Date post: 16-Mar-2020

www.intsights.com

Cyber(attack) Monday: Hackers Target the Retail Industry as E-Commerce Thrives

Introduction

The retail industry is experiencing more breaches than any other industry in 2019 as criminals consistently deploy new advanced hacking methods to target the vast assets and data retailers control.

E-commerce sales raked in $7.9 billion for retailers on Cyber Monday 2018, and this figure is likely to continue growing for years to come as consumers increasingly embrace the digital buying experience. As digital commerce becomes increasingly popular around the world, retailers spend millions on cutting-edge e-commerce platforms while neglecting to adequately invest in advanced security protocols. This trend makes retail one of the most vulnerable industries for cyberattacks.

This report addresses the top challenges and threats to the retail industry in 2019.

• Organized Retail Crime (ORC) tops our list of challenges this year. ORC includes fraud operations, card-not-present (CNP) transactions, and a growing “dark web” criminal underground where these organized crime operations are launched and maintained.

• The top network-based threats are addressed as they relate to point-of-sale (POS) malware, web application compromise, and ransomware.

• Inventory shrinkage and store-based theft continue to plague physical stores, and loss prevention employees strive to coordinate with cybersecurity teams to prevent theft, fraud, and physical attacks.

• The costs of compliance and the challenges retailers face when slapped with additional regulations and crippling fines continue to create significant problems.

Top Challenges and Threats

Organized Retail Crime

Organized Retail Crime (ORC) costs retailers approximately $30 billion each year as cybercrime groups work tirelessly to steal credit card data and other valuable assets. Using stolen data, cybercriminals can acquire large lists of leaked credit card numbers and personal information on a host of black markets across the clear and dark web. While not all cards are active, these credit card dumps are inexpensive to acquire, and many hackers have tools that can check cards to see if they work. Once they obtain the card information, cybercriminals carry out fraud campaigns and make hundreds of illegal purchases before the banks take action to intervene.

Carding

A survey of IntSights retail customers revealed that the biggest threat to their businesses this year is “carding” operations and “card-not-present” fraud. Carding is a form of credit card fraud in which a stolen credit card is used to charge prepaid cards. This represents the vast majority of the retail-related crime IntSights observes on the dark web. “Carders,” the criminals who monetize stolen credit cards, have automated the process of selling stolen goods. From the moment carders obtain a stolen card, they are able to upload it to a website, which then anonymously sells it to their customers. Bitify is one example of a website that offers gift cards for popular retailers at steep discounts (Figure 1). Prices are shown in both US dollars and Bitcoin. IntSights analysts have observed most major retailers’ gift cards offered for sale on these types of marketplaces.


Customers can search for credit cards and gift cards by brand, country, bank number, and name. Most of the gift cards are offered at a discounted rate, making them a tempting alternative to full-price gift cards being sold in stores. This type of threat is costing retailers millions of dollars in lost revenue from both gift cards and the products they purchase.

Card-Not-Present Fraud

According to a Trustwave report, 77 percent of the data targeted in attacks on retail was card-not-present (CNP) data. CNP is a type of credit card scam in which the customer does not physically present the card to the merchant during the transaction. This type of fraud typically happens in online purchases. The rise of e-commerce has made these types of crimes much easier for criminals. In an effort to combat this type of crime, many online retailers have started to require the CVV code from the credit card.

Unfortunately, though, many stolen cards sold on the dark web include the CVV code. The cards on the marketplace with CVVs are worth more because they can be used to circumvent the minimal security protocols put in place by those e-retailers. Criminals often sell full profiles (“fullz”) on victims in order to help their customers take advantage of credit card security. The more criminals know about their victims, the easier it is for them to use victims’ cards. For example, if a retailer requires a customer to enter the zip code, CVV, and a PIN, and the criminal has that information on hand, it will be relatively easy to utilize the card without problems.

Network-Based Criminal Threats

E-commerce has surged in popularity over the past decade, and online retailers are displacing traditional brick-and-mortar stores in the collective consumer consciousness. However, despite numerous technological advancements in e-commerce platforms and distribution networks, many retailers still lag behind in updating their legacy security systems. This leaves them and their customers vulnerable to attack. While banks and financial services organizations are frequently targeted by cybercriminals, hackers consider retailers to be easy targets for stealing credit card data due to the relative lack of security advancements in the industry. For an industry drowning in losses from fraud and crime, as well as compliance costs, network defense is just one more added cost. According to BDO’s 2019 Retail Rationalized Survey, only 53 percent of US retailers reported making significant investments in cybersecurity recently, and nearly 10 percent admitted to making no investment at all.

Figure 1: Screenshot of the carding store Bitify, which sells stolen gift cards to popular retailers


POS Malware

The number of point-of-sale (POS) system incidents has decreased over the past year but remains a top cyber threat to retail companies. Despite improvements in securing POS systems with EMV chip technology, hackers target POS systems with malware because many retailers do not use end-to-end encryption (P2PE). POS malware is a generic term for the many memory-scraper trojans that are designed to scan for, grab, and exfiltrate bank card data from the point-of-sale machines that process it. Advanced cybercrime groups, such as FIN6, FIN7/Carbanak Group, and FIN8, have made millions of dollars by attacking retailers with POS malware, but it doesn’t require an advanced criminal to conduct such an attack. POS malware kits are out-of-the-box crimeware sold on the dark web, which make it easy for any novice criminal to siphon card data from POS systems.

Web Application Vulnerabilities

Web applications deliver functionality using web protocols, such as HTTP and HTTPS. Web app compromises pose the greatest rising threat to retailer networks. Verizon’s 2019 Data Breach Investigations Report found that out of 92 security incidents related to retail web app compromise, 88 of them resulted in a breach. The same report revealed that web app compromise increased from 5 percent of all breaches in 2014 to a staggering 63 percent in 2018. Criminals are finding great success and wealth in web applications through Account Takeovers (ATO), digital skimming, and code injection that steals card data. It is clear that Application Security (AppSec) is a vital part of any retail cybersecurity strategy.

Inventory Shrinkage and Loss Prevention

In the retail world, shrinkage is the term used to describe a reduction in inventory. The four main causes of shrinkage are employee theft, shoplifting, paperwork errors, and supplier fraud (think third-party risk). According to a 2018 National Retail Federation (NRF) study, inventory shrinkage costs US retailers more than $46.8 billion per year. In addition to the financial damages companies incur from retail theft, shoppers and employees are also placed in considerable danger as a result – 26.3 percent of workplace homicide victims work in sales or retail.

To combat theft, inventory shrinkage, and violence impacting consumers and workers alike, most large retailers have invested substantially in loss prevention initiatives. New facial recognition technology has proven extremely useful in tracking repeat offender thieves, but it can be very expensive. Loss prevention employees often see repeat offenses and have valuable human intelligence to share. Loss prevention team members have valuable analytical insight into the crimes they investigate.

Figure 2: Screenshot of the homepage of a popular carding forum.

The NRF survey revealed that loss prevention employees believe they have something to contribute to cyber defense, and yet they feel as if they’re not as involved with their cyber teams as they should be. Organizations should train them in cybersecurity and partner them with the company’s information security team to help catch criminals.

The Cost of Compliance

As cyber threats to the retail industry increase, governments are cracking down through more stringent compliance requirements. Many governments around the world have created new data protection standards and are enforcing them with crippling fines. The Payment Card Industry Data Security Standard (PCI DSS) is one such example, with 12 requirements based on six “control objectives,” which are as follows:

1. Build and Maintain a Secure Network and Systems

2. Protect Cardholder Data

3. Maintain a Vulnerability Management Program

4. Implement Strong Access Control Measures

5. Regularly Monitor and Test Networks

6. Maintain an Information Security Policy

A more timely example is the General Data Protection Regulation (GDPR) implemented by the European Union last year. GDPR has raised the bar for security protocols for businesses operating in the European Union and imposes significant fines on those that fail to adequately protect their customers’ data. The most notable example of this was the British Airways data breach that occurred in 2018 and cost the company $230 million in fines related to GDPR violations. Today, 75 percent of US retailers believe a national data privacy regulation is coming soon. Smart retailers are preparing now for an inevitable GDPR equivalent in the US, but too many are standing still. More than 80 countries have enacted data privacy laws so far. Looking forward to 2020, several more national and US state governments are implementing GDPR-like compliance requirements that will affect the retail industry: the State of California, Brazil, Nigeria, Ecuador, Thailand, Pakistan, Kenya, and more. As the world grows increasingly digitized, governments are trying to catch up to criminals and implement basic security protocols. The retail industry has suffered from non-compliance penalties in the past and will need to prioritize these efforts in their respective countries to minimize financial damage.


Recommendations

Retailers face unique challenges today as their businesses become increasingly digital and their attack surfaces expand exponentially.

Here are the top solutions retailers can use to bolster their cybersecurity defenses:

1. Start by building a solid foundation. Migrate data to secure infrastructure. Encrypt point-of-sale and card systems and processors.

2. Monitor threats where the cybercriminals gather. External threat intelligence is a crucial component of an effective security strategy. There are countless forums, communities, and black markets across the clear, deep, and dark web where hackers gather to trade, communicate, and organize large-scale attacks against vulnerable organizations. The most effective way to mitigate a threat is to ensure it never develops into a full-blown attack. Automated external threat intelligence solutions give security teams the ability to identify and validate a threat targeting their organization and thwart it before it causes any damage.

3. Marry loss prevention with cybersecurity. Train your loss prevention employees and have them involved in feeding intelligence to the cyber protection teams. Don’t wait for the incident response phase of the intelligence cycle. Proactive defense and teamwork are critical in the retail industry.

4. The retail industry CANNOT afford to be non-compliant. Find out what compliance is required for your retail locations and ensure you have a team keeping up with this effort as laws change and digital threats evolve. Now is the time to launch this effort, not after a significant fine cripples your business.

About IntSights

IntSights is revolutionizing cybersecurity operations with the industry’s only all-in-one external threat protection platform designed to neutralize cyberattacks outside the wire. Our unique cyber reconnaissance capabilities enable continuous monitoring of an enterprise’s external digital profile across the clear, deep, and dark web to identify emerging threats and orchestrate proactive response. Tailored threat intelligence that seamlessly integrates with security infrastructure for dynamic defense has made IntSights one of the fastest-growing cybersecurity companies in the world. IntSights has offices in Amsterdam, Boston, Dallas, New York, Singapore, Tel Aviv, and Tokyo. To learn more, visit: intsights.com or connect with us on LinkedIn, Twitter, and Facebook.

To see the IntSights External Threat Protection Suite of solutions in action, schedule a demo today.
