www.intsights.com
Cyber(attack) Monday: Hackers Target the Retail Industry as E-Commerce Thrives
Introduction
The retail industry is experiencing more breaches than any other industry in 2019 as criminals consistently deploy new
advanced hacking methods to target the vast assets and data retailers control.
E-commerce sales raked in $7.9 billion for retailers on Cyber Monday 2018, and this figure is likely to continue
growing for years to come as consumers increasingly embrace the digital buying experience. As digital commerce
becomes increasingly popular around the world, retailers spend millions on cutting-edge e-commerce platforms while
neglecting to adequately invest in advanced security protocols. This trend makes retail one of the most vulnerable
industries for cyberattacks.
This report addresses the top challenges and threats to the retail industry in 2019.
• Organized Retail Crime (ORC) tops our list of challenges this year. ORC includes
fraud operations, card-not-present (CNP) transactions, and a growing “dark web”
criminal underground where these organized crime operations are launched and
maintained.
• The top network-based threats are addressed as they relate to point-of-sale
(POS) malware, web application compromise, and ransomware.
• Inventory shrinkage and store-based theft continue to plague physical stores,
and loss prevention employees strive to coordinate with cybersecurity teams to
prevent theft, fraud, and physical attacks.
• The costs of compliance and the challenges retailers face when slapped with
additional regulations and crippling fines continue to create significant problems.
Carding
A survey of IntSights retail customers revealed that the biggest threat to their businesses this year is “carding”
operations and “card-not-present” fraud. Carding is a form of credit card fraud in which a stolen credit card is used to
charge prepaid cards. This represents the vast majority of the retail-related crime IntSights observes on the dark web.
“Carders,” the criminals who monetize stolen credit cards, have automated the process of selling stolen goods. From
the moment carders obtain a stolen card, they are able to upload it to a website, which then anonymously sells it to
their customers. Bitify is one example of a website that offers gift cards for popular retailers at steep discounts (Figure
1). Prices are shown in both US dollars and Bitcoin. IntSights analysts have observed most major retailers’ gift cards
offered for sale on these types of marketplaces.
Figure 1: Screenshot of the carding store Bitify, which sells stolen gift cards to
popular retailers
Customers can search for credit cards and gift cards by brand, country, bank number, and name. Most of the gift
cards are offered at a discounted rate, making them a tempting alternative to full-price gift cards being sold in stores.
This type of threat is costing retailers millions of dollars in lost revenue from both gift cards and the products they
purchase.
Card-Not-Present Fraud
According to a Trustwave report, 77 percent of the data targeted in attacks on retail was card-not-present (CNP) data.
CNP is a type of credit card scam in which the customer does not physically present the card to the merchant during
the transaction. This type of fraud typically happens in online purchases. The rise of e-commerce has made these
types of crimes much easier for criminals. In an effort to combat this type of crime, many online retailers have started
to require the CVV code from the credit card.
Unfortunately, though, many stolen cards sold on the dark web include the CVV code. The cards on the marketplace
with CVVs are worth more because they can be used to circumvent the minimal security protocols put in place by those
e-retailers. Criminals often sell full profiles (“fullz”) on victims in order to help their customers get past credit
card security checks. The more criminals know about their victims, the easier it is for them to use victims’ cards. For example,
if a retailer requires a customer to enter the zip code, CVV, and a PIN, and the criminal has that information on hand, it
will be relatively easy to utilize the card without problems.
POS Malware
The number of point-of-sale (POS) system incidents has decreased over the past year but
remains a top cyber threat to retail companies. Despite improvements in securing POS
systems with EMV chip technology, hackers target POS systems with malware because
many retailers do not use end-to-end encryption (P2PE). POS malware is a generic term for
the many memory-scraper trojans that are designed to scan for, grab, and exfiltrate bank
card data from the point-of-sale machines that process it. Advanced cybercrime groups, such
as FIN6, FIN7/Carbanak Group, and FIN8, have made millions of dollars by attacking retailers
with POS malware, but it doesn’t require an advanced criminal to conduct such an attack.
POS malware kits are out-of-the-box crimeware sold on the dark web, which make it easy for
any novice criminal to siphon card data from POS systems.
To combat theft, inventory shrinkage, and violence impacting consumers and workers alike, most large retailers have
invested substantially in loss prevention initiatives. New facial recognition technology has proven extremely useful in
tracking repeat offender thieves, but it can be very expensive. Loss prevention employees often see repeat offenses
and have valuable human intelligence to share. Loss prevention team members have valuable analytical insight into
the crimes they investigate.
The NRF survey revealed that loss prevention employees believe they have something to contribute to cyber defense,
and yet they feel as if they’re not as involved with their cyber teams as they should be. Organizations should train
them in cybersecurity and partner them with the company’s information security team to help catch criminals.
A more timely example is the General Data Protection Regulation (GDPR) implemented by the European Union last
year. GDPR has raised the bar for security protocols for businesses operating in the European Union and imposes
significant fines on those that fail to adequately protect their customers’ data. The most notable example of this was
the British Airways data breach that occurred in 2018 and cost the company $230 million in fines related to GDPR
violations. Today, 75 percent of US retailers believe a national data privacy regulation is coming soon. Smart retailers
are preparing now for an inevitable GDPR equivalent in the US, but too many are standing still. More than 80 countries
have enacted data privacy laws so far. Looking forward to 2020, several more national and US state governments are
implementing GDPR-like compliance requirements that will affect the retail industry: the State of California, Brazil,
Nigeria, Ecuador, Thailand, Pakistan, Kenya, and more. As the world grows increasingly digitized, governments are
trying to catch up to criminals and implement basic security protocols. The retail industry has suffered from non-
compliance penalties in the past and will need to prioritize these efforts in their respective countries to minimize
financial damage.
Recommendations
Retailers face unique challenges today as their businesses become increasingly digital and their attack surfaces expand
exponentially.
Here are the top solutions retailers can use to bolster their cybersecurity defenses:
1. Start by building a solid foundation. Migrate data to secure infrastructure. Encrypt point-
of-sale and card systems and processors.
2. Monitor threats where the cybercriminals gather. External threat intelligence is a crucial
component of an effective security strategy. There are countless forums, communities,
and black markets across the clear, deep, and dark web where hackers gather to trade,
communicate, and organize large-scale attacks against vulnerable organizations. The
most effective way to mitigate a threat is to ensure it never develops into a full-blown
attack. Automated external threat intelligence solutions give security teams the ability to
identify and validate a threat targeting their organization and thwart it before it causes
any damage.
3. Marry loss prevention with cybersecurity. Train your loss prevention employees and
have them involved in feeding intelligence to the cyber protection teams. Don’t wait for
the incident response phase of the intelligence cycle. Proactive defense and teamwork are
critical in the retail industry.
4. The retail industry CANNOT afford to be non-compliant. Find out what compliance is
required for your retail locations and ensure you have a team keeping up with this effort
as laws change and digital threats evolve. Now is the time to launch this effort, not after a
significant fine cripples your business.
About IntSights
IntSights is revolutionizing cybersecurity operations with the industry’s only all-in-one external threat protection
platform designed to neutralize cyberattacks outside the wire. Our unique cyber reconnaissance capabilities enable
continuous monitoring of an enterprise’s external digital profile across the clear, deep, and dark web to identify
emerging threats and orchestrate proactive response. Tailored threat intelligence that seamlessly integrates with
security infrastructure for dynamic defense has made IntSights one of the fastest-growing cybersecurity companies in
the world. IntSights has offices in Amsterdam, Boston, Dallas, New York, Singapore, Tel Aviv, and Tokyo. To learn more,
visit: intsights.com or connect with us on LinkedIn, Twitter, and Facebook.