Author: Bilge Ceylan, Associate, EMEA – Cyber Security
The art world has turned increasingly to technology to support its operations, and with it the risk from cyber attacks has grown. Threat actors are increasingly targeting vendors and third parties to carry out malicious activities, and any platform or system in use represents a potential target. In the art world, this typically involves third-party digital payment platforms and communication channels.
Digital Payment Platforms
Following the onset of the pandemic in early 2020 and the resulting series of lockdowns, many galleries and auction houses created new ways for collectors to acquire pieces. Many institutions expanded their virtual presence to maintain their customer base and attract new buyers. Sotheby’s, one of the largest auction houses in the world, held over 100 online sales between March and June 2020, representing a 150% increase in sales over the same period in 2019.[1]
In-Platform Vulnerabilities
Galleries and auction houses accelerated their use of digital payment platforms such as Stripe, PayPal and Braintree, which brings a host of new cyber security vulnerabilities. For example, in March 2021, the digital payment platform MobiKwik was reportedly hacked, exposing the details of 100 million MobiKwik users for sale on the dark web. Although MobiKwik denied the data breach, media outlets reported that customers’ phone numbers, email addresses, signatures, transaction logs, partial payment card numbers, passwords, and personal identification documents were exposed.[2] Although a business may have strong internal cyber defences, vendors and third parties access considerable amounts of sensitive data, and customers are unlikely to distinguish who leaked their information. As a result, entities may become the subject of litigation from customers impacted by a data breach and suffer reputational damage.
In 2020, PayPal, another popular payment platform, announced a vulnerability affecting the password authentication function on one of its most visited pages. The vulnerability allowed an attacker access to users’ PayPal passwords if the users followed a malicious link, such as those employed in phishing emails.[3] During 2020, PayPal also disclosed a cross-site scripting vulnerability related to its currency conversion endpoint that allowed threat actors to inject malicious JavaScript into victims’ browsers, granting them access to sensitive data or control of a device.[4]
While there is no sure-fire way to ensure third parties do not suffer a breach, conducting cyber due diligence and regular reviews of counterparties’ internal controls and data safeguarding processes are important steps to help limit the potential for these types of incident.
Stolen Credit Cards
Another payment-related concern for art and auction businesses is the use of stolen credit card numbers to conduct fraudulent payments. Thousands of stolen credit card details are accessible on underground marketplaces on the dark web, which threat actors can purchase for just a few dollars and potentially use to make purchases. While most payment platforms have fraud detection systems in place, these systems typically operate based on the card owner’s previous behaviour and spending patterns. If a threat actor purchases stolen card details and then uses them to buy a high-value piece from an art gallery, this initial purchase may not be registered as suspicious if the original cardholder has made recent expensive purchases. It is usually only if repeated attempts are made to purchase expensive goods over a short period of time that the system flags the activity.
Art businesses can protect themselves from this kind of fraud by employing a personal verification step for high-value items, which requires purchasers to confirm their identity through a second factor, such as a phone call confirming the purchase or a request for proof of identity.
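The gap described above, shown as an added example that is not from the article: a behaviour-based velocity rule on its own misses a single high-value purchase on a card that already shows expensive spending, while a separate step-up rule sends every high-value order for out-of-band verification regardless of history. The threshold, window, limit and transaction data are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample history: a card whose genuine owner already makes
# expensive purchases, so a single large order looks "normal".
HISTORY = [
    {"amount": 12_000, "time": datetime(2021, 5, 1, 10, 0), "merchant": "jeweller"},
    {"amount": 9_500, "time": datetime(2021, 5, 20, 15, 30), "merchant": "travel"},
]

# Constructed sample: the suspicious order placed with the stolen card details.
NEW_ORDER = {"amount": 48_000, "time": datetime(2021, 6, 2, 11, 0), "merchant": "gallery"}

# Constructed sample history: a burst of large purchases on the same day.
BURST_HISTORY = [
    {"amount": 15_000, "time": datetime(2021, 6, 2, 9, 0), "merchant": "electronics"},
    {"amount": 15_000, "time": datetime(2021, 6, 2, 10, 0), "merchant": "watches"},
]

HIGH_VALUE_THRESHOLD = 10_000   # assumed policy value
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_MAX = 2                # assumed: more than 2 high-value buys per day is suspicious


def velocity_flag(history, order, threshold=HIGH_VALUE_THRESHOLD,
                  window=VELOCITY_WINDOW, max_count=VELOCITY_MAX):
    """Behaviour-based rule: only repeated high-value buys in a short window trip it."""
    recent = [t for t in history
              if t["amount"] >= threshold and order["time"] - t["time"] <= window]
    current = 1 if order["amount"] >= threshold else 0
    return len(recent) + current > max_count


def needs_step_up(order, threshold=HIGH_VALUE_THRESHOLD):
    """Policy rule: any single high-value order needs out-of-band verification."""
    return order["amount"] >= threshold


def decide(history, order, verified=False):
    """Combine both rules: 'decline', 'verify' (hold for a call / ID check) or 'approve'."""
    if velocity_flag(history, order):
        return "decline"
    if needs_step_up(order) and not verified:
        return "verify"
    return "approve"
```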
Communication Channels
The widespread transition to remote working following the COVID-19 pandemic has meant that galleries and auction houses have also increased their reliance on internal communication tools, such as Zoom and Slack, and GPS tracking tools, such as Orion Data Network, to discuss high-value transactions and monitor art movement. Threat actors can exploit these technologies to carry out malicious activities, including intercepting and stealing high-value art pieces, overcoming physical security measures, conducting ransomware attacks, and gaining access to internal networks.
Malware: RATs and Infostealers
Threat actors do not need sophisticated skills or technology to breach these platforms: by using open source research or credentials sold on the dark web, they can overcome the security systems in place. Once an actor has gained access to a platform, they can gather further information about ongoing transactions and upcoming events. Threat actors may also use collaboration platforms to upload malicious files, including remote access Trojans (RATs) and information-stealing malware, or spread through the system via internet of things (IoT) malware, which could then allow them to gain command and control access.[5]
Malicious File Upload and Transmission
Threat actors can also leverage messaging applications to impersonate a colleague and spread malicious links, while some applications also allow malicious content to be stored on the platform and delivered to a user. Most messaging applications support file transmission, allowing users to attach files. These applications use a content delivery network (CDN), which stores files and allows server members to access them. If a file is uploaded to the CDN in Discord, for example, the file can be accessed via its CDN URL from any system, even one on which the Discord application is not installed. Slack has similar functionality that can be exploited by threat actors, allowing them to upload malicious files to the messaging platform to create links that seem legitimate but in fact host malicious content.[6] These links are difficult for security filters to detect and are more likely to be opened by a recipient because they use reputable domains.
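A defender-side check for the pattern above, added here as an example and not taken from the article or the cited Talos report: it scans message or email text for links to the file-hosting domains of collaboration platforms and flags those that point at executable or archive file types, which is where a reputable domain would otherwise let the link slip past a filter. The host list is from general knowledge rather than the article, and the sample messages are constructed.

```python
import re
from urllib.parse import urlparse

# Hosts that collaboration platforms use to serve uploaded attachments.
# Assumption: compiled from general knowledge, not from the article.
COLLAB_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net", "files.slack.com"}

# File types that warrant a closer look when served from a chat platform's CDN.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".ps1", ".zip", ".rar",
                    ".iso", ".lnk", ".docm", ".xlsm"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample messages, as they might appear in a gallery's mail or chat logs.
SAMPLE_MESSAGES = [
    "Hi, updated invoice for lot 42: "
    "https://cdn.discordapp.com/attachments/1111/2222/Invoice_Lot42.zip?ex=abc",
    "Condition report photo: https://media.discordapp.net/attachments/1111/3333/report.png",
    "Catalogue entry is live at https://www.example.com/lot/42 if you want to check it.",
]


def classify_url(url):
    """Return a verdict for one URL: is it on a collab CDN, and is the file type risky?"""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.lower().rsplit("/", 1)[-1]   # query string is ignored
    ext = "." + filename.rsplit(".", 1)[-1] if "." in filename else ""
    on_cdn = host in COLLAB_CDN_HOSTS
    return {"url": url, "host": host, "ext": ext,
            "collab_cdn": on_cdn, "flag": on_cdn and ext in RISKY_EXTENSIONS}


def scan_message(text):
    """Extract every URL in a message and classify it."""
    return [classify_url(u) for u in URL_RE.findall(text)]


def flagged_urls(text):
    """URLs in the message that point at risky file types on a collaboration CDN."""
    return [v["url"] for v in scan_message(text) if v["flag"]]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for verdict in scan_message(msg):
            print("FLAG" if verdict["flag"] else "ok  ", verdict["host"], verdict["ext"])
```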
Possible Defence Strategies
The most effective means of defending against these types of attacks include educating staff to be alert to suspicious communications and monitoring criminal chatrooms and other forums on the deep and dark web for sensitive information being sold or shared. If a business suspects an adversary has infiltrated its network, a specialist digital forensics team should be engaged to conduct threat-hunting exercises, identify the adversary’s tracks and formulate a strategy to expel them from the system.
Cyber attacks can inflict significant damage on organizations, both in business costs and in lost customer trust. As galleries and auction houses become increasingly reliant upon new technologies, they should seek to protect themselves from cyber threats to both external and internal technology.
[1] https://www.artnews.com/art-news/market/online-art-collecting-coronavirus-pandemic-1234573318/
[2] https://www.indiatimes.com/technology/news/mobikwik-data-breach-hack-credit-card-pan-card-database-dark-web-537273.html
[3] https://www.forbes.com/sites/zakdoffman/2020/02/22/paypal-critical-login-hack-new-report-warns-you-are-at-risk-from-thieves-heres-the-reality/?sh=253e3286445e
[4] https://www.zdnet.com/article/paypal-fixes-reflected-xss-vulnerability-in-business-wallet/
[5] https://blog.talosintelligence.com/2021/04/collab-app-abuse.html
[6] https://blog.talosintelligence.com/2021/04/collab-app-abuse.html