Cybercriminals go where the money is.
During the busy holiday season, that means the retail sector. And as more retail sales occur online, that means e-commerce sites are in hackers’ crosshairs.
I just returned from the annual Retail Cyber Intelligence Summit in Denver, where I got the chance to talk with security experts at some of the largest retailers in the U.S. I’m going to tell you what they see as the biggest threats to their business, and how they’re using intelligence to stay ahead of criminals.
Phishing and Gift Card Fraud Threaten Brands and Their Bottom Lines
Phishing takes a lot of forms, but it remains the top concern on the minds of the retail chief information security officers I spoke to.
Spoofed email addresses can be used to gain access to supplier or customer login. Phony websites can be made to look exactly like those of major retailers. These can be used to capture and record credit card information. We’re seeing this data sold on dark web forums, along with email phishing kits that feature spamming services and automated controls that allow criminals with a bare minimum of skills to target companies.
On the other hand, hackers use stolen credit card info to buy gift cards. Sold on the dark web, these gift cards are then converted to cash. Gift cards can be a double whammy for retailers. The stolen credit card data used to purchase gift cards lead to chargebacks, while the customer service imperative of the retail industry makes it hard for brands to deny transactions based on gift card fraud. Nobody wants to tell valued customers that they’re connected to crime.
These two forms of fraud can cause lots of damage to a brand because of customer backlash. Customers don’t like finding out that their credit card data has been stolen; they expect retailers to keep that information secure. However, retailers may also feel blame for issues outside of their control, such as when a customer falls prey to a spoofed web page.
Sniffers Emerge as Silent Threat
Retailers are also beginning to pay attention to credit card sniffers — i.e., malicious scripts that are injected onto payment pages of e-commerce sites to scrape customer payment information, including credit card data.
Researchers have identified sniffers as the single greatest threat to the retail sector, accounting for 88 significant breaches in 2018. The highest profile breach was the attack against British Airways, in which the Magecart hacker group injected a sniffer onto the airline’s payment site, claiming 500,000 victims and ultimately resulting in a fine of £183 million, at the time the largest fine levied under the EU’s General Data Protection Regulation (GDPR).
Sniffers are a devastating threat because they can be difficult to detect. They blend in with legitimate parts of the e-commerce site, and don’t use a lot of code. That means they may sit in on a website for significant periods of time.
There’s an old saying: an ounce of prevention is worth a pound of cure. With cybersecurity, it’s often true. One of the emerging strategies to fight these threats involves monitoring unsavory corners of the internet where fraudsters gather to share notes and sell their wares.
The dark web is a robust network. Within it, cybercriminals buy and sell stolen card data, advertise counterfeit phishing sites, and teach each other how to deploy hacking tools.
These marketplaces are public, however, if you know where to look. When analysts monitor them, they can find out when someone is selling stolen card data from a particular retailer or determine when customers of a brand are getting hit with phishing campaigns. And with this information, they can take proactive approaches such as resetting customer passwords, educating consumers about phishing campaigns, and getting fraudulent URLs taken down through their ISPs. Intelligence allows retailers to be proactive.
If you haven’t started planning a cybersecurity strategy for the holidays, now is the time to do so. Threat activity increases considerably over the next couple of weeks. Planning now is the only way to avoid getting breached this holiday season.
Dov Lerner is a cyber intelligence researcher at Sixgill, an IoT sensor platform company, where he focuses on malware sold on the dark web.