December 11, 2019 By Limor Kessem 8 min read

According to IBM X-Force Incident Response and Intelligence Services (IRIS) data, the retail service industry is the fourth most attacked industry sector, having made up 11 percent of the total attacks and incidents for the top 10 industries in 2018.

Attackers who target the retail shops we all love to frequent year-round do not exclusively reserve their efforts for the holiday season. In fact, IBM X-Force data shows that the biggest spam spikes take place in August, followed by large bouts in September and October as cybercriminals lay the grounds for their actual attacks.

While consumer shopping spikes considerably right after Thanksgiving and into the holiday season, shoppers continue to hunt for deals after the new year begins, counting on end-of-season sales. This keeps transaction volume relatively high and gives criminals a larger window of opportunity than just those special days.

As one of the most targeted industries, retailers should be taking measures to build a secure underlying infrastructure well ahead of the holidays and keep it evolving and maturing all year long.

Retail Backbones in the Crosshairs

When it comes to attacks on retailers, cybercriminals, especially organized crime groups, are out to find the vulnerabilities that would compromise more than one retailer at a time. They do this to maximize the return on their investment of time and money. To achieve that goal, they are attacking underlying web platforms and servers.

One example of a conglomerate of cybercrime factions operating in this way is Magecart. This grouping of threat actors is known to have compromised hundreds of thousands of websites by automating attacks that rely on a common vulnerability or flawed feature. In early 2019, a Magecart group hacked a third-party JavaScript library from a French advertising network, which allowed malicious code to run on at least 277 websites and continually steal customer card data as shoppers checked out on those sites.

Another trend targeting retailers is the cybercriminal quest for large, lump-sum payments. To that end, rather than stealing card data over time and having to sell or use it themselves, some criminals opt to target the corporate networks of organizations in the retail industry, launch a ransomware attack on them, and then ask for a large sum of money — usually in the millions of dollars — for the decryption key. Worse yet, many retailers end up paying, likely because the impact on their business is too high the longer it takes to get systems back up and running.

In those cases where intruders do not plan to launch ransomware, they might attempt to infiltrate retailers’ networks to siphon sensitive and confidential customer information, such as payment card data, customers’ personally identifiable information (PII) and supply chain data, then sell it to a competitor, extort the company with threats to leak that data or peddle it on the dark web.

Being robbed of a large number of customer records of any sort is a data breach that can easily end up costing hundreds of millions of dollars. And the initial breach costs are not what’s going to cap the losses. Retailers hit with a data breach of that sort can continue to see losses accrue well into the second and third year after the actual breach.

Taking a Pass at the POS

While each network is different, and each company can work with its security architecture as it sees fit, retail is one of the sectors that operates the most decentralized and diverse infrastructure. Companies in this industry do operate the more common corporate network environments; however, a large part of their infrastructure inevitably consists of point-of-sale (POS) machines that process card transactions in their physical locations.

Being spread out across the country, or even across different geographies in some cases, these machines are exposed to both physical risk and remote risk.

Direct access risk comes from potentially malicious on-site actors who can infect devices with malware, modify physical components, implant skimmers, or swap a PIN pad with one that will log card numbers and PIN codes. These attacks usually result in card cloning.

Remote access risk is a given for these endpoints since they have to be updated and monitored from a central location, which opens them up to potential intruders and aggregate risk if they all use the same remote assistance software. Remote attacks usually involve malware and are more likely to ultimately result in card-not-present (CNP) fraud.

Remote attacks are easier for attackers to scale, and one tactic that has been increasingly used by attackers in the past decade has been point-of-sale malware — malicious software used in attempts to siphon credit card information from point-of-sale machines. X-Force IRIS recently published research on new attacks carried out by an actor we named ITG08, also known as FIN6. This organized crime group historically specialized in stealing payment card data from POS machines, and has more recently expanded operations to performing CNP fraud.

X-Force IRIS further identified ITG08 as using known POS malware, such as FrameworkPOS and GratefulPOS, to steal massive amounts of payment card data from POS systems in the retail sector in attacks they launched between 2017 and 2019. Malware targeting card data can be implanted on machines, but it is very often planted on compromised websites to achieve the same goal.

Carding Bots Don’t Get Carded

Ever heard of carding bots? “Carding” is a term used by fraudsters when they refer to making purchases or moving funds by using stolen credit card data. But no one wants to use a card that’s no longer valid, and fraudsters therefore verify the validity of a card before they decide to buy or use it. To that end, cybercriminals that operate payment card shops in dark web markets offer verification services.

How can they verify card validity and do it at scale? By creating carding bots — an automation script that runs on some online shop’s website or a charity’s site and goes through the payment process to make a small purchase to see if that card is still active. Two recent bots exposed by researchers in November 2019 are Canary Bot, which runs checks on e-commerce sites by exploiting the platform they run on, and Shortcut Bot, which exploits the vendor’s card payment API.

These bots are a dime a dozen, and only the resilient ones continue to work over time, propelling profits from the endless stream of stolen payment card data that ends up in the hands of cybercriminals.

Attackers Lay the Groundwork Early — Retailers Should Too

Attackers aren’t necessarily waiting until the end of the year to launch spam campaigns. In fact, analysis of spam trapped in X-Force honeypots between 2015 and 2018 revealed a trend: a notable rise in the average volume of spam campaigns starting as early as August. Spam volume in September and October came in second and third, respectively. This could mean that attackers sow their seeds well ahead of the busy shopping season, likely to make sure that they can research the stolen data they receive and prioritize their efforts.

But while spam volumes rise and fall through the year, retailers cannot rely on these waves to anticipate the attacks that will eventually be launched on their customers and networks when it best serves the criminals operating those attacks. Investing in technologies that can help to quickly detect and contain a data breach, as well as rethinking the security program to put a new emphasis on incident response, can truly make a difference in cases where an attack is underway or has unfortunately happened.

That difference can come in the shape of savings on the total breach cost. For example, according to the “2019 Cost of a Data Breach Report,” organizations with a breach life cycle of more than 200 days from the time the breach occurred to the point it was contained see breach costs that are 37 percent higher than average.

Unfortunately, the retail industry has the fourth-longest breach life cycle of the 17 industries assessed, at 311 days, which is 11 percent longer than the average of 279 days. That means retailers take rather long to detect and contain breaches that have likely affected a large number of customers. The longer the breach lingers, the costlier it will be on all fronts, including lost business, lawsuits and hefty regulatory fines.

What Can Retailers Do to Bolster Resilience Year-Round?

Maintaining customer confidence by protecting personal and payment data can result in a stronger reputation for the organization, increased customer loyalty and, consequently, more business. As attackers set their sights on some of the retail strongholds where shoppers’ data is most likely to be plentiful, mitigating risks in those specific zones can go a long way in making it harder for malicious actors to succeed. Here are some key security controls and best practices to keep in mind.

The POS Zone

  • Train employees in all locations to recognize the proper look and components of their POS terminals and swiping devices. Provide an easy and accessible way to report suspicious findings.
  • Limit access to critical assets and properly manage the privileges of those that maintain them.
  • Use malware detection software on POS systems.
  • Keep POS systems up to date through regular operating system updates, upgrades and software patching.
  • Retailers have to comply with regulations. Work with suppliers that will contractually adhere to both your regulatory standards and security requirements.
  • When using mobile POS, have controls in place to ensure the integrity of the handheld device and the encryption of its communication channels with the server that processes and stores card data.
  • Pen test POS device hardware and software and your e-commerce sites, then use the findings to harden the security of all underlying systems.


  • Prioritize patching for the threats most relevant to your operation. Look out for the most-exploited vulnerabilities and ensure that internet-facing servers and systems are up to date.
  • Keep PII, financial data and POS information separate by segmenting enterprise networks.
  • Enforce multifactor authentication (MFA) for employees, especially for those with privileged accounts.
  • Some attackers make extra noise on the wire. Take a baseline measurement of normal traffic over varying periods of days and weeks so that suspicious traffic peaks or patterns stand out. Watch for spikes in the usage of Windows tools, such as remote administration services (PowerShell, WMI, etc.), that could signal an evolving attack.
  • Whitelist IP addresses or domains used regularly in your business activity and blacklist known and potentially malicious IP addresses or domains from entering the network.
  • Deploy web application firewalls (WAFs) to filter, monitor and, where needed, block traffic to and from web applications in order to mitigate threats.
  • Prepare for traffic peaks and potential distributed denial-of-service (DDoS) attacks by using designated controls such as load balancers.
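The baselining advice above, as an added example that is not part of the original article: a small Python script that counts launches of remote administration tools per day from simplified process-creation events and flags days that exceed the baseline mean by more than three standard deviations. The log format, the process names in ADMIN_TOOLS and the sample events are constructed assumptions, not real telemetry.

```python
import re
import statistics
from collections import Counter

# Remote administration tools worth baselining (assumed process names).
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "wmiprvse.exe", "psexec.exe"}

# Constructed sample of simplified process-creation events, not real telemetry.
# Assumed format: "<date> <host> <process>". Five quiet days, then one busy day.
SAMPLE_LOG = """\
2019-11-04 store-07 powershell.exe
2019-11-04 store-07 explorer.exe
2019-11-05 store-07 wmic.exe
2019-11-06 store-07 powershell.exe
2019-11-06 store-07 powershell.exe
2019-11-07 store-07 chrome.exe
2019-11-07 store-07 wmic.exe
2019-11-08 store-07 powershell.exe
2019-11-11 store-07 powershell.exe
2019-11-11 store-07 wmiprvse.exe
2019-11-11 store-07 powershell.exe
2019-11-11 store-07 psexec.exe
2019-11-11 store-07 powershell.exe
2019-11-11 store-07 wmic.exe
"""
BASELINE_DAYS = ["2019-11-04", "2019-11-05", "2019-11-06", "2019-11-07", "2019-11-08"]

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+)$")

def admin_tool_counts(log_text):
    """Count admin-tool launches per day; lines that do not parse are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3).lower() in ADMIN_TOOLS:
            counts[m.group(1)] += 1
    return counts

def spike_days(counts, baseline_days, sigma=3.0):
    """Return days outside the baseline whose count exceeds mean + sigma * stdev."""
    baseline = [counts.get(d, 0) for d in baseline_days]
    mean = statistics.mean(baseline)
    # A flat baseline has stdev 0; floor it so one extra launch is not an alert.
    stdev = max(statistics.pstdev(baseline), 1.0)
    threshold = mean + sigma * stdev
    return {d: n for d, n in counts.items() if d not in baseline_days and n > threshold}
```

With the constructed sample, the five baseline days average 1.2 launches, so the threshold is 4.2 and only 2019-11-11 (six launches) is reported.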


  • Magecart attacks modify what your website renders so that it serves up code that steals card data. Deploy a change monitoring and detection solution to spot unauthorized modifications to your e-commerce platform’s web hosting directories. If this is not feasible, schedule periodic, manual reviews of these assets.
  • Use Content Security Policies to limit the sources of executable scripts.
  • Reduce directory and file access permissions across the e-commerce platform.
  • Ensure that your development team works closely with the security team to harden the code against common attacks like SQL injections, XSS, broken authentication, flawed web logic, misconfigurations, etc.
  • Patch regularly. Plan for business continuity that would allow your team to update the platform as soon as patches are released.
  • Use end-to-end encryption (E2EE) as much as possible.
  • Automate backups and keep those offline.
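The change monitoring control above, as an added example that is not part of the original article: a minimal file-integrity check in Python that records a SHA-256 baseline of every file under a web hosting directory and later reports files that were added, removed or modified. The directory layout and file contents in demo() are constructed in a temporary directory; a real deployment would store the baseline off the web server and run the comparison on a schedule.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(web_root):
    """Map each file under web_root (POSIX relative path) to its SHA-256 digest."""
    root = Path(web_root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }

def diff_snapshots(baseline, current):
    """List files added, removed or modified since the baseline was recorded."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
    }

def demo():
    """Constructed scenario in a temporary directory: a checkout script is altered
    and an unexpected script appears after the baseline was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "checkout.js").write_text("// constructed checkout script\n")
        (root / "index.html").write_text("<html></html>\n")
        baseline = snapshot(root)  # record this while the deployment is known-good
        # Simulate unauthorised changes to the hosting directory.
        (root / "js" / "checkout.js").write_text("// constructed checkout script\n// changed\n")
        (root / "js" / "extra.js").write_text("// constructed dropped file\n")
        return diff_snapshots(baseline, snapshot(root))
```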


Having vigilant employees makes mitigating attacks during the holiday season that much more effective.

  • Plan for role-based training of all employees in the organization.
  • Train employees on both physical and digital security.
  • Run tests and identify users who need remedial training. Then, train and retest as needed.
  • Most importantly, provide all users with an easily accessible resource to report issues. Users should be able to contact an IT security center with any question or suspicion.

Covered Your Bases? Run a Pen Test

A key preventative measure for retailers with a more mature security posture is running a penetration test. Simply put, the organization’s security team can allow a white hat hacker, or penetration tester, to manually try to compromise assets using the same tactics, techniques and procedures (TTPs) as criminal attackers. This is done to ascertain whether protections applied by the organization are indeed working as planned and to find any unknown vulnerabilities that could enable a criminal to compromise a high-value asset.

Have a Response Plan in Place and Drill It Regularly

The timelier and more coordinated an organization’s response is to an incident, the faster it can limit and manage the impact. A solid incident response plan can help contain an incident rapidly and result in better protection of customer data, reduction of breach costs and preservation of the organization’s reputation. Before an attack occurs, establish a dedicated incident response team with members from different departments in the organization.

If your team suspects an infection or attack, do not wait to launch incident response plans to contain and begin remediation. If your organization is in need of response assistance, please contact the X-Force IRIS hotline: U.S. hotline 1-888-241-9812 | Global hotline (+001) 602-220-1440.
