US federal authorities, as well as Wapack Labs, are suggesting that auto dealerships should treat the threat of cyber-attacks as seriously as any other part of their business. “Dealerships are in control of some important data and protecting that data is critical to both themselves and their customers,” says Special Agent E. Parmelee of the FBI’s Cyber Division. When asked about the most pressing cyber threats that dealers face today, Special Agent Ed Parmelee said, “The most pressing threats facing everyone are business email compromise, ransomware viruses and the Internet of Things, or IoT.”

A business email compromise is a phishing scam in which a fake email is sent to elicit a response from the user. The bad actor first does a quick study of the dealership: its business practices, how it transfers money and which vendors it works with. This preparatory research is called reconnaissance; the manipulation of staff that follows is social engineering.

The example given is a dealership that receives a large, continuous flow of auto parts shipments from various vendors. A criminal can often easily figure out who controls wire transfers at the dealership and will send a false invoice, apparently from a vendor, requesting payment. Because a busy dealership handles a high volume of business, employees will quickly open the invoice and simply pay the bill, which is fake. Savvy criminals use the network and account they set up for a short period, then close it and move on.[1] This tactic often evades detection by accounting and any law enforcement action.

So how can a dealership identify this scam? Fraudulent invoice documents almost always differ subtly from a genuine invoice. Take a close look at the email address, as it will often be “spoofed.” The name in the address could have a double “l” or a double “e.” Instead of a double “l” in the email address, the scammer may use the number “1.” If the user does not take the time to double-check these subtleties, a small to large loss of money may be incurred. Sometimes the language used in the invoice is close to that of a legitimate one but has small differences. Other dealership-related documents can also be spoofed and used to trick users. Employees should trust the email but verify it by double-checking email addresses, documents and changes in language. If the invoice does not look quite right, call the vendor and confirm that they sent it.[2]
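As an added illustration (not from the original article), the following Python screen applies the address checks above to a From: header: it folds digit-for-letter substitutions such as “1” for “l”, collapses doubled letters, and flags sender domains that then match or nearly match a vendor the dealership actually pays. The vendor domains and sample headers are constructed for this example.

```python
import re
from difflib import SequenceMatcher

# Constructed list of vendor domains the dealership really pays (hypothetical names).
KNOWN_VENDOR_DOMAINS = {"acmeparts.example", "wheelsupply.example"}

# Digit-for-letter substitutions of the kind described above ("1" in place of "l").
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def normalize(domain: str) -> str:
    """Lower-case, fold look-alike digits to letters, collapse doubled letters ("ll" -> "l")."""
    folded = domain.lower().translate(CONFUSABLES)
    return re.sub(r"(.)\1+", r"\1", folded)


def sender_domain(address: str) -> str:
    """Return the domain of an e-mail address; accepts 'Name <user@host>' or bare 'user@host'."""
    match = re.search(r"([^<>\s@]+)@([^<>\s@]+)", address)
    if not match:
        raise ValueError(f"no e-mail address in {address!r}")
    return match.group(2).lower()


def classify_sender(address: str, known=KNOWN_VENDOR_DOMAINS, threshold: float = 0.85) -> str:
    """'known' = exact vendor domain; 'lookalike' = matches a vendor once look-alike
    characters and doubled letters are folded, or differs by a character or two;
    'unknown' = no resemblance. A 'lookalike' is a cue to phone the vendor, not a verdict."""
    domain = sender_domain(address)
    if domain in known:
        return "known"
    norm = normalize(domain)
    for vendor in known:
        vendor_norm = normalize(vendor)
        if norm == vendor_norm:
            return "lookalike"
        # Catches an added or dropped letter (e.g. "acmepart" for "acmeparts").
        if SequenceMatcher(None, norm, vendor_norm).ratio() >= threshold:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed From: headers, not real mail.
    for hdr in ["AP Dept <billing@acmeparts.example>",
                "billing@acmepart5.example",
                "invoices@wheellsupply.example",
                "billing@acmepart.example",
                "someone@rand0m-vendor.example"]:
        print(f"{classify_sender(hdr):9s} {hdr}")
```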

The City of Baltimore was recently hit with ransomware that crippled its services. Ransomware is a specific type of malware that infects a computer network. The victim may open an email attachment or visit a compromised website that has the malware embedded in it, which in turn infects the dealership network.

The ransomware spreads through the network and encrypts, or locks, files and/or the system to make them unreadable. The criminals will, in short order, offer the dealership a decryption key in exchange for money, often paid in cryptocurrencies like Bitcoin or Monero. Ransomware can infect your network when someone clicks on a link that appears to come from a legitimate source, or simply through surfing the web and landing on a bad site. When employees finish their normal work and get bored, they often “surf” the Internet and at times click on untrustworthy websites. Pornography sites are notorious for tricking people into clicking through to a bad site. If the ransomware gets into your network, the system will normally display a “splash screen” announcing “you’ve been locked out” and demanding a sum of money in exchange for the decryption key to get your files back. The dealership then has two immediate choices: pay the ransom or restore the network from backups. That is, if the dealership backs up its network data.[3]

Law enforcement often discourages paying any ransom. But if a dealership has no backups or even a basic cyber response plan, it may have to pay. This is a difficult call, but getting back to business has to be weighed against catching the bad guys, who are often foreign nationals and may never be apprehended. Wapack Labs encourages dealerships to have a comprehensive cyber response plan and to back up their data every day. Your backup network or networks should be kept “air-gapped” from your main network, meaning they are segregated and not connected, so they cannot be compromised by malware that reaches the main network. Backups also need to be free of malware so they do not re-infect your network.

Dealerships should always have a proven antivirus product installed on their network. Firewalls can be tuned to apply mitigation techniques between the Internet and your network. Wapack Labs can provide these protections.

Your main mitigation approach is to have all your employees trained to recognize suspicious websites and suspicious activity via email, and to practice good, solid cyber hygiene in their daily routines. This is true for everyone from an entry-level employee to one who has been with the dealership for years. The training should recur on a regular basis.

Customers at times bring in their “files” on some sort of media, like a thumb drive, and want to plug it into the dealership’s computer so they can show the salesperson details of their car research and their financial information. Never, ever permit anyone to place data onto your network in this fashion. If you want to provide this type of service, provide a stand-alone computer for the purpose, and routinely run an antivirus program against it to ensure the files are not infected.

Internet-connected, or Internet of Things (IoT), devices are increasingly used to improve efficiency and convenience, both in dealership operations and in the cars themselves. Check out the service shop and you will find that many mechanics are now “technicians” who use computers for diagnostics on the cars being serviced. These kinds of connections to the Internet greatly increase the dealership’s exposure to malicious actors.

Devices of this type are particularly hard to protect, because patching vulnerabilities across all of them is significantly difficult. Criminals can use these IoT footholds to remotely attack other internal dealership systems, send malicious and spam e-mails, steal personally identifiable information or interfere with daily operations. If technicians, sales or other personnel want to use their own devices at work, the dealership’s answer should be “no.” That practice has the potential to open up huge cyber problems. This prohibition should be part of the dealership’s cyber mitigation plan and taught to employees as “good cyber hygiene.” Teach them to understand that what they do on their computers can have disastrous effects on “their” dealership.

Once a cyber plan is developed, cyber education implemented, air gaps created and antivirus installed, cyber security experts suggest that dealerships conduct regular penetration tests of their network. This testing attempts to discover vulnerabilities in the dealership network before a bad actor gets in and steals data, infects the network, holds it for ransom or simply destroys it for the sake of cyber vandalism or revenge. Dealers can do these tests with their in-house IT staff or hire a third party, like Wapack Labs.

Dealers can also review the US Department of Homeland Security and Federal Trade Commission websites to educate staff and employees on mitigation techniques to use in-house.  Or simply call Wapack Labs. 

Wapack Labs is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization that can provide personalized cyber support to dealerships to help keep them cyber safe. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or
