‘Tis the Season for Cybercriminals: Retail’s Top Cyber Threats

November 25, 2020 • Charity Wright

With the holiday shopping season in full swing, financially motivated cybercriminals are on the prowl, scouting and preparing their best tools to attack e-commerce sites and vulnerable systems. Experts predict that online sales will increase by up to 40% over last year at this time due to various factors such as COVID-19 lockdowns, quarantines, panic buying, and brick-and-mortar store closures.

The top threats to retail and e-commerce this holiday season include web application compromise, cloud storage compromise, compromised payment credentials, and other forms of retail fraud. Here’s what retail executives and security teams should be looking out for and what they can do to thwart these threats.

Web Application Compromise

Web application compromises involve a variety of exploits directed at web applications (for example, content management systems) and e-commerce platforms. Criminal hackers use techniques such as SQL injection, cross-site scripting, and account takeover attacks to gain access to payment data and other personal information submitted on payment sites. Because e-commerce platforms are notorious for being vulnerable gateways to a retail organization’s most valuable data, organizations should focus on protecting these assets from exploitation by criminals.

This year, we have observed an increase in account takeover attacks through a technique called credential stuffing. In a credential stuffing attack, the threat actor gathers login credentials from previous breaches and replays them against other web applications and accounts, relying on users who reuse the same password across services. In August 2020, the FBI released a Private Industry Notification (PIN) detailing the increase in credential stuffing attacks against the financial industry, including technologies used in the retail industry. Cybercriminals easily find these credentials for sale, or for free, on dark web markets and databases. Figure 1 below shows the process that criminals go through during these types of attacks.


Figure 1: Credential stuffing attack process (Source: NCIJTF)
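The attack process in Figure 1 has a detection side that the article does not show: credential stuffing stands out in login telemetry because one source tries many different usernames in a short time, whereas a legitimate user who mistypes a password retries the same account. The following is an added example (not code from the article or from Recorded Future) that runs that check over a constructed sample of login events; the log format, the thresholds, and the IP addresses are all assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-login events for this example (not real data).
# Each line: ISO timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2020-11-25T10:00:01 203.0.113.7 alice FAIL
2020-11-25T10:00:02 203.0.113.7 bob FAIL
2020-11-25T10:00:02 203.0.113.7 carol FAIL
2020-11-25T10:00:03 203.0.113.7 dave FAIL
2020-11-25T10:00:03 203.0.113.7 erin OK
2020-11-25T10:00:04 203.0.113.7 frank FAIL
2020-11-25T10:05:00 198.51.100.2 alice FAIL
2020-11-25T10:05:30 198.51.100.2 alice FAIL
2020-11-25T10:06:00 198.51.100.2 alice OK
"""


def parse_events(text):
    """Parse the sample format into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: usernames} for every source IP that attempted at least
    `min_accounts` distinct usernames inside any span of length `window`.
    Outcome is ignored on purpose: a stuffing run is mostly failures with a
    few successes, and the successes are exactly what we must not miss."""
    by_ip = defaultdict(list)
    for ts, ip, user, _outcome in sorted(events):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window's left edge forward until it spans <= `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {user for _, user in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                flagged.setdefault(ip, set()).update(users)
    return flagged


def accounts_to_reset(events, flagged):
    """Usernames that logged in successfully from a flagged source: these are the
    accounts whose reused passwords were valid and should be reset first."""
    return {user for _, ip, user, outcome in events
            if ip in flagged and outcome == "OK"}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    hits = find_stuffing_sources(evts)
    print("stuffing sources:", hits)
    print("reset these accounts:", accounts_to_reset(evts, hits))
```

The single-account retries from the second address are not flagged, so the check does not fire on ordinary forgotten passwords; in production the same logic would run over the web application's authentication log with thresholds tuned to the site's normal traffic.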

Protect Your Organization From Web Application Compromises

There are dozens of attack methods under the umbrella of web application compromise. OWASP has provided a comprehensive guide to defending against these common threats. We recommend starting with the defense implementations that protect against the most common web app attacks:

  1. Preventing injection attacks requires keeping data separate from commands and queries. Use prepared statements with parameterized queries, use stored procedures, whitelist input validation, and escape all user-supplied input.
  2. Migrate to modern frameworks to prevent cross-site scripting attacks. AngularJS, React JS, and Ruby on Rails are some good examples. These frameworks can automatically escape user input and help mitigate cross-site scripting attacks by design.
  3. Prevent account takeover attacks and credential stuffing by monitoring deep and dark web sources for leaked company and customer credentials. Your intelligence provider should alert you on leaked credentials from third party breaches, marketplaces, auctions, and forums, and offer to purchase those from the threat actors to prevent further misuse in credential stuffing attacks.
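Items 1 and 2 above describe the two defenses most teams get wrong: keeping data out of the command text, and escaping user-controlled text before it reaches the browser. The following is an added example (not code from the article or from Recorded Future) that puts a deliberately vulnerable lookup beside its parameterized equivalent on a constructed in-memory SQLite table, and shows the output-encoding step that the named frameworks perform for you by default. The table, the customer rows, and the function names are assumptions for the demonstration.

```python
import html
import sqlite3


def build_demo_db():
    """Constructed in-memory customer table for this example (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "1111")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Deliberately vulnerable: the user-supplied value is spliced into the SQL
    text, so a quote character in the input changes the query's structure."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened: the value is bound as a parameter, so the driver keeps data and
    command separate and the input can only ever be compared against email."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def render_greeting(display_name):
    """Output encoding for the cross-site-scripting point: escape user-controlled
    text before placing it in HTML, which is what the frameworks in item 2 do
    automatically for template variables."""
    return "<p>Welcome back, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = build_demo_db()
    probe = "nobody@example.com' OR '1'='1"   # classic structure-changing input
    print("vulnerable   :", lookup_vulnerable(db, probe))      # every row comes back
    print("parameterized:", lookup_parameterized(db, probe))   # []
    print(render_greeting("<b>Bob</b>"))
```

Escaping the input string (the last measure in item 1) is a fallback for places where a parameter cannot be used, such as a table name; wherever the value is data, binding it as a parameter is the defense to rely on.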

Cloud Storage Compromise

Cloud infrastructure misconfiguration represents the biggest threat to enterprise cloud security, but it is preventable. The configuration of cloud infrastructure is complex, and if done improperly, a threat actor will be able to compromise the infrastructure despite security tools set up to prevent such an attack. According to IBM, records exposed due to misconfigured servers accounted for 86% of the records compromised in 2019, and that number has increased dramatically in 2020. When outsourcing data to a third-party cloud service, it is imperative that the retailer itself take responsibility for securing that data.

Protect Your Organization From Cloud Storage Compromise

Under the Shared Responsibility Model, the cloud service provider is responsible for “security of the cloud”, which includes the hardware, software, networking, and facilities that run the cloud services. Customers are responsible for “security in the cloud”, which includes how they configure and use the resources provided by the cloud service provider. Because human error still accounts for the majority of cloud infrastructure misconfigurations, it is important to set up a system of accountability and inspections to ensure that your architects and developers understand how to secure the cloud from the moment they begin developing it.

Magecart and Payment Card Sniffers

“Magecart” is an umbrella term used to describe threat actor groups who harvest compromised payment credentials from websites with malicious JavaScript (JS) injection. In August 2020, Insikt Group reported on this technique being one of the most prolific threats to retail this year, and the Magecart victim list continues to grow. In September 2020, nearly 2,000 e-commerce sites and tens of thousands of customers were affected by a Magecart breach, which may have resulted from a zero-day exploit sold in August in an underground forum. Magecart attacks have steadily increased throughout the year, despite law enforcement efforts to stop these criminal actors and groups. Security teams will want to keep a close eye on this attack method through security intelligence, proactive defense of web applications, and brand monitoring in criminal underground sources.


Figure 2: Magecart attacks in H1 2020 (Source: Recorded Future)

Protect Your Organization From Magecart and Payment Card Sniffers

Magecart attacks are extremely difficult to detect because the skimming code runs in the customer’s browser, and neither it nor the exfiltrated data passes through your own network. Traditional security tools such as the web application firewall (WAF) are useless in detecting and defending against browser-based attacks like Magecart.

The best defense against web skimming attacks is a zero-trust approach. Prevent unauthorized JavaScript from accessing sensitive data by following these recommendations from Forrester:

  1. Regularly analyze your own website scripts throughout the development lifecycle.
  2. Implement client-side protections such as anti-skimming and malware protection.
  3. Deploy bot management solutions to detect and defend against botnets that result from browser-based attacks.

Retail Fraud

Retail fraud is one of the simplest forms of retail attack, is easily accessible to novice cybercriminals, and is one of the biggest nuisances to e-commerce and retail organizations. According to the National Retail Security Survey 2020, theft, fraud, and losses from other retail “shrink” totaled $61.7 billion in 2019, up from $50.6 billion the year before. Based on cyberattacks observed this year, those numbers are continually increasing and warrant a closer look at the most prevalent forms of cyber retail fraud.

Card-not-present (CNP) attacks top the list of retail fraud techniques going into the 2020 holiday shopping season. CNP fraud is the use of stolen gift card and credit card details to pay for merchandise in digital payment systems, where the physical card is never presented. This type of fraud robs the company twice. First, the merchandise is shipped to the criminal; second, the cardholder disputes the charge with the bank and the business has to refund the cost. This type of fraud is usually conducted by sophisticated, organized criminal groups that work to perfect their techniques, circumvent security defenses, and maximize their profits. To counter this type of activity, it is important to have access to intelligence about these criminal groups, what they are planning, and which organizations they plan to target.

Business email compromise (BEC) and account takeover are prominent cyberattack methods that are impacting the retail industry right now. According to a report by RH-ISAC, threat actors are staging very convincing spearphishing campaigns to trick retail and e-commerce employees into downloading malware, which then leads to account takeover and unauthorized access to sensitive databases of employee and customer information. BEC actors target employees in HR or bookkeeping to obtain personally identifiable information (PII) or tax statements of employees and executives. Threat actors then use that stolen information to take over accounts and conduct theft and fraud. Some of the most common phishing schemes observed this year include CEO impersonation, bogus billing invoices, and attorney impersonation.

Protect Your Organization Against Retail Fraud

Most fraud these days is staged in criminal underground forums, including on the dark web. Your intelligence vendor should have access to these forums and be proactively alerting on known fraud and threats targeting your organization. Recorded Future’s Insikt Group specializes in monitoring these sources for mentions of customers and assets and recommends the following actions to stop fraud before it starts:

  1. Proactively purchase PII and payment card data that is stolen and offered for sale on underground markets, forums, and auctions. By obtaining that data, you can reset the account or card and prevent further theft. The small price for these records can save your organization millions of dollars over the long run.
  2. Monitor open sources for mentions of your organization as it relates to gift cards, carding operations, and resale of company gift cards. Threat actors often chat in public spaces about their new tactics, techniques, and procedures. They post tutorial videos on YouTube and other video platforms where other fraudsters convene to find information on the newest methods.
  3. Utilize cybercrime intelligence to monitor known threat groups and actors around the world that conduct this type of activity. Some geographic regions like Southeast Asia and Latin America have less stringent guidelines on data compliance, and threat actors in those areas have sophisticated fraud operations that target retailers globally. Know their plans and implement defenses before the attack hits.

5 Security Actions to Defend Against Cyberattacks This Holiday Season and Beyond

Beyond the specific mitigations outlined in each section above, there are some general steps that all organizations can take to reduce risk this holiday season:

  1. Detect, monitor, and remediate stolen credit cards and credentials from the criminal underground (including the dark web). Proactively retrieve this data, determine which customer or employee it belongs to, and reset the accounts or cards before the criminals use them.
  2. Use vulnerability intelligence to prioritize patching vulnerable technologies in your tech stack. Knowing what technologies the criminals are targeting before they act will enable your security team to protect your web and mobile apps.
  3. Review your organization’s password policy to ensure that employees cannot reuse the same password across multiple accounts. Authorize the use of a trusted, secure password manager to safely generate and store complex passwords at work.
  4. Prevent any non-essential externally loaded scripts from loading on checkout pages.
  5. Evaluate what code, servers, and external communications third-party plugins use on your e-commerce website, and monitor for any changes in their code or behavior.
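Items 4 and 5 here, and Forrester's first recommendation in the Magecart section, come down to two browser mechanisms: a Content-Security-Policy that names which hosts may supply checkout scripts and where the page may send data, and Subresource Integrity hashes that make the browser refuse a third-party script whose bytes have changed. The following is an added example (not code from the article, from Recorded Future, or from Forrester) that builds such a header, computes an integrity value, and audits a constructed checkout-page fragment for scripts that fall outside the allowlist or lack an integrity attribute. The hostnames, the reporting endpoint, and the HTML are assumptions for the demonstration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this shop has decided may serve checkout scripts. Placeholder name.
ALLOWED_SCRIPT_HOSTS = {"js.example-psp.com"}

# Constructed checkout-page fragment for the audit (not from a real site).
SAMPLE_CHECKOUT_HTML = """
<script src="/static/checkout.js"></script>
<script src="https://js.example-psp.com/v3/pay.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://js.example-psp.com/v3/fraud.js"></script>
<script src="https://cdn.example-analytics.net/tag.js"></script>
"""


def sri_hash(script_body: bytes) -> str:
    """Value for the <script integrity=...> attribute. The browser refuses to run
    the file if its bytes no longer match, so a tampered copy on a CDN is blocked."""
    digest = hashlib.sha384(script_body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def build_checkout_csp(allowed_script_hosts):
    """Content-Security-Policy header value for checkout pages. Assumes the
    application can set response headers; /csp-report is a placeholder endpoint."""
    directives = [
        "default-src 'self'",
        "script-src 'self' " + " ".join(sorted(allowed_script_hosts)),
        "connect-src 'self'",     # a skimmer cannot fetch()/XHR card data elsewhere
        "img-src 'self'",         # nor smuggle it out in an image-beacon URL
        "form-action 'self'",     # nor redirect the form post to another origin
        "frame-ancestors 'none'",
        "report-uri /csp-report", # violations (i.e. blocked exfil attempts) get logged
    ]
    return "; ".join(directives)


class ScriptAudit(HTMLParser):
    """Collects external <script> tags that are off-allowlist or lack integrity."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = set(allowed_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return
        host = urlparse(src).netloc
        if not host:
            return  # same-origin script: covered by reviewing your own code (item 1)
        if host not in self.allowed_hosts:
            self.findings.append(("unexpected-host", src))
        elif not attrs.get("integrity"):
            self.findings.append(("missing-integrity", src))


def audit_checkout_page(html_text, allowed_hosts):
    parser = ScriptAudit(allowed_hosts)
    parser.feed(html_text)
    return parser.findings


if __name__ == "__main__":
    print(build_checkout_csp(ALLOWED_SCRIPT_HOSTS))
    print(sri_hash(b"console.log('checkout loaded');"))
    for finding in audit_checkout_page(SAMPLE_CHECKOUT_HTML, ALLOWED_SCRIPT_HOSTS):
        print(*finding)
```

Running the audit on every deploy, and alerting on CSP violation reports, gives you the "monitor for any changes" part of item 5: a payment-provider script that starts talking to a new host, or a plugin that injects a tag from an unexpected domain, shows up as a finding or a report rather than as a customer complaint weeks later.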
