell the data on the dark web or use it directly to identify thieves.”
One identity could sell for between $60 and $80 USD on the dark web, based on a November 2017 article of PC Magazine.
Ransomware
Based on the survey by CIRA, 19 per cent of companies reported having been affected by ransomware.
Racine describes ransomware as an attack that does not affect the confidentiality of the information, but rather the availability of it. In other words, dealers would need to pay a ransom to hackers if they want to get their information back.
“During a phishing attack or when browsing on the web, someone could open a file that contains a virus; this virus will encrypt all the data of the company and a ransom will be asked,” said Racine. “The dealer will only have three choices: restore their data from a backup, try to decrypt the data, or pay the ransom.”
The problem, he said, is that decrypting the data is not always possible, and the dealer may discover that their backup strategy does not permit them to recover all the data.
“Many small and medium-sized businesses feel their information is not valuable enough for hackers to steal, but they are wrong. Most cyber security attacks are automated and target random companies. This could be you.”
— Jean-Philippe Racine, President, CyberSwat Group
Generally, cyber security companies do not recommend paying the ransom, but sometimes the only option is to pay it anyway. Racine said he is aware of some companies that had to restart from scratch after losing all their data. The problem with this option is that it helps the “bad guys” receive more money, which they can then invest in Research and Development (R&D), and that in turn provides them with the ability to better attack businesses.
Ransomware is one of the most popular forms of cyber attacks and it is considered a big issue for all types of companies, including dealerships.
Gift cards, wire transfers, and email
There are many forms of phishing attacks, but an interesting one that has been creeping up has to do with gift cards, according to Sean Thomas, VP of Technology at Dealer Security and Solutions Architect at A&R Solutions.
In this case, the hacker will connect directly with a salesperson, well-aware of when they are on a shift, and email that person pretending to be someone at the dealership. Then they will ask them to pick up some iTunes gift cards.
The situation would be something like this: “Hey, can you pick up five gift cards for me for a promotion we’re running? We’re going to give them away,” said Thomas. And then what they’ll do is about 10 minutes later they’ll email them (the salesperson) back and say, ‘Hey, I really need them right now. We just sold two cars. Can you scratch off the back, take a photo and just email it back to me?’”
It may not seem like a big deal at first, but when the cards range from $200 to $500, the cost can add up quickly. Thomas said he originally started seeing this issue creep up in dealerships more than six months ago, and that these incidents point to the “bad guys” viewing dealers as “the low hanging fruit.” That view is based on significant turnover in the industry and a lack of proper training. If the dealership does not have the budget to invest in security measures for their Information Technology (IT) department, then they may be an easy target.
Other forms of cyber attacks in the sub-phishing category include wire transfers and emails. “Wire transfers are nothing to them (hackers), so that one’s big,” said Thomas. “The other thing that’s becoming better is the writing and grammar in (phishing) emails.”
In the past, it was often an English as a second language person writing the emails, but Thomas said the grammar and sentence structures are now flawless — which can make the email appear trustworthy.
Based on data of a medium-size automotive group of 500 users over a 30-day period, which included 975,000 emails received and 135,000 emails sent, Thomas discovered:
Cyberattaques
• Malware found and removed (109) Email where the attachment was found to have malware
• Data leak prevention (33) An employee, malicious or not, was sending sensitive information across unencrypted email
• Spoofed emails (external) (5,112) Email that was spoofed, i.e. did not originate from where it said it originated from
• Malicious URLs (731) Email where a URL contained in it was to a malicious, usually malware, site/document
• User impersonation (1,243) Email where someone was pretending to be someone they were not
“There are many forms of phishing attacks, but an interesting one that has been creeping up has to do with gift cards”
— Sean Thomas, VP of Technology, Dealer Security and Solutions Architect, A&R Solutions
• Phishing attacks (3,318) Email where someone was trying to gain access to a corporate system, either an individual’s account or something company wide
• Brand impersonation (10) Email where someone is pretending to be a brand, i.e. Microsoft
• Domain impersonation (1) Email where someone is pretending to send from a specific domain when they are sending from another
How to protect your dealership
There are many methods that dealers can use to protect their dealerships from cyber attacks.
• Don’t share confidential data about your clients, such as a social security number, driver’s license information, and other information by email. (CyberSwat)
• Update your system, especially if your dealership has old computers or computers that have not been updated, including things like operating systems, browsers, and software. (CyberSwat)
• Restrict software and set up administrative rights to ensure nothing is installed on your computer without authorization. (Darktrace)
• Create an advanced password, have your employees do the same, and advise them to stop reusing passwords for multiple sites. (Darktrace)
• Have your dealership staff trained on what to do if you are unsure about an email received, how to handle attachments, review how the email system works, and how the computers work. (A&R Solutions)
• Make sure the email address is the correct one. Does the person have a signature? And if so, is that signature in the request for a wire transfer? Does the signature read, for example, “Hi Timothy” when the employee or client typically calls you Tim? (A&R Solutions)
For dealers using Microsoft Office 365, there is also a lot of the available functionality, in terms of anti-phishing, anti-spam, anti-malware, and more. Dealers can also install a firewall and software that prevents viruses, spyware and phishing attacks, and they can block access to restricted sites through Internet filters.
Creating a strict policy for the dealership to ensure no one is using public Wi-Fi, and introducing an internal reporting protocol to alert the company of spam or phishing emails that are being distributed is also important. Most of all, experts recommend dealers to consult with a professional and discuss how to dispose of tangible and intangible data.
