Cybercriminals Are Scrambling
The July 2017 takedown of
Hacking groups such as
Extortionists or Copycat Groups
These groups will likely threaten DDoS attacks to retailers during the 2017 peak retail season in hope that they will receive payment during a time when maintaining a stable retail website is critical. During past peak retail seasons, Cyber4Sight® has not identified a spike in extortion attempts targeting retailers relative to other industries, so it is more likely that extortion attempts will stay stable, or increase only slightly.
Compromised Retail Accounts
These accounts will likely be used by low-level criminals to carry out
Malware-laced spear-phishing emails and the use of compromised remote access credentials remain the most popular means by which point-of-sale (POS) malware is installed on victims’ payment systems. Remote desktop protocol (RDP) and Virtual Network Computing (VNC)
"Pulse-Wave" DDoS Attacks
Amid a decline in DDoS attacks' effectiveness and popularity, a new technique dubbed "pulse-wave" may help determined and deliberate attackers disrupt e-commerce. Unlike typical DDoS attacks, which take time to organize bots and reach their peak strength, pulse-wave attacks leverage botnets that are continually generating their full attack volume. Instead of turning the attacks on and off, pulse-wave attacks remain on, switching from target to target on the fly.
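From the defender's side, the distinguishing signal of a pulse-wave attack is that each burst arrives at full volume with no ramp-up and lasts only seconds, so a mitigation that waits for a sustained period of elevated traffic before engaging never triggers. The following added example (not code from the report or from any vendor) runs a simple burst detector over two constructed per-second request-count series, one shaped like pulse-wave traffic and one like a conventional ramp-up flood, and shows which bursts a sustained-threshold trigger would miss. The series, thresholds and function names are assumptions for illustration.

```python
from statistics import median

# Constructed per-second request counts at a web edge (not report data).
# Baseline is roughly 100 requests/s; attack traffic is roughly 5,000 requests/s.
SAMPLE_PULSE = [100, 98, 103, 5000, 5100, 4950, 101, 99, 102, 97,
                4980, 5020, 5050, 100, 102]          # two 3-second pulses
SAMPLE_RAMP = [100, 101, 99, 100, 1200, 2000, 3500, 5000, 5100, 5000,
               4900, 100, 102, 99, 101, 100]         # one flood that climbs over 3 s


def find_bursts(series, factor=10, peak_fraction=0.8):
    """Return a list of bursts, each a dict with start/end sample index, peak
    rate, how many samples it took to reach `peak_fraction` of the peak, and a
    kind: 'pulse' (full volume from the first sample) or 'ramp' (climbs up).
    The baseline is the median of the series, which assumes attack samples
    are a minority of the window being examined."""
    base = median(series)
    threshold = base * factor
    bursts = []
    i = 0
    while i < len(series):
        if series[i] < threshold:
            i += 1
            continue
        start = i
        while i < len(series) and series[i] >= threshold:
            i += 1
        end = i - 1
        chunk = series[start:end + 1]
        peak = max(chunk)
        # Count samples spent below peak_fraction*peak before full volume is reached.
        rise = 0
        for value in chunk:
            if value >= peak * peak_fraction:
                break
            rise += 1
        bursts.append({
            "start": start,
            "end": end,
            "peak": peak,
            "rise_samples": rise,
            "kind": "pulse" if rise == 0 else "ramp",
        })
    return bursts


def missed_by_sustained_trigger(bursts, sustain_samples):
    """Bursts shorter than `sustain_samples` never satisfy a mitigation rule of
    the form 'rate above threshold for N consecutive samples', so they pass
    through unmitigated. Returns the list of such bursts."""
    return [b for b in bursts if (b["end"] - b["start"] + 1) < sustain_samples]


if __name__ == "__main__":
    for name, series in (("pulse-wave", SAMPLE_PULSE), ("ramp-up", SAMPLE_RAMP)):
        bursts = find_bursts(series)
        print(name, bursts)
        print("  missed by a 5-sample sustained trigger:",
              missed_by_sustained_trigger(bursts, 5))
```

The practical consequence for a retailer is that pulse-wave traffic calls for a mitigation path that reacts within a sample or two of the first full-volume reading (or is always on), rather than one that confirms an attack over a multi-second window.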
Social Engineering by Phone
Phone call returns, instead of in-store or online returns, will likely be the most popular method for executing return and refund fraud schemes in the 2017 peak retail season. This approach is popular among criminals because refund and return fraud
Emergence of New Refund Services
Existing refund services usually only last a few months, and while some of the services that have been created in the past month or so may maintain their service through peak retail season, it is likely that many new services will pop up—possibly the work of individuals who have offered services in the past under different handles—and many will
Current Events as a Front for Fraud
During Hurricane Harvey and Hurricane Irma, Cyber4Sight® saw
Worms are back in 2017. A wormable exploit released into the network of a retailer could be massively problematic during the non-peak season, but the impact during peak season could be catastrophic. However, the most popular worm exploit at present,
"Devil's Ivy" Vulnerability
Devil’s Ivy is a buffer overflow in the gSOAP SOAP/XML toolkit. It is present in a wide variety of IP-enabled cameras and could represent a risk to retailers, depending on how their networks are set up.
Europay, Mastercard and Visa (EMV) to the rescue! EMV and point-to-point encryption are slowly ushering in a period when POS malware in its current form will no longer be sufficient to compromise and monetize payment card data, but the threat remains for now.
Through Cyber4Sight’s® own research and investigations into the breaches at Arby's, Chipotle, Whole Foods, and Sonic, we have identified compromised payment card data for sale on Joker’s Stash, one of the most popular and frequently restocked underground marketplaces. In many cases, the timespan between POS compromise and data exfiltration may be weeks or months in length, suggesting that retailers anticipating potential attacks during peak retail season should expect the initial stages of POS malware infections to occur in advance of the busy retail period.
Brute-force password crackers are arguably the most common type of tool used to compromise accounts, and Cyber4Sight® has identified several for sale on the cybercriminal underground throughout 2017. Many of these tools continued to be sold after the law enforcement takedowns mentioned above in July.
Cybercriminals engaged in mass-compromise of accounts, such as those who sell accounts on the Slilpp marketplace, likely employ customized multi-site account checkers that are constantly updated to circumvent new defenses put in place by target organizations. Account checkers run leaked credentials against online customer accounts.
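The two tool classes described above leave different fingerprints in a retailer's authentication logs: a password cracker hammers one username with many passwords, while an account checker replays a leaked credential list, touching many distinct usernames once or twice each with a low success rate. The following added example (not code from the report, and not tied to any particular checker or cracker) parses a constructed set of login-log lines and labels each source IP accordingly, also listing any usernames that succeeded during a stuffing run so those accounts can be reset. The log format, field names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication-log lines (not from the report):
# "<ISO timestamp> <client IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2017-11-20T10:00:01 203.0.113.7 alice@example.com FAIL
2017-11-20T10:00:03 203.0.113.7 bob@example.com FAIL
2017-11-20T10:00:05 203.0.113.7 carol@example.com OK
2017-11-20T10:00:07 203.0.113.7 dave@example.com FAIL
2017-11-20T10:00:09 203.0.113.7 erin@example.com FAIL
2017-11-20T10:00:11 203.0.113.7 frank@example.com FAIL
2017-11-20T10:00:13 203.0.113.7 grace@example.com FAIL
2017-11-20T10:00:15 203.0.113.7 heidi@example.com FAIL
2017-11-20T10:01:00 198.51.100.9 ivan@example.com FAIL
2017-11-20T10:01:02 198.51.100.9 ivan@example.com FAIL
2017-11-20T10:01:04 198.51.100.9 ivan@example.com FAIL
2017-11-20T10:01:06 198.51.100.9 ivan@example.com FAIL
2017-11-20T10:01:08 198.51.100.9 ivan@example.com FAIL
2017-11-20T10:01:10 198.51.100.9 ivan@example.com FAIL
2017-11-20T10:02:00 192.0.2.44 judy@example.com FAIL
2017-11-20T10:02:30 192.0.2.44 judy@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_events(text):
    """Parse log lines into (timestamp, ip, user, success) tuples, sorted by time.
    Malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events)


def classify_sources(events, window=timedelta(seconds=60),
                     min_attempts=5, min_distinct_users=5):
    """Return {ip: details} for source IPs whose logins within any `window`
    look automated. 'credential_stuffing' means many distinct usernames
    (an account checker replaying a leaked list); 'brute_force' means many
    failed attempts against a single username (a password cracker)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    verdicts = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):
            # Sliding window: every attempt from this IP within `window` of `start`.
            chunk = [e for e in evs[i:] if e[0] - start <= window]
            if len(chunk) < min_attempts:
                continue
            users = {e[2] for e in chunk}
            successful = sorted({e[2] for e in chunk if e[3]})
            if len(users) >= min_distinct_users:
                verdicts[ip] = {"verdict": "credential_stuffing",
                                "attempts": len(chunk),
                                "distinct_users": len(users),
                                "successful_users": successful}
                break
            if len(users) == 1 and not successful:
                verdicts[ip] = {"verdict": "brute_force",
                                "attempts": len(chunk),
                                "distinct_users": 1,
                                "successful_users": []}
                break
    return verdicts


if __name__ == "__main__":
    for ip, info in classify_sources(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The per-IP view is deliberately simple; checkers that rotate through proxies spread the same pattern across many addresses, so in practice the same counts are also worth tracking per username and per user-agent, and a sudden rise in the site-wide ratio of failed to successful logins is the signal that survives IP rotation.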
The elite Russian-language cybercrime forum Exploit has had, throughout much of 2017, a steadily increasing inventory of web injects that can be used for harvesting customer data, including account credentials, for various financial organizations and retail customer accounts. In addition to the web injects sold on Exploit, there is a closed web-inject store, "Inject Store" (injectstore[.]com) that sells injects for a variety of banking websites, some of which have been leveraged in Gozi banking trojan campaigns throughout 2017.
Multiple Android malware families are known to target mobile-commerce and e-commerce login credentials. For instance, in June 2017, Marcher targeted login credentials for the mobile applications of retailers including Amazon, Best Buy, and Walmart. The threat of mobile credential-theft malware is largely confined to the customers of big-name, nationwide retailers.
Receipt generators are online tools on which
The 2017 peak retail season will likely see a continuation of the tactics, techniques, and procedures (TTPs) employed by cybercriminals in previous years, with varying degrees of intensity and some innovations. Ultimately, attackers are more likely to target retailers with familiar threats, given that criminals tend to seek out paths of least resistance. Emerging threats tend to be more complex and require more customization, in contrast to well-worn attack methods, for which automated attack tools and proven track records already exist. That said, today's emerging threats are tomorrow's mainstays.