Naughty or Nice: Cybercriminals’ Latest Targeting Strategies During the Holiday Season

Economics of Christmas: The Joy of Shopping

Retailers solicit most fervently on a handful of days throughout the year. Valentine’s Day, Mother’s Day, Independence Day, Back-to-School, and Halloween all bring in huge profits across the industry, yet nothing quite compares to the most wonderful time of the year. Naturally, Thanksgiving Day through Cyber Monday are the biggest shopping days. However, December is expected to outperform November by almost $7 billion (Source: NRF). Research from the National Retail Federation on revenue distributed across holiday periods highlights (on average from 2014 to 2017) a $470 billion increase in sales during the winter holidays.

2018 has certainly been no exception, with an average expenditure of $1007.24 according to RetailMeNot, a 4.1% increase over 2017, and this number is still climbing (Source: NRF).

Three Levels of Targeting

With the holiday shopping season in full swing, retailers are in the throes of the most significant sales period of the year, but holiday cheer isn’t the only thing spreading far and wide; the holiday shopping season represents a range of cybersecurity risks to retailers, their supply chains, and their customers.

Retail is highly visible and heavily targeted, with over 100 of the Forbes top 2000 global organizations representing the industry (Source: Adobe Digital Insights). Retailers are often targeted by a wide range of tactics, techniques, and procedures (TTPs) including Card Not Present (CNP), gift card fraud, skimming, malware, account takeovers, and denial of service.

Supply Chain
In 2014, we all watched the Target breach unfold before our eyes, and as the details of nearly 110 million customers spread across the clear and dark web, a conversation about third-party vendor security also surfaced. Third-party relationships are a challenge to manage for all organizations, security adds an even more complicated dynamic, and retailers are no exception. For Target, the compromise happened via stolen vendor credentials belonging to Target’s heating and air conditioning contractor, but, for most retailers, their Point of Sale (PoS) software and devices will be the Achilles’ heel that constitutes a third-party risk.

The holidays are upon us and consumers are ready to shop. Confidence is near an all-time high, unemployment is the lowest we’ve seen in decades, and take-home wages are up (Source: Deloitte). All of this is reflected in consumer buying statistics, but with increased spending, the holiday season becomes highly lucrative for cybercriminals, as consumers have historically been the number one target.

Payment System Risks: Elves of Wall Street

Cybercriminals typically use one of two approaches for targeting their victims: point of sale malware and physical skimming of sensitive information.

Point of Sale (POS) Malware
For cybercriminals looking to acquire payment card details, enhancing existing malware is a popular tactic for gaining an access point into retailers’ POS software. RawPOS and MajikPOS are two malware variants that emerged in mid-2018. These variants attempt to brute-force Remote Desktop Protocol credentials in an effort to identify target POS systems, with the most success in the United States and Canada.

Similarly, a Zeus trojan modification found across Russia and Kazakhstan for the first time in the summer of 2018 is remotely executable and is used to search for and exfiltrate payment card data (Track 1 and Track 2) to its command and control (C2) server (Source: Kaspersky Labs).

While many malware variants are remotely executable, this type of operation often requires a partnership between remote cybercrime units and a Treasure Hunter network so that cashing out is possible.

Physical Skimming
ATM skimmers come in all shapes and sizes, and most include several components — such as a tiny spy cam hidden in a brochure rack, or a fraudulent PIN pad overlay. Although it’s not a new approach to harvesting payment card details, skimming continues to be a popular tactic (Source: Juniper Research).

Media attention to crimes involving ATM skimmers may make consumers more likely to identify compromised cash machines, where the cleverly disguised theft devices sometimes appear off-color or out of place. Yet many of today’s skimmer scams can swipe your card details and personal identification number while leaving the ATM itself completely untouched, making them far more difficult to spot.

The emergence of chip technology has led to the development of new skimming techniques. It is now common practice to use overlays or custom devices that are mounted directly on existing card machines (8). Once a skimmer has been attached to a device, criminals who return to the scene risk being caught; to avoid detection, GSM receivers transmit the personal information via Bluetooth, allowing the payment card information to be collected from a distance.

Fraudulent Transactions: Nutcrackers’ Appetite for Tokens

A card terminal or ATM is no longer the only point of vulnerability. Other types of transactions are also targets for these cybercriminals.

Card Not Present (CNP) Fraud
With more than one-third of Black Friday purchasing happening online, and a much larger percentage of holiday purchases as a whole happening over the web, CNP fraud is also growing. In 2017 the British Retail Consortium estimated that more than half (approx. 53 percent) of retail fraud is “cyber-enabled” and that losses totaled £100 million ($130 million) (Source: NRF). Some estimates reach as high as $70 billion lost from the global economy by 2021 (Source: NRF).

Cybercriminals have adapted in numerous ways to avoid advances in anti-fraud and fraud detection capabilities. Known bad IP addresses and other malicious characteristics, such as hashes, are a common way to identify potentially fraudulent transactions, so cybercriminals use free web tools such as fraud[.]cat (Source: IEEE) to assess the reputation of an IP address before proceeding. Other tools, such as AntiDetect, help criminals maintain ambiguity and avoid fingerprinting.

Gift Card Fraud
Gift cards are an attractive vehicle for fraud because they facilitate the purchase of goods or the movement of funds without the trail of card payments. Purchasing gift cards with stolen payment card details, buying unwanted cards off clear or dark web sites, or token cracking are common means of obtaining gift cards. Payment card details are widely available online; however, spending the stolen money without leaving a trace can prove difficult (Source: Distil Networks).

Gift cards can be quickly resold at a reduced price, erasing the trail of stolen money and rendering it “clean”: gift cards are typically anonymous and untraceable once stolen (Source: Distil Networks). Several sites also offer the opportunity to buy unwanted gift cards for a discounted price, or for a sum very near the true value of the card, allowing the launderer to clean their money via unwitting consumers.

Gift card fraud is an easy way to spend stolen funds without a trail, and automation removes the human element from the process. With token cracking, fraudsters use automation to test a rolling list of potential account numbers and request the balance of each (Source: Javelin Strategy). If a balance is returned, the bot operator knows that the account number exists and contains funds. Armed with that information, the account number can be used to purchase goods or sold on the dark web for a fee.

Account Takeover: The Grinch Stole Your Identity

Of course, some of the simplest and most common attacks revolve around taking someone else’s identity.

Phishing emails look to lure customers into revealing their credentials for online retailers or online payment portals, often directing recipients to spoofed domains containing login forms. Fake HTTPS certificates are also widely available online and can make some of these spoofed sites look legitimate. Additionally, content sharing on criminal forums means staging a phishing site is a quick and inexpensive tactic (Source: Area1 / Gartner).

Credential Stuffing
Cybercriminals can automatically inject compromised username and password pairs into login portals to fraudulently gain access to user accounts; this technique is known as credential stuffing (Source: Cyberint). This brute force attack takes large data sets of usernames and passwords and automatically submits them to login portals; when a match is found, the account can be exploited. SentryMBA, Vertex and Account Hitman are three of the most popular toolsets freely shared online (with more than 25 configuration options), although a wide range of tools exists (Source: Shape Security/Gartner).
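Both token cracking (the gift card balance enumeration described above) and credential stuffing leave the same footprint in portal logs: one source trying many distinct identifiers, mostly unsuccessfully, in a short window. The detector below is an added example, not code from the post or from CRITICALSTART; the log format, the endpoint names and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample portal log (not from the page): timestamp, source IP,
# endpoint, identifier tried (account or gift card number), outcome.
SAMPLE_LOG = """\
2018-12-18T10:00:01 203.0.113.7 /login alice@example.com FAIL
2018-12-18T10:00:02 203.0.113.7 /login bob@example.com FAIL
2018-12-18T10:00:02 203.0.113.7 /login carol@example.com FAIL
2018-12-18T10:00:03 203.0.113.7 /login dave@example.com OK
2018-12-18T10:00:04 203.0.113.7 /login erin@example.com FAIL
2018-12-18T10:01:10 198.51.100.4 /giftcard/balance 6006491000000001 NOTFOUND
2018-12-18T10:01:10 198.51.100.4 /giftcard/balance 6006491000000002 NOTFOUND
2018-12-18T10:01:11 198.51.100.4 /giftcard/balance 6006491000000003 OK
2018-12-18T10:01:12 198.51.100.4 /giftcard/balance 6006491000000004 NOTFOUND
2018-12-18T10:02:00 192.0.2.10 /login alice@example.com FAIL
2018-12-18T10:02:30 192.0.2.10 /login alice@example.com OK
"""

def parse_line(line):
    ts, ip, endpoint, ident, outcome = line.split()
    return datetime.fromisoformat(ts), ip, endpoint, ident, outcome

def detect_enumeration(log, window=timedelta(minutes=5), min_ids=4, min_fail_ratio=0.75):
    """Flag (ip, endpoint) pairs that try at least min_ids distinct identifiers
    inside one window with a failure ratio >= min_fail_ratio. A legitimate user
    retrying their own password touches one identifier and is not flagged."""
    groups = defaultdict(lambda: {"ids": set(), "attempts": 0, "fails": 0, "times": []})
    for raw in log.strip().splitlines():
        ts, ip, endpoint, ident, outcome = parse_line(raw)
        g = groups[(ip, endpoint)]
        g["ids"].add(ident)
        g["attempts"] += 1
        g["times"].append(ts)
        if outcome != "OK":          # FAIL on /login, NOTFOUND on balance checks
            g["fails"] += 1
    flagged = {}
    for key, g in groups.items():
        ratio = g["fails"] / g["attempts"]
        span = max(g["times"]) - min(g["times"])
        if len(g["ids"]) >= min_ids and ratio >= min_fail_ratio and span <= window:
            flagged[key] = {"distinct_ids": len(g["ids"]),
                            "attempts": g["attempts"], "fail_ratio": round(ratio, 2)}
    return flagged

if __name__ == "__main__":
    for (ip, endpoint), stats in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip} enumerating {endpoint}: {stats}")
```

The two automated sources are flagged and the single retrying user is not; in production the same grouping would run over a sliding window and feed a rate limit or step-up challenge on the affected endpoint.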

Loss of Service in Retail: 600 Billion Dollar Day

One of the most popular means of facilitating extortion is the DDoS attack. A distributed denial-of-service (DDoS) attack occurs when a system is targeted and brought offline, often as the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic.

The accessibility of off-the-shelf tools has lowered barriers to entry, and actors have been encouraged by the increased media coverage. When executing a DDoS attack, threat actors set their sights on any organization that relies heavily on its website to generate revenue (Source: SquareSpace). This makes retailers ideal targets. Carefully orchestrated campaigns, such as the targeting of online florists around Valentine’s Day, or of online retailers around Black Friday and Cyber Monday, point to a more considered approach.

On October 4th, 2016, an actor by the name ‘vimproduct’ launched a DDoS attack against Squarespace, a company that hosts payment software for e-commerce sites globally, demanding an estimated $2,000,000 in cryptocurrency (Bitcoin) (Source: SquareSpace).


Cyberattacks are increasing in sophistication and magnitude of impact across all industries globally. While all organizations are potential targets of cyberattacks, the industries that possess the most valuable data are the biggest targets, and retail is at the top of that list. There are numerous ways that retailers and consumers alike can disrupt and/or mitigate the activities of cybercriminals (Source: Europol). Online spending is only going to continue to increase; thus, criminals will continue to innovate in order to generate their own revenue, but following these simple steps can protect the retailer, their supply chain, and their customers from falling victim to cybercrime.

by Callie Guenther | CyberSOC Data Scientist, CRITICALSTART
December 18, 2018
