Booz Allen Hamilton

Retail Cybersecurity Report 2017

Top Threats

Ranked by severity:

  1. Point-of-Sale Breach
  2. Website Outages
  3. Retail and Bank Account Takeover
  4. Return and Refund Fraud 

Ranked by likelihood:

  1. Return and Refund Fraud
  2. Retail and Bank Account Takeover
  3. Website Outages
  4. Point-of-Sale Breach 



Cybercriminals Are Scrambling
The July 2017 takedown of AlphaBay and Hansa Market, two of the largest criminal marketplaces hosted on Tor hidden services, has decreased the number of vendors selling online accounts on the criminal underground. This has increased demand for compromised accounts from known sellers on shops such as Slilpp, where a variety of well-known and reliable users exclusively sell compromised accounts.

Hacking groups such as OurMine and LizardSquad, as well as the slew of copycat groups, live for peak retail season. However, they rarely target retailers: as we saw in 2015 and 2016, these groups primarily target the gaming industry with distributed denial of service (DDoS) attacks that render its websites inaccessible. This trend may turn, and it is possible that OurMine, LizardSquad and/or copycat groups may opt to target retailers during the 2017 peak retail season. Regardless, many attacks will be opportunistic, and temporary inaccessibility of popular sites may simply be attributed to high traffic.

Extortionists or Copycat Groups
These groups will likely threaten retailers with DDoS attacks during the 2017 peak retail season in the hope of receiving payment at a time when maintaining a stable retail website is critical. During past peak retail seasons, Cyber4Sight® has not identified a spike in extortion attempts targeting retailers relative to other industries, so it is more likely that extortion attempts will stay stable, or increase only slightly.



Compromised Retail Accounts
These accounts will likely be used by low-level criminals to carry out return and refund fraud, as we observed during the 2016 peak retail season. Compromised bank accounts, on the other hand, will likely be used for cashing out money acquired in fraud schemes during peak retail season rather than for directly targeting victims.

Malware-laced spear-phishing emails and the use of compromised remote access credentials remain the most popular means by which point-of-sale (POS) malware is installed on victims’ payment systems. Remote desktop protocol (RDP) and Virtual Network Computing (VNC) credentials in particular provide cybercriminals with a way to both gain initial entry into retailers' networks and move laterally, an essential process for identifying the systems on which POS malware should be installed.

"Pulse-Wave" DDoS Attacks
Amid a decline in DDoS attacks' effectiveness and popularity, a new technique dubbed "pulse-wave" may help determined and deliberate attackers disrupt e-commerce. Typical DDoS attacks take time to organize bots and reach their peak strength; pulse-wave attacks instead leverage botnets that are continually generating their full attack volume. Rather than turning the attacks on and off, pulse-wave attacks remain on, switching from target to target on the fly.

Social Engineering by Phone
Phone call returns, instead of in-store or online returns, will likely be the most popular method for executing return and refund fraud schemes in the 2017 peak retail season. This approach is popular among criminals because refund and return fraud is much easier to carry out over the phone than in-store or online.

Emergence of New Refund Services
Existing refund services usually only last a few months, and while some of the services that have been created in the past month or so may maintain their service through peak retail season, it is likely that many new services will pop up—possibly the work of individuals who have offered services in the past under different handles—and many will emerge around Black Friday in November.

Current Events as a Front for Fraud
During Hurricane Harvey and Hurricane Irma, Cyber4Sight® saw discussion about using such disasters as excuses for not receiving products that were in fact delivered, as these incidents are times when retailers are particularly sensitive about their customer service. It is likely that during peak retail season, natural disasters or other related incidents—even just weather conditions such as heavy snow—may be used as excuses for not receiving ordered products.

With What?


Worms are back in 2017. A wormable exploit released into the network of a retailer could be massively problematic during the non-peak season, but the impact during peak season could be catastrophic. However, the most popular worm exploit at present, ETERNALBLUE, has almost certainly been patched out of the networks of most sophisticated retailers. This protective measure means that a major worm-enabled attack during peak retail season will most likely require a zero-day exploit (i.e., one that targets a weakness in production systems that is unknown to the vendor).

"Devil's Ivy" Vulnerability
Devil's Ivy is a buffer overflow in the gSOAP protocol that is present in a wide variety of IP-enabled cameras and could represent a risk to retailers, depending on the setup of their networks.

POS Malware
Europay, Mastercard and VISA (EMV) to the rescue! EMV and point-to-point encryption are slowly ushering in a period when POS malware in its current form will no longer be sufficient to compromise and monetize payment card data, but the threat remains for now.

Through Cyber4Sight's® own research and investigations into the breaches at Arby's, Chipotle, Whole Foods, and Sonic, we have identified compromised payment card data for sale on Joker's Stash, one of the most popular and frequently restocked underground marketplaces. In many cases, the timespan between POS compromise and data exfiltration may be weeks or months in length, suggesting that retailers anticipating potential attacks during peak retail season should expect the initial stages of POS malware infections to occur in advance of the busy retail period.

Brute-Force Tools
Brute-force password crackers are arguably the most common type of tool used to compromise accounts, and Cyber4Sight® has identified several for sale on the cybercriminal underground throughout 2017. Many of these tools continued to be sold after the law enforcement takedowns mentioned above in July.

Account Checkers
Cybercriminals engaged in mass-compromise of accounts, such as those who sell accounts on the Slilpp marketplace, likely employ customized multi-site account checkers that are constantly updated to circumvent new defenses put in place by target organizations. Account checkers run leaked credentials against online customer accounts.
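An added example of what the defender sees when such a checker runs, not code from the report: a small Python pass over constructed login audit lines (hypothetical format) that flags a source address trying many distinct accounts with a low success ratio, which is how a credential-replay tool looks regardless of which front-end defence it has been tuned to bypass.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample of login audit lines (hypothetical format, not from the report):
# "<ISO timestamp> <client ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2017-11-24T09:00:01 203.0.113.7 alice LOGIN_FAIL
2017-11-24T09:00:01 203.0.113.7 bob LOGIN_FAIL
2017-11-24T09:00:02 203.0.113.7 carol LOGIN_OK
2017-11-24T09:00:02 203.0.113.7 dave LOGIN_FAIL
2017-11-24T09:00:03 203.0.113.7 erin LOGIN_FAIL
2017-11-24T09:00:03 203.0.113.7 frank LOGIN_FAIL
2017-11-24T09:00:04 203.0.113.7 grace LOGIN_FAIL
2017-11-24T09:00:04 203.0.113.7 heidi LOGIN_OK
2017-11-24T09:00:05 203.0.113.7 ivan LOGIN_FAIL
2017-11-24T09:00:05 203.0.113.7 judy LOGIN_FAIL
2017-11-24T09:05:00 198.51.100.9 alice LOGIN_FAIL
2017-11-24T09:05:20 198.51.100.9 alice LOGIN_OK
"""

def parse(log_text):
    """Return (timestamp, ip, username, success) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return sorted(events, key=lambda e: e[0])

def find_account_checkers(log_text, window_s=300, min_users=8, max_success_ratio=0.5):
    """Flag source IPs that, inside any window_s-second sliding window, try at
    least min_users distinct accounts with a success ratio at or below
    max_success_ratio. A real customer retrying a forgotten password hits one
    account; a checker replaying a leaked credential list hits many."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {u for _, u, _ in window}
            successes = [u for _, u, ok in window if ok]
            if len(users) >= min_users and len(successes) / len(window) <= max_success_ratio:
                # Successful hits are accounts whose leaked credentials were valid: reset candidates.
                flagged[ip] = {"attempts": len(window), "distinct_users": len(users), "valid_hits": sorted(successes)}
    return flagged
```

The `valid_hits` list is the actionable output: those customers' passwords are confirmed reused elsewhere and warrant a forced reset or step-up authentication.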

Web Injects
The elite Russian-language cybercrime forum Exploit has had, throughout much of 2017, a steadily increasing inventory of web injects that can be used for harvesting customer data, including account credentials, for various financial organizations and retail customer accounts. In addition to the web injects sold on Exploit, there is a closed web-inject store, "Inject Store" (injectstore[.]com) that sells injects for a variety of banking websites, some of which have been leveraged in Gozi banking trojan campaigns throughout 2017.

Mobile Malware
Multiple Android malware families are known to target mobile-commerce and e-commerce login credentials. For instance, in June 2017, Marcher targeted login credentials for the mobile applications of retailers including Amazon, Best Buy, and Walmart. The threat of mobile credential-theft malware is largely confined to the customers of big-name, nationwide retailers.

Receipt Generators
Receipt generators are online tools into which a user inputs order details (type of item, price of item, tax, billing address, order number, etc.) and which output a receipt with the branding and formatting of the desired retailer. In addition to receipt generators, many individuals on large criminal marketplaces offer receipt-editing services. In these cases, the services are typically advertised for less than USD 20, and the service providers require the customer to provide basic order information to create the receipt.


The 2017 peak retail season will likely see a continuation of the tactics, techniques, and procedures (TTPs) employed by cybercriminals in previous years, with varying degrees of intensity and some innovations. Ultimately, attackers are more likely to target retailers with familiar threats, given that criminals tend to seek out paths of least resistance. Emerging threats tend to be more complex and require more customization, whereas well-worn attack methods have automated attack tools and proven track records. That said, today's emerging threats are tomorrow's mainstays.


Download The Report

Like these insights? Get the full report

Get even more details on the biggest cyber threats this holiday season in our 12-page Special Report.