IBM has issued a cybersecurity advisory warning about an attack method originally developed to defraud banks that is now being applied to the retail sector.
Limor Kessem, global executive security advisor for IBM Security, said the two-step IcedID Trojan attack is being employed by cybercriminals to steal credentials and payment card data from specific retailers. IBM also surmises that once the attack is successful, the compromised websites are incorporated into a larger botnet that is rented out to other cybercriminals, Kessem said.
IcedID was originally discovered by IBM in the fall of 2017. The purveyors of this malware are targeting corporate accounts that generate large volumes of transactions, which is why financial institutions were the primary target. But Kessem said that as financial institutions have become more adept at thwarting these types of attacks, cybercriminals are now attempting to leverage their investment in IcedID to target other vertical industry sectors.
According to IBM reports, IcedID differs from other Trojan attacks in that some cybercriminals are relying on a commercial inject panel, Yummba’s ATSEngine, to deliver the payload. ATSEngine employs its own attack/injection server rather than setting up a separate malware command-and-control (C&C) server. That approach allows a cybercriminal to orchestrate the injection process, update injections via the attack server, parse stolen data and manage fraudulent transactions.
Most of the attacks that rely on IcedID continue to be aimed at organizations located in North America. But IBM believes the cybercriminal organization launching these attacks is physically located in Eastern Europe. To make it easier to combat this specific threat, IBM, via the X-Force Exchange community it oversees, has compiled a list of indicators that make it easier for cybersecurity teams to determine whether their organization has been compromised by an IcedID Trojan.
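The indicator list itself is not reproduced here. As an added illustration (not IBM's or X-Force Exchange's code, and not the article's), the following Python script shows how a security team might sweep web-proxy logs against such a list of domain and IP indicators: hostnames are normalized before matching, subdomains of a listed domain are treated as hits, and both single addresses and CIDR ranges are supported. Every indicator value and every log line below is a constructed placeholder, and the six-field proxy log format is an assumption for the example.

```python
"""Sweep constructed proxy log lines against a constructed IoC list.

Added example; indicator values are placeholders, not real IcedID IoCs.
In practice the sets below would be loaded from the X-Force Exchange list.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed placeholder indicators (documentation domains / TEST-NET ranges).
IOC_DOMAINS: Set[str] = {"inject-panel.example", "c2.example.net"}
IOC_IPS: Set[str] = {"203.0.113.10"}
IOC_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed log layout: "<timestamp> <client_ip> <method> <url> <dest_ip> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<dest>\S+)\s+(?P<status>\d{3})$"
)
# Pull the host out of a URL, skipping any userinfo ("user:pass@host").
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?:[^@/]+@)?(?P<host>[^:/?#]+)", re.I)


@dataclass
class Hit:
    line_no: int
    client: str
    kind: str       # "domain" or "ip"
    indicator: str  # the listed indicator that matched


def normalize_host(host: str) -> str:
    """Lower-case and drop a trailing dot so 'C2.Example.NET.' == 'c2.example.net'."""
    return host.strip().rstrip(".").lower()


def match_host(host: str, domains: Set[str]) -> Optional[str]:
    """Return the listed domain that equals the host or is its parent domain."""
    h = normalize_host(host)
    for d in domains:
        if h == d or h.endswith("." + d):
            return d
    return None


def match_ip(ip_str: str, ips: Set[str], networks) -> Optional[str]:
    """Return the matching indicator (address or CIDR) for a destination IP."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None  # not an IP (e.g. a '-' placeholder in the log)
    if str(ip) in ips:
        return str(ip)
    for net in networks:
        if ip in net:
            return str(net)
    return None


def scan_logs(lines: Iterable[str]) -> List[Hit]:
    """Match each parseable log line against domain and IP indicators."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped, not treated as hits
        hm = HOST_RE.match(m["url"])
        if hm:
            d = match_host(hm["host"], IOC_DOMAINS)
            if d:
                hits.append(Hit(n, m["client"], "domain", d))
        i = match_ip(m["dest"], IOC_IPS, IOC_NETWORKS)
        if i:
            hits.append(Hit(n, m["client"], "ip", i))
    return hits


def affected_clients(lines: Iterable[str]) -> Set[str]:
    """Internal hosts that talked to any listed indicator (candidates for triage)."""
    return {h.client for h in scan_logs(lines)}


# Constructed sample log lines for the example.
SAMPLE_LOGS = [
    "2019-02-01T10:00:01Z 10.0.0.5 GET https://www.example.org/index.html 93.184.216.34 200",
    "2019-02-01T10:00:02Z 10.0.0.5 POST https://INJECT-PANEL.example./gate.php 203.0.113.10 200",
    "2019-02-01T10:00:03Z 10.0.0.7 GET http://cdn.c2.example.net/inj.js 198.51.100.77 200",
    "this line is malformed and is ignored",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: client {hit.client} -> {hit.kind} indicator {hit.indicator}")
    print("clients to triage:", sorted(affected_clients(SAMPLE_LOGS)))
```

A hit on a domain or IP indicator marks the client for triage rather than proving compromise; the subdomain rule is deliberately broad, so a listed parent domain that also hosts legitimate content will need manual review of the matched lines.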
Many retailers don’t have access to the same level of cybersecurity resources and expertise as financial services firms. Cybercriminals focus on financial services firms because, as the bank robber Willie Sutton once infamously noted, that’s where the money is. But in the age of e-commerce, many retailers are now engaged in large business-to-business (B2B) transactions that also provide a tempting target for cybercriminals.
Unfortunately, despite increased awareness of potential threats, a report published last fall by SecurityScorecard found retailers were falling further behind last year than in previous years. According to the report, which was based on an analysis of 1,444 domains in the retail industry with digital footprints of 100 or more IP addresses, the retail sector scored second to last of all the vertical industries tracked. SecurityScorecard continuously tracks cybersecurity events impacting more than 200,000 businesses around the globe.
Despite the existence of the Payment Card Industry Data Security Standard (PCI DSS), it’s clear there’s much room for cybersecurity improvement in the retail sector. The only thing not yet apparent is the degree to which those cybersecurity shortcomings will impact revenues once customers start preferring to do business with retailers that have made a demonstrable effort to protect their data and credentials.