
Cyber(attack) Monday: Hackers Target the Retail Industry as E-Commerce Thrives

www.intsights.com
Cyber(attack) Monday: Hackers Target the Retail Industry as E-Commerce Thrives

Introduction
The retail industry is experiencing more breaches than any other industry in 2019 as criminals consistently deploy new
advanced hacking methods to target the vast assets and data retailers control.

E-commerce sales raked in $7.9 billion for retailers on Cyber Monday 2018, and this figure is likely to continue
growing for years to come as consumers increasingly embrace the digital buying experience. As digital commerce
becomes increasingly popular around the world, retailers spend millions on cutting-edge e-commerce platforms while
neglecting to adequately invest in advanced security protocols. This trend makes retail one of the most vulnerable
industries for cyberattacks.

This report addresses the top challenges and threats to the retail industry in 2019.

• Organized Retail Crime (ORC) tops our list of challenges this year. ORC includes
fraud operations, card-not-present (CNP) transactions, and a growing “dark web”
criminal underground where these organized crime operations are launched and
maintained.
• The top network-based threats are addressed as they relate to point-of-sale
(POS) malware, web application compromise, and ransomware.
• Inventory shrinkage and store-based theft continue to plague physical stores,
and loss prevention employees strive to coordinate with cybersecurity teams to
prevent theft, fraud, and physical attacks.
• The costs of compliance and the challenges retailers face when slapped with
additional regulations and crippling fines continue to create significant problems.

Top Challenges and Threats

Organized Retail Crime


Organized Retail Crime (ORC) costs retailers approximately $30 billion each year as cybercrime groups work tirelessly
to steal credit card data and other valuable assets. Using stolen data, cybercriminals can acquire large lists of leaked
credit card numbers and personal information on a host of black markets across the clear and dark web. While not
all cards are active, these credit card dumps are inexpensive to acquire, and many hackers have tools that can check
cards to see if they work. Once they obtain the card information, cybercriminals carry out fraud campaigns and make
hundreds of illegal purchases before the banks take action to intervene.

Carding
A survey of IntSights retail customers revealed that the biggest threat to their businesses this year is “carding”
operations and “card-not-present” fraud. Carding is a form of credit card fraud in which a stolen credit card is used to
charge prepaid cards. This represents the vast majority of the retail-related crime IntSights observes on the dark web.
“Carders,” the criminals who monetize stolen credit cards, have automated the process of selling stolen goods. From
the moment carders obtain a stolen card, they are able to upload it to a website, which then anonymously sells it to
their customers. Bitify is one example of a website that offers gift cards for popular retailers at steep discounts (Figure
1). Prices are shown in both US dollars and Bitcoin. IntSights analysts have observed most major retailers’ gift cards
offered for sale on these types of marketplaces.


Figure 1: Screenshot of the carding store Bitify, which sells stolen gift cards to
popular retailers

Customers can search for credit cards and gift cards by brand, country, bank number, and name. Most of the gift
cards are offered at a discounted rate, making them a tempting alternative to full-price gift cards being sold in stores.
This type of threat is costing retailers millions of dollars in lost revenue from both gift cards and the products they
purchase.

Card-Not-Present Fraud
According to a Trustwave report, 77 percent of the data targeted in attacks on retail was card-not-present (CNP) data.
CNP is a type of credit card scam in which the customer does not physically present the card to the merchant during
the transaction. This type of fraud typically happens in online purchases. The rise of e-commerce has made these
types of crimes much easier for criminals. In an effort to combat this type of crime, many online retailers have started
to require the CVV code from the credit card.

Unfortunately, though, many stolen cards sold on the dark web include the CVV code. The cards on the marketplace
with CVVs are worth more because they can be used to circumvent the minimal security protocols put in place by those
e-retailers. Criminals often sell full profiles (“fullz”) on victims in order to help their customers defeat credit card
security checks. The more criminals know about their victims, the easier it is for them to use victims’ cards. For example,
if a retailer requires a customer to enter the zip code, CVV, and a PIN, and the criminal has that information on hand, it
will be relatively easy to utilize the card without problems.

Network-Based Criminal Threats


E-commerce has surged in popularity over the past decade, and online retailers are displacing traditional brick-and-
mortar stores in the collective consumer consciousness. However, despite numerous technological advancements
in e-commerce platforms and distribution networks, many retailers still lag behind in updating their legacy security
systems. This leaves them and their customers vulnerable to attack. While banks and financial services organizations
are frequently targeted by cybercriminals, hackers consider retailers to be easy targets for stealing credit card data
due to the relative lack of security advancements in the industry. For an industry drowning in losses from fraud and
crime, as well as compliance costs, network defense is just one more added cost. According to BDO’s 2019 Retail
Rationalized Survey, only 53 percent of US retailers reported making significant investments in cybersecurity recently,
and nearly 10 percent admitted to making no investment at all.


Figure 2: Screenshot of the homepage of a popular carding forum.

POS Malware
The number of point-of-sale (POS) system incidents has decreased over the past year but
remains a top cyber threat to retail companies. Despite improvements in securing POS
systems with EMV chip technology, hackers target POS systems with malware because
many retailers do not use point-to-point encryption (P2PE). POS malware is a generic term for
the many memory-scraper trojans that are designed to scan for, grab, and exfiltrate bank
card data from the point-of-sale machines that process it. Advanced cybercrime groups, such
as FIN6, FIN7/Carbanak Group, and FIN8, have made millions of dollars by attacking retailers
with POS malware, but it doesn’t require an advanced criminal to conduct such an attack.
POS malware kits are out-of-the-box crimeware sold on the dark web, which makes it easy for
any novice criminal to siphon card data from POS systems.

Web Application Vulnerabilities


Web applications deliver functionality using web protocols, such as HTTP and HTTPS.
Web app compromises pose the greatest rising threat to retailer networks. Verizon’s
2019 Data Breach Investigations Report found that out of 92 security incidents related
to retail web app compromise, 88 of them resulted in a breach. The same report
revealed that web app compromise increased from 5 percent of all breaches in 2014 to
a staggering 63 percent in 2018. Criminals are finding great success and wealth in web
applications through Account Takeovers (ATO), digital skimming, and code injection that
steals card data. It is clear that Application Security (AppSec) is a vital part of any retail
cybersecurity strategy.

Inventory Shrinkage and Loss Prevention


In the retail world, shrinkage is the term used to describe a reduction in inventory. The four main causes of shrinkage
are employee theft, shoplifting, paperwork errors, and supplier fraud (think third-party risk). According to a 2018
National Retail Federation (NRF) study, inventory shrinkage costs US retailers more than $46.8 billion per year. In
addition to the financial damages companies incur from retail theft, shoppers and employees are also placed in
considerable danger as a result – 26.3 percent of workplace homicide victims work in sales or retail.

To combat theft, inventory shrinkage, and violence impacting consumers and workers alike, most large retailers have
invested substantially in loss prevention initiatives. New facial recognition technology has proven extremely useful in
tracking repeat offender thieves, but it can be very expensive. Loss prevention employees often see repeat offenses
and have valuable human intelligence to share. Loss prevention team members have valuable analytical insight into
the crimes they investigate.

The NRF survey revealed that loss prevention employees believe they have something to contribute to cyber defense,
and yet they feel as if they’re not as involved with their cyber teams as they should be. Organizations should train
them in cybersecurity and partner them with the company’s information security team to help catch criminals.

The Cost of Compliance


As cyber threats to the retail industry increase, governments are cracking down through more stringent compliance
requirements. Many governments around the world have created new data protection standards and are enforcing
them with crippling fines. The Payment Card Industry Data Security Standard (PCI DSS) is one such example, with 12
requirements based on six “control objectives,” which are as follows:

1. Build and Maintain a Secure Network and Systems
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy

A more timely example is the General Data Protection Regulation (GDPR) implemented by the European Union last
year. GDPR has raised the bar for security protocols for businesses operating in the European Union and imposes
significant fines on those that fail to adequately protect their customers’ data. The most notable example of this was
the British Airways data breach that occurred in 2018 and cost the company $230 million in fines related to GDPR
violations. Today, 75 percent of US retailers believe a national data privacy regulation is coming soon. Smart retailers
are preparing now for an inevitable GDPR equivalent in the US, but too many are standing still. More than 80 countries
have enacted data privacy laws so far. Looking forward to 2020, several more national and US state governments are
implementing GDPR-like compliance requirements that will affect the retail industry: the State of California, Brazil,
Nigeria, Ecuador, Thailand, Pakistan, Kenya, and more. As the world grows increasingly digitized, governments are
trying to catch up to criminals and implement basic security protocols. The retail industry has suffered from non-
compliance penalties in the past and will need to prioritize these efforts in their respective countries to minimize
financial damage.


Recommendations

Retailers face unique challenges today as their businesses become increasingly digital and their attack surfaces expand
exponentially.

Here are the top solutions retailers can use to bolster their cybersecurity defenses:

1. Start by building a solid foundation. Migrate data to secure infrastructure. Encrypt point-
of-sale and card systems and processors.
2. Monitor threats where the cybercriminals gather. External threat intelligence is a crucial
component of an effective security strategy. There are countless forums, communities,
and black markets across the clear, deep, and dark web where hackers gather to trade,
communicate, and organize large-scale attacks against vulnerable organizations. The
most effective way to mitigate a threat is to ensure it never develops into a full-blown
attack. Automated external threat intelligence solutions give security teams the ability to
identify and validate a threat targeting their organization and thwart it before it causes
any damage.
3. Marry loss prevention with cybersecurity. Train your loss prevention employees and
have them involved in feeding intelligence to the cyber protection teams. Don’t wait for
the incident response phase of the intelligence cycle. Proactive defense and teamwork are
critical in the retail industry.
4. The retail industry CANNOT afford to be non-compliant. Find out what compliance is
required for your retail locations and ensure you have a team keeping up with this effort
as laws change and digital threats evolve. Now is the time to launch this effort, not after a
significant fine cripples your business.

About IntSights
IntSights is revolutionizing cybersecurity operations with the industry’s only all-in-one external threat protection
platform designed to neutralize cyberattacks outside the wire. Our unique cyber reconnaissance capabilities enable
continuous monitoring of an enterprise’s external digital profile across the clear, deep, and dark web to identify
emerging threats and orchestrate proactive response. Tailored threat intelligence that seamlessly integrates with
security infrastructure for dynamic defense has made IntSights one of the fastest-growing cybersecurity companies in
the world. IntSights has offices in Amsterdam, Boston, Dallas, New York, Singapore, Tel Aviv, and Tokyo. To learn more,
visit: intsights.com or connect with us on LinkedIn, Twitter, and Facebook.

To see the IntSights External Threat Protection Suite of solutions in action, schedule a demo today.
