Naughty or Nice: Cybercriminals’ Latest Targeting Strategies During the Holiday Season

(Please note: You should always proceed with caution before clicking on a link that you are not familiar with. We sometimes link to third-party sources as a point of reference – some of those links could contain malicious content.)

Economics of Christmas: The Joy of Shopping

Retailers solicit most fervently on a handful of days throughout the year. Valentine’s Day, Mother’s Day, Independence Day, Back-to-School and Halloween all bring in huge profits across the industry, yet nothing quite compares to the most wonderful time of the year. Naturally, Thanksgiving Day through Cyber Monday are the biggest shopping days; however, December is expected to outperform November by almost $7 billion (Source: NRF). Research from the National Retail Federation on revenue distributed across holiday periods highlights (on average from 2014 to 2017) a $470 billion increase in sales during the winter holidays.

2018 has certainly been no exception, with an average expenditure of $1,007.24 according to RetailMeNot, a 4.1% increase over 2017, and this number is still climbing (Source: NRF).

Three Levels of Targeting

With the holiday shopping season in full swing, retailers are in the throes of the most significant sales period of the year, but holiday cheer isn’t the only thing spreading far and wide: the holiday shopping season brings a range of cybersecurity risks to retailers, their supply chains and their customers.

Retailers

Retail is highly visible and heavily targeted, with over 100 of the Forbes top 2000 global organizations representing the industry (Source: Adobe Digital Insights). Retailers face a wide range of tactics, techniques and procedures (TTPs), including Card Not Present (CNP) fraud, gift card fraud, skimming, malware, account takeover and denial of service.

Supply Chain

In December 2013 and into 2014, we all watched the Target breach unfold before our eyes, and as the details of nearly 110 million customers proliferated across the clear and dark web, a conversation about third-party vendor security also surfaced. Third-party relationships are a challenge for every organization to manage, and security makes that dynamic even more complicated; retailers are no exception. At Target, the compromise began with stolen credentials belonging to the retailer’s heating and air conditioning contractor, but for most retailers, Point of Sale (PoS) software and devices will be the Achilles’ heel that constitutes third-party risk.

Consumers

The holidays are upon us and consumers are ready to shop. Confidence is near an all-time high, unemployment is the lowest we’ve seen in decades and take-home wages are up (Source: Deloitte). All of this is reflected in consumer buying statistics, but with increased spending the holiday season becomes highly lucrative for cybercriminals, and consumers have historically been the number one target.

Payment System Risks: Elves of Wall Street

Cybercriminals typically use one of two approaches to harvest payment card data from their victims: point of sale malware and physical skimming.

Point of Sale (POS) Malware

For cybercriminals looking to acquire payment card details, enhancing existing malware is a popular tactic for gaining access to retailers’ POS software. RawPOS and MajikPOS are two malware families that were active again in mid-2018; neither is new (RawPOS has been tracked since 2008 and MajikPOS was first reported in 2017). Their operators brute-force Remote Desktop Protocol credentials in order to locate and access target POS systems, most successfully in the United States and Canada.

Similarly, a modified Zeus trojan, seen in Russia and Kazakhstan for the first time in the summer of 2018, is executed remotely to search for payment card data (Track 1 and Track 2) and exfiltrate it to its command and control (C2) server (Source: Kaspersky Labs).
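What the scrapers above are actually hunting for is the magnetic-stripe track data that a POS process holds in memory for a moment during a swipe. The following Python is an added example for this article, not code from the malware families or vendors named above: it matches the ISO/IEC 7813 Track 1 and Track 2 layouts and confirms each candidate with a Luhn check so that random digit runs are discarded. Run by a defender over a memory dump, packet capture or outbound upload, the same matcher is a cheap way to spot card data leaving a host that should never hold it in the clear. The sample blob is constructed; 4111 1111 1111 1111 and 5500 0000 0000 0004 are standard test numbers, not real cards.

```python
import re

# ISO/IEC 7813 track layouts that POS memory scrapers search RAM for.
# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?]{0,40})\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; discards digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, so the detector never logs a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> list:
    """Scan a raw memory/packet blob and return masked, Luhn-valid track hits."""
    text = blob.decode("latin-1")           # 1:1 byte-to-char mapping, never raises
    hits = []
    for m in TRACK1_RE.finditer(text):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": mask_pan(pan), "name": m.group(2),
                         "expiry": m.group(3), "service_code": m.group(4)})
    for m in TRACK2_RE.finditer(text):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": mask_pan(pan),
                         "expiry": m.group(2), "service_code": m.group(3)})
    return hits


# Constructed sample: two valid track records and one decoy with a bad check
# digit, surrounded by the kind of noise found in a process memory dump.
SAMPLE_BLOB = (
    b"\x00\x00\x90\x90pos.exe\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    b"\xff\xfe\x00"
    b";5500000000000004=2512101000000000?"
    b"garbage;4111111111111112=2512101?\x00"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_BLOB):
        print(hit)
```

Matches are masked before they are returned so that the detector itself does not become one more place where card data accumulates; the decoy record with the wrong check digit is dropped, which keeps the false-positive rate manageable when the same regexes are run over gigabytes of memory.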

While many malware variants can be executed remotely, this type of operation usually requires a partnership between the remote cybercrime unit and a “Treasure Hunter” network on the ground, so that the stolen card data can be cashed out.

Physical Skimming

ATM skimmers come in all shapes and sizes, and most include several components, such as a tiny spy camera hidden in a brochure rack or a fraudulent PIN pad overlay. Although it is not a new approach to harvesting payment card details, skimming continues to be a popular tactic (Source: Juniper Research).

Media attention to ATM skimming may make consumers more likely to spot compromised cash machines, whose cleverly disguised theft devices sometimes appear off-colour or out of place. Yet many of today’s skimmers capture your card details and PIN while leaving no visible trace on the ATM itself, making them far harder to spot.

The spread of chip technology has led to new skimming techniques. It is now common practice to use overlays or custom devices mounted directly on existing card machines (8). Once a skimmer has been attached, a criminal who returns to collect it risks being caught; to avoid detection, skimmers are fitted with a GSM module that sends the captured data over the mobile network, or a Bluetooth module that lets the criminal download it from a short distance away, so payment card data can be retrieved without ever touching the device again. Data skimmed from the magnetic stripe of a chip card cannot be used to clone the chip, but it still works at terminals and ATMs that fall back to swipe, and for online purchases.

Fraudulent Transactions: Nutcrackers’ Appetite for Tokens

A card terminal or ATM is no longer the only point of vulnerability; other types of transactions are targets for these cybercriminals as well.

Card Not Present (CNP) Fraud

With more than one-third of Black Friday purchasing happening online, and a much larger share of holiday purchases as a whole happening over the web, CNP fraud is growing too. In 2017 the British Retail Consortium estimated that more than half (approx. 53 percent) of retail fraud is “cyber-enabled” and that losses totaled £100 million ($130 million) (Source: NRF). Some estimates put the loss to the global economy as high as $70 billion by 2021 (Source: NRF).

Cybercriminals have adapted in numerous ways to evade advances in anti-fraud and fraud detection capabilities. Known bad IP addresses and other malicious indicators such as hashes are a common way to identify potentially fraudulent transactions, so cybercriminals use free web tools such as fraud[.]cat (Source: IEEE) to assess the reputation of an IP address before proceeding. Other tools, such as AntiDetect, help criminals disguise their browser configuration and avoid device fingerprinting.

Gift Card Fraud

Gift cards are an attractive vehicle for fraud because they allow cybercriminals to buy goods or move funds without the trail that card payments leave. Buying gift cards with stolen payment card details, buying unwanted cards from clear or dark web sites, and token cracking are common ways to obtain them. Payment card details are widely available online; spending the stolen money without leaving a trace is the hard part (Source: Distil Networks).

Gift cards can be quickly resold at a discount, erasing the trail of the stolen money and rendering it “clean”, typically anonymous and untraceable (Source: Distil Networks). Several sites also offer to buy unwanted gift cards at a discount, or for a sum very near the card’s true value, allowing the launderer to clean the money through unwitting consumers.

Gift card fraud is an easy way to spend stolen funds without a trail, and automation removes the human element from the process. In token cracking, fraudsters use bots to walk a rolling list of potential card numbers and request the balance of each (Source: Javelin Strategy). If a balance comes back, the bot operator knows that the number exists and holds funds. Armed with that information, the card number can be used to purchase goods or sold on the dark web for a fee.
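The weak point that token cracking exploits is a balance endpoint that answers differently for “no such card” and “card exists”. The following Python is an added example written for this article (it is not any retailer’s code): a deliberately weak lookup beside a hardened one that requires the PIN, answers every failure identically, hashes even for unknown cards so timing does not leak existence, and throttles each client after a small number of attempts. The card numbers, PINs and balances are constructed, and the `BalanceService` class, its `limit` and `window_s` parameters and the `token_crack` helper are names chosen for this example.

```python
import hashlib
import hmac
import time
from collections import defaultdict

GENERIC = "balance unavailable: check the card number and PIN"


def hash_pin(card: str, pin: str) -> bytes:
    # PBKDF2 salted with the card number so identical PINs do not share a hash.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), card.encode(), 50_000)


# Constructed issuer database (hypothetical numbers): card -> (PIN hash, cents)
CARDS = {
    "6011000000000001": (hash_pin("6011000000000001", "4821"), 5_000),
    "6011000000000019": (hash_pin("6011000000000019", "9034"), 2_500),
}


def balance_vulnerable(card: str) -> str:
    """Balance lookup by card number alone, with distinct 'not found' and
    'found' answers. This is exactly the oracle a token-cracking bot needs."""
    if card not in CARDS:
        return "error: card not found"
    return f"balance: ${CARDS[card][1] / 100:.2f}"


class BalanceService:
    """Hardened lookup: PIN required, one generic failure message, and a
    per-client attempt budget so enumeration is throttled early."""

    def __init__(self, cards, limit=5, window_s=60, clock=time.monotonic):
        self.cards, self.limit, self.window_s, self.clock = cards, limit, window_s, clock
        self.attempts = defaultdict(list)   # client id -> recent attempt times

    def _throttled(self, client: str) -> bool:
        now = self.clock()
        recent = [t for t in self.attempts[client] if now - t < self.window_s]
        self.attempts[client] = recent
        if len(recent) >= self.limit:
            return True
        recent.append(now)
        return False

    def balance(self, client: str, card: str, pin: str) -> str:
        if self._throttled(client):
            return "too many requests"
        record = self.cards.get(card)
        # Hash even for unknown cards so response time does not reveal existence.
        expected = record[0] if record else hash_pin(card, "0000")
        if record is None or not hmac.compare_digest(expected, hash_pin(card, pin)):
            return GENERIC
        return f"balance: ${record[1] / 100:.2f}"


def token_crack(check, candidates):
    """What the bot does: keep every candidate whose answer differs from the
    'does not exist' response."""
    return [c for c in candidates if not check(c).startswith("error")]


# Rolling list of candidate numbers a bot might walk through (constructed).
CANDIDATES = ["6011000000000000", "6011000000000001", "6011000000000002",
              "6011000000000007", "6011000000000019", "6011000000000023",
              "6011000000000031", "6011000000000042"]

if __name__ == "__main__":
    print("weak endpoint leaks:", token_crack(balance_vulnerable, CANDIDATES))
    svc = BalanceService(CARDS)
    print("hardened endpoint:", [svc.balance("bot", c, "0000") for c in CANDIDATES])
    print("real customer:", svc.balance("customer", "6011000000000001", "4821"))
```

Against the weak endpoint the bot recovers both live cards from eight guesses; against the hardened one it sees five identical refusals and is then rate-limited, while a customer who knows the PIN still gets a balance. In production the client key would be a combination of source IP, session and device fingerprint rather than a bare IP, and the throttle would be backed by a CAPTCHA step rather than a hard refusal, but the two properties that matter are the ones shown: no existence oracle, and a bounded number of guesses per client.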

Account Takeover: The Grinch Stole Your Identity

Of course, some of the simplest and most common attacks revolve around taking someone else’s identity.

Phishing

Phishing emails lure customers into revealing their credentials for online retailers or payment portals, often directing recipients to spoofed domains hosting login forms. Valid HTTPS certificates for look-alike domains are cheap or free to obtain, so the padlock icon alone makes these spoof sites look legitimate; additionally, content sharing on criminal forums means staging a phishing site is a quick and inexpensive tactic (Source: Area1 / Gartner).
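Because the certificate no longer tells a user anything, defenders have to catch the spoofed domain itself. The following Python is an added example for this article, not code from any vendor cited here: it folds each label of a domain to what a human would read (Cyrillic and digit look-alikes, “rn” for “m”), then flags labels that contain a protected brand or sit one edit away from it, while letting the brand’s own domains through. The brand list, allow-list and test domains are constructed for the example.

```python
import unicodedata

# Hypothetical brand names and the domains legitimately allowed to carry them.
BRANDS = ["paypal", "amazon", "target"]
ALLOWED = {"paypal.com", "amazon.com", "target.com"}

# Characters attackers swap in because they render like Latin letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                  # Cyrillic с х у
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",              # digit look-alikes
}
# Multi-character substitutions that survive a quick glance.
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w", "cl": "d"}


def normalize(label: str) -> str:
    """Fold a domain label to the ASCII string a human would read it as."""
    label = "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    for pair, single in CONFUSABLE_PAIRS.items():
        label = label.replace(pair, single)
    return label


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, brands=BRANDS, allowed=ALLOWED):
    """Return (brand, reason) if the domain impersonates a brand, else None."""
    domain = domain.lower().rstrip(".")
    if domain in allowed or any(domain.endswith("." + a) for a in allowed):
        return None
    for label in domain.split("."):
        folded = normalize(label)
        for brand in brands:
            if brand in folded:
                return brand, "contains brand"
            # Short labels produce too many one-edit coincidences; skip them.
            if len(folded) >= 5 and edit_distance(folded, brand) == 1:
                return brand, "one edit from brand"
    return None


if __name__ == "__main__":
    for d in ["paypa1-secure.com", "p\u0430ypal.com", "paypal.com.secure-login.xyz",
              "targct.com", "www.paypal.com", "google.com"]:
        print(d, "->", lookalike(d))
```

Feeding newly registered domains or certificate-transparency log entries through `lookalike` gives an early warning before the phishing mail is sent; the third sample shows why every label is checked, since a brand name in a subdomain of an unrelated registered domain is a favourite lure.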

Credential Stuffing

Cybercriminals automatically inject compromised username and password pairs into login portals to fraudulently gain access to user accounts, a technique known as credential stuffing (Source: Cyberint). Unlike a classic brute-force attack it does not guess passwords: it replays large data sets of real username and password pairs from earlier breaches against other sites’ login portals, relying on people reusing passwords, and when a pair matches, the account can be exploited. SentryMBA, Vertex and Account Hitman are three of the most popular toolsets freely shared online (with more than 25 configuration options), although a wide range of tools exist (Source: Shape Security/Gartner).
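The distinguishing signature of credential stuffing in an authentication log is many different usernames from one source, each tried about once, with a low but non-zero success rate; brute force looks the opposite, with many attempts against one or two accounts. The following Python is an added example for this article, not code from any tool or vendor named above: it parses a simple constructed log format (timestamp, source IP, username, result), finds each source’s busiest five-minute burst, and classifies it. The log lines, thresholds and field names are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = (
    # 203.0.113.10 tries 12 different leaked username/password pairs in one
    # minute and lands one valid account: the credential-stuffing signature.
    [f"2018-11-23T10:00:{i:02d}Z ip=203.0.113.10 user=user{i:02d} "
     f"result={'ok' if i == 7 else 'fail'}" for i in range(12)]
    # 198.51.100.7 hammers a single account: classic brute force.
    + [f"2018-11-23T10:01:{i:02d}Z ip=198.51.100.7 user=bob result=fail"
       for i in range(12)]
    # 192.0.2.5 is a real user who mistypes once.
    + ["2018-11-23T10:02:00Z ip=192.0.2.5 user=alice result=fail",
       "2018-11-23T10:02:09Z ip=192.0.2.5 user=alice result=ok"]
)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse_events(lines):
    """Yield parsed events; lines in other formats are skipped, not fatal."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def analyze(lines, window=timedelta(minutes=5), min_attempts=10, stuffing_ratio=0.8):
    """Per source IP: size of the busiest burst, distinct users, successful
    logins inside that burst, and a verdict."""
    by_ip = defaultdict(list)
    for ev in parse_events(lines):
        by_ip[ev["ip"]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: keep the densest `window`-long run so that a slow,
        # spread-out legitimate pattern is not mistaken for an attack.
        best, j = [], 0
        for i in range(len(evs)):
            while evs[i]["ts"] - evs[j]["ts"] > window:
                j += 1
            if i - j + 1 > len(best):
                best = evs[j:i + 1]
        attempts = len(best)
        users = {e["user"] for e in best}
        hits = sorted({e["user"] for e in best if e["result"] == "ok"})
        if attempts >= min_attempts and len(users) / attempts >= stuffing_ratio:
            verdict = "credential_stuffing"      # one try per account, many accounts
        elif attempts >= min_attempts and len(users) <= 2:
            verdict = "brute_force"              # many tries, one or two accounts
        else:
            verdict = "normal"
        report[ip] = {"attempts": attempts, "distinct_users": len(users),
                      "hits": hits, "verdict": verdict}
    return report


if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

The `hits` list is the operationally important output: for a source classified as credential stuffing, every account in it has just been taken over with a valid password and needs a forced reset, not merely a blocked IP. Note that a real campaign is spread across a proxy or botnet pool, so the same aggregation should also be run per target username across all sources and per client fingerprint, not only per IP.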

Loss of Service in Retail: 600 Billion Dollar Day

One of the most popular means of extortion is the DDoS attack. A distributed denial-of-service (DDoS) attack occurs when a targeted system is flooded with traffic, often from multiple compromised systems (for example, a botnet), until it is brought offline or can no longer serve legitimate users.

The accessibility of off-the-shelf tools has lowered barriers to entry, and actors have been encouraged by increased media coverage. When executing a DDoS attack, threat actors set their sights on any organization that relies heavily on its website to generate revenue (Source: SquareSpace). This makes retailers ideal targets. Carefully orchestrated campaigns, such as the targeting of online florists around Valentine’s Day or of online retailers around Black Friday and Cyber Monday, point to a more considered approach.

On October 4th 2016, an actor by the name ‘vimproduct’ launched a DDoS attack against Squarespace, a company that hosts e-commerce sites globally, for an estimated $2,000,000 in Bitcoin (Source: SquareSpace).

Remediation

Cyberattacks are increasing in sophistication and magnitude of impact across all industries globally. While all organizations are potential targets, the industries that hold the most valuable data are the biggest targets, and retail is at the top of that list. There are numerous ways that retailers and consumers alike can disrupt and/or mitigate the activities of cybercriminals (Source: Europol). Online spending is only going to continue to increase, so criminals will keep innovating to generate their own revenue, but following these simple steps can protect the retailer, their supply chain and their customers from falling victim to cybercrime.