Securing the Holiday Shopping Season from Heightened Cyber Attacks

By Eric Ford, Sr. Threat Intelligence Analyst & Michael Mayes, Content Writer

Estimated Reading Time: 8 minutes

While retailers prepare for the swell of holiday shopping, both in stores and online, perhaps no one has been busier preparing than their information security teams. Anyone charged with detecting suspicious activity across the retail environment – such as payment processing, POS systems, and e-commerce sites – during the holidays knows that hackers are just as excited about Black Friday and Cyber Monday as anyone, if not more so. In fact, in 2021 the overall number of cyber attacks during November and December jumped 10% while the number of malware attacks spiked 300%.

Leading up to the most wonderful time of the year, SecOps teams across the retail industry must be particularly vigilant and monitor their environments 24/7 during this heightened threat period. These are four of the most damaging attacks security teams should look for to reduce risk to retailers, manufacturers, payment processors, and pure e-commerce plays.

Credit Card Skimming

Credit card skimmers, both physical and virtual, have become more sophisticated and harder to detect. Skimming occurs when devices illegally installed on ATMs, point-of-sale (POS) terminals, or fuel pumps capture card data or record cardholders’ PINs. Online skimmers target shoppers with fake websites or pages to skim payment data during Card-Not-Present (CNP) transactions on e-commerce sites. Skimmer code may also be maliciously added to a legitimate checkout page, redirecting data to threat actors.

To be successful, online card skimmers must either divert victims away from legitimate transactions to pages that collect credit card data or account credentials, or compromise the checkout flow itself. In other cases, skimmer malware targets the payment application infrastructure supplied to e-commerce sites by third-party service providers.

Key Recommendation:
Routine web application scanning of both internal and external code will help identify malicious scripts and harden the site against XSS. Note that traditional vulnerability management (VM) scanning does not typically find these types of compromises. Check the source code currently being served against known-good versions.
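One way to put the "check current source against known good" recommendation into practice is a baseline comparison of the checkout page's scripts. The example below is added here and is not Deepwatch's code: it hashes each served script against a recorded manifest to report added, removed or modified files, and extracts `<script src>` hosts from the checkout HTML to flag any third-party host not on an allowlist. The file contents, HTML, hostnames and allowlist are all constructed sample data.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample data (not from the original post): the checkout page's
# scripts as recorded in the known-good baseline and as currently served.
# One file has unexpected code appended and one script was added.
BASELINE_FILES = {
    "js/checkout.js": "function pay(f){return post('/api/pay',serialize(f));}",
    "js/vendor/jquery.min.js": "/* vendor library stub */",
}
CURRENT_FILES = {
    "js/checkout.js": "function pay(f){return post('/api/pay',serialize(f));}"
                      "/* unexpected appended code */",
    "js/vendor/jquery.min.js": "/* vendor library stub */",
    "js/extra.js": "/* script not present in the baseline */",
}
# Constructed checkout HTML: one relative script, one from the approved CDN,
# one protocol-relative script from a host that is not on the allowlist.
CHECKOUT_HTML = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script src="//static.example-cdn.net/t.js"></script>
</head></html>"""
ALLOWED_SCRIPT_HOSTS = {"cdn.example.com"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)


def build_manifest(files):
    """Map each script path to the SHA-256 of its content (the known-good record)."""
    return {path: hashlib.sha256(body.encode()).hexdigest() for path, body in files.items()}


def diff_manifests(baseline, current):
    """Report scripts that were added, removed or changed since the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def unexpected_script_hosts(html, allowed_hosts):
    """Return third-party hosts serving <script src> that are not on the allowlist."""
    hosts = {urlparse(src).netloc for src in SCRIPT_SRC_RE.findall(html)}
    return sorted(h for h in hosts if h and h not in allowed_hosts)


if __name__ == "__main__":
    print(diff_manifests(build_manifest(BASELINE_FILES), build_manifest(CURRENT_FILES)))
    print(unexpected_script_hosts(CHECKOUT_HTML, ALLOWED_SCRIPT_HOSTS))
```

In production the baseline manifest is built from the release artifact at deploy time and the current set is fetched from the live site, so that a change to any served script, or a new script host, raises an alert rather than going unnoticed.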

POS Malware

The complex connections between a consumer’s credit card swipe and a host of third-party validators, payment processors, banks, and sellers are a target-rich environment for malware. Consumers expect transactions to complete in seconds, so validation processes have only milliseconds to spare.

One of the largest holiday breaches in history occurred when Target was hit with malware in 2013, exposing over 40 million credit cards and details of 70 million customers. The breach resulted in a $14.5 million fine for Target, and ushered in chip technology over magnetic stripes.

POS malware is less effective today because of the protection mechanisms embedded in modern credit card processing systems in most countries. Threat actors in the carding industry are more likely to switch to JavaScript sniffers that collect card data from e-commerce websites. The U.S. still allows magstripe payment processing, however, which keeps it a rich target.

Last month a Deepwatch Adversary Tactics and Intelligence (ATI) group Cyber Intel Brief reported on a 2022 POS malware campaign that stole the details of over 161,000 credit cards. The October report cites research on a campaign using MajikPOS, malware first identified in 2017, and Treasure Hunter, a new malware strain, to steal credit card magstripe data.

Key Recommendation:
Ensure that VPN and RDP ports for POS devices are appropriately secured. Regularly scan systems for vulnerabilities and patch systems as soon as possible. Prioritization should be placed on internet-exposed systems with a focus on known vulnerabilities like those featured in CISA’s Known Exploited Vulnerabilities Catalog. Implement advanced endpoint solutions to help detect enterprise POS breaches early.

Bots that Shop

One bot study of more than 200 million website visits warns retailers to expect over 45 million fake shoppers to flood website traffic on Black Friday. Sophisticated bots now scoop up inventory at the expense of real customers in order to sell the items at a profit on the multi-billion dollar resale market.

Sneakerheads and Playstation 5 shoppers know too well how effective bots are, often pushing prices up 100% over retail. Last year during Black Friday, Walmart claimed to have blocked more than 20 million bot attempts to place Playstation 5 orders in the first 30 minutes of sales.

Bots can also be used to quickly open millions of fake accounts, a process that has impacted payment networks such as PayPal and Cash App. Bots have also been used maliciously by competitors through cart stuffing, a process by which automation tools are used to hold products in shopping carts to negatively impact inventory counts.

Key Recommendation:
Look for a spike in login failures, which can signal credential stuffing or cracking bots trying to take over existing customer accounts. Watch for unusual spikes in account creation over a short period. Monitor web traffic coming from outside your typical delivery areas or regions. Look for dramatic increases in shopping cart abandonment, which may signal denial-of-inventory bots. To be most effective, implement human verification processes to prevent bot buying.
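The two log-based signals above, a burst of login failures from one source and a spike in account creation, can be turned into simple detection logic. The example below is added here and is not Deepwatch's code; it runs over a constructed auth log (timestamp, client IP, event, account) using a one-minute window, flags sources whose failures hit many distinct accounts, and flags minutes whose registration count exceeds an assumed baseline. The log lines, IPs, event names and thresholds are all constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample auth/web log (not from the original post), one event per
# line: "<ISO timestamp> <client IP> <event> user=<account>".
SAMPLE_LOG = """\
2022-11-25T06:00:01 203.0.113.5 LOGIN_FAIL user=alice
2022-11-25T06:00:02 203.0.113.5 LOGIN_FAIL user=bob
2022-11-25T06:00:02 203.0.113.5 LOGIN_FAIL user=carol
2022-11-25T06:00:03 203.0.113.5 LOGIN_FAIL user=dave
2022-11-25T06:00:04 203.0.113.5 LOGIN_FAIL user=erin
2022-11-25T06:00:09 198.51.100.7 LOGIN_FAIL user=frank
2022-11-25T06:00:20 198.51.100.7 LOGIN_OK user=frank
2022-11-25T06:01:00 192.0.2.10 ACCOUNT_CREATE user=u1
2022-11-25T06:01:01 192.0.2.11 ACCOUNT_CREATE user=u2
2022-11-25T06:01:01 192.0.2.12 ACCOUNT_CREATE user=u3
2022-11-25T06:01:02 192.0.2.13 ACCOUNT_CREATE user=u4
2022-11-25T06:05:00 198.51.100.8 ACCOUNT_CREATE user=u5
"""


def parse_log(text):
    """Yield (minute_window, ip, event, user) tuples; windows are whole minutes."""
    for line in text.splitlines():
        ts, ip, event, user = line.split()
        window = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        yield window, ip, event, user.split("=", 1)[1]


def credential_stuffing_sources(events, min_failures=5, min_users=3):
    """IPs that, within one minute, failed logins min_failures times against
    at least min_users distinct accounts (many accounts, one source)."""
    per_source = defaultdict(list)
    for window, ip, event, user in events:
        if event == "LOGIN_FAIL":
            per_source[(window, ip)].append(user)
    return sorted((w.isoformat(), ip) for (w, ip), users in per_source.items()
                  if len(users) >= min_failures and len(set(users)) >= min_users)


def account_creation_spikes(events, max_per_minute=3):
    """Minutes in which new-account registrations exceed the assumed baseline rate."""
    per_minute = Counter(w for w, _ip, event, _u in events if event == "ACCOUNT_CREATE")
    return sorted(w.isoformat() for w, n in per_minute.items() if n > max_per_minute)


if __name__ == "__main__":
    events = list(parse_log(SAMPLE_LOG))
    print(credential_stuffing_sources(events))  # the 203.0.113.5 burst
    print(account_creation_spikes(events))      # the 06:01 registration spike
```

The legitimate user who fails once and then logs in is not flagged, because the distinct-account threshold separates a forgotten password from a list of stolen credentials being replayed.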

Ransomware

Ransomware exploitation continues through well-crafted spear phishing campaigns, unsecured remote access software and appliances, overprivileged identities, and unpatched software. This kind of attack during the holiday season, when security teams are away, can be devastating.

Key Recommendation:
Initial infection vectors are vulnerability exploitation, poorly configured applications, phishing, exposed RDP, and compromised credentials. Review admin privileges and ensure zero trust and 2FA are in place. Also review your ransomware disaster recovery plan and physically test your backups.

Conclusion: Rising Risk and Competition

With roughly $20 billion in sales at stake between Black Friday and Cyber Monday, retailers and e-commerce sites compete for a rush of shoppers. More than ever, they must also defend against cybercriminals. Make it your team’s goal to capture as much detail as possible on this year’s SecOps effort for a post-mortem in 2023 that aids maturity. Let us show you how Deepwatch helps teams proactively mature their SecOps effort, reduce alert fatigue, extend team expertise, and automate response for better security outcomes.

See below for a checklist of mitigations to consider for your organization, and if you’re interested in partnering with us on 24/7 managed detection and response services, let’s chat here!

Also, be sure to catch our webinar with Brian Krebs December 8th! For more information and to register:

General Deepwatch Mitigation Guidance for the 2022 Holiday

  • An enforced organization-wide policy and process that requires changing default passwords for all hardware, software, and firmware before being deployed on any network.
  • Integrating phishing resistant multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of a threat actor gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. Phishing resistant MFA can also be used to restrict access to cloud resources and APIs.
  • Organizations have a system-enforced policy that requires a minimum password length of 15 or more characters for all password protected IT assets, and all OT assets where technically possible.
  • No user accounts have administrator or super-user privileges. Administrators maintain separate user accounts for all actions and activities not associated with the administrator role (e.g. for business email, web browsing, etc.).
  • Organizations provision unique and separate credentials for similar services and asset access on IT and OT networks. Users do not (or cannot) reuse passwords for accounts, applications, services, etc.
  • A system-enforced policy that disables Microsoft Office macros, or similar embedded code, by default on all devices. If macros must be enabled in specific circumstances, there is a policy for authorized users to request that macros are enabled on specific assets.
  • Regularly scan systems for vulnerabilities and patch systems as soon as possible. Prioritization should be placed on those systems that are internet-exposed with a focus on known exploited vulnerabilities like those featured in CISA’s Known Exploited Vulnerabilities Catalog.
  • Assets on the public internet expose no exploitable services, such as RDP. Where these services must be exposed, appropriate compensating controls are implemented to prevent common forms of abuse and exploitation. All unnecessary OS applications and network protocols are disabled on internet-facing assets.
  • Determine whether certain websites or attachment types (such as .lnk and .iso) are necessary for business operations, and block access if security analysts cannot monitor the activity well or if it poses a significant risk.
  • Employ an anti-virus or EDR solution that can automatically quarantine suspicious files.
  • Security applications that look for behavior used during exploitation can be used to mitigate some exploitation behavior. Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring.
Eric Ford, Sr. Threat Intelligence Analyst

Eric is an accomplished intelligence professional with 10+ years of experience in the intelligence field supporting the Department of Defense and commercial organizations. He is responsible for collecting open-source information and analyzing it to turn it into actionable intelligence.

Michael Mayes, Content Writer

Michael Mayes is a content creator at Deepwatch and a certified OSINT analyst. He has over 20 years in marketing communications and media relations for disruptive technologies in highly-regulated industries. Publication on topics includes cloud and mobile security, cryptocurrency, ransomware, and dark web markets.
