The last 12 months have seen a boom in online shopping, as lockdowns across the United States forced people to forsake the mall and main street.
Unfortunately, the online shopping boom for retailers has also seen a corresponding rise in refund, carding, gift card fraud and other attack vectors conducted with a new level of professionalism and organizational skill. At the same time, retailers have been forced to extend their online services to a breaking point, while often involving third parties in their supply and logistics chains. To defend their ever-expanding security perimeters effectively, retailers must tighten up their frontline defenses against known incoming threats, while gathering threat intelligence on new varieties of incoming attacks.
Carding scams using stolen credit-card details are on the rise and retailers should ensure that purchasers are correctly identified through CVV, full address and other fields to weed out fraudsters, as genuine card details are widely available to criminals operating on dark web forums.
Skimming attacks are also used to steal payment card details from users on online retail websites. In September 2020, a massive Magecart payment-card skimming attack was exposed, hitting 2,800 online stores that used Magenta 1, which ceased being supported in June 2019. Security experts believe the attackers used a zero-day Magenta exploit that resulted in a remote code execution that had been purchased for $5,000 several weeks prior to the attack.
Companies should also discourage staff from using third-party platforms that have not been vetted by their own security teams. It was recently discovered that internal confidential information belonging to a leading retailer had been exposed after being uploaded to an employee’s GitHub repository. Highly sensitive information was unencrypted and available for download through a ZIP file that required no authentication. The package included files exposing lists of key employees of the organization and a database exposing storage procedure, enabling users to generate sales reports. Instruct staff, particularly those working from home, to avoid storing company information on platforms which have not been cleared for use internally.
Many threats are far from subtle. Automated attacks are increasingly used in brute force assaults designed to acquire the log-in details needed to access retailers’ customer and employee accounts. Make the first line of defense against automated attacks include constant monitoring to detect a large number of entry attempts coming from a single IP address. Retailers should constantly monitor their security perimeters for sudden and unanticipated spikes in activity.
Retailers must also be aware about a new generation of tools created to perform “low-and-slow” attacks designed to pass under the threshold of existing controls, disguising the number of sign-in attempts per IP address per minute. In a recent example, outdoor retail giant The North Face suffered a successful credential stuffing attack and had to reset the passwords for some of its customers.
While it’s important for retailers to guard against large-scale random attacks, it’s also vital that top staff who are active on social media or use personal email accounts are taught not to inadvertently release privileged information, such as the dates of an upcoming business trip. Bad actors can socially engineer this information to construct spear phishing attacks aimed at staff or whaling attacks designed to scam senior executives. Many retail staff members still frequently reveal personal or professional details on social media sites, such as Facebook or LinkedIn. Fraudsters are now becoming increasingly adept at harvesting the Facebook credentials of important staff.
Some retail staff also still use similar log-in details to access company details as those they have for their private social media accounts. This can cause major problems for retailers, particularly when social media sites gets breached, exposing personal data. This happened to LinkedIn in 2016. After such a breach, the harvested credentials often appear for sale on the dark web for months or even years afterwards.
At a time when many online retailers turn to third-party developers based in other geographies such as India or the Philippines for support, it’s also important that third parties working with the retailers are also made aware of “watering hole” attacks. In a watering hole attack, fraudsters gain access to a retailer’s finances or data by scamming someone working for a contractor or supplier that has been given access to sensitive information.
The past 12 months have seen the security perimeters of retailers expand well beyond the limits of their existing cyber defenses and highly-organized and increasingly professional networks have been swift to take advantage. Retailers must now become increasingly pro-active in identifying the rapidly evolving cyber scams now threatening their supply chains and distribution networks.
Yonatan Israel Garzon, threat intelligence team lead, Cyberint