Retailers face new security challenges
By Kevin Epstein
Retail cybersecurity advice used to be simple. Don’t leave registers unattended, be sure credit card data is securely transmitted and put your trust in a great firewall.
Unfortunately, while that advice still holds, it largely fails to address the newer tactics used by attackers against Australian retailers. This includes the ever more sophisticated point-of-sale malware, brand fraud within emails and on social networks, as well as attacks leveraging the weakest link in security – people.
Chip-and-PIN is not a cure-all
Point-of-sale (POS) malware, designed to harvest credit card information from retail terminals, suffered a significant setback with the widespread adoption of Chip-and-PIN technology, making it much harder to simply scrape credit card numbers from card readers.
Now, though, in the never-ending arms race with cybercriminals, new POS malware predicts the data used to secure transactions in order to create fraudulent charges. And it is distributed through a variety of attack angles or ‘vectors’, especially email.
In one recent campaign, tens of thousands of fake socially-engineered messages (detailing a terminated employee) were used to deliver a banking Trojan through links and malicious documents, but the banking Trojan was only an intermediary. The final payload? A new strain of point-of-sale malware called ScanPOS.
Even without the mass credit card information theft we saw earlier in the decade from POS malware, retail-related data breaches remain a significant issue. Attackers are going after infrastructure using a variety of attack vectors, including innocent-looking emails that surreptitiously download POS malware and so-called “information stealers” when recipients click on embedded links or attachments.
Big Brand = Big Liability
While more subtle than POS malware, massive-scale ad fraud and malvertising also interfere with legitimate online advertising from internet and brick-and-mortar retailers.
Proofpoint researchers regularly find instances of ad substitution and malicious ad landing pages that closely mimic real brands. Even if users believe they are clicking an ad from a known online retailer, it is all too common for the ad to use stolen branding and instead lead to phishing pages and websites that exploit vulnerabilities on the visiting device.
Unfortunately, stolen branding doesn’t stop at online advertising. Major events like the Olympics give rise to large numbers of fraudulent social media accounts, often leveraging brands of sponsors and sporting retailers. For example, 15 per cent of all Olympics-related social media accounts were fraudulent and 84 per cent of these were impostors, running phishing schemes and other malicious activities, pulling in unsuspecting customers with fake gift certificates and coupons.
Of course, in both cases, retailers are left with the bill when angry customers demand fulfillment for fake offers. Brands also lose customers if fake pages infect users who then tell friends and family members to stay away.
People make the best exploit
Last but not least, Proofpoint researchers regularly track major credential email phishing campaigns that target far more than corporate credentials. Increasingly sophisticated phishing lures, sent via large-scale customised email campaigns, convince individuals to log in to their personal accounts on fake versions of retail websites. Many pose as coupons, secret-shopper invitations, or other special offers.
Their goal is to generate fraudulent transactions or steal credentials for reuse across multiple sites. The screenshot below shows a fake review page for a retailer linked from an emailed offer for a $50 credit if the recipient logged into their account and completed a survey. The result: the brand is blamed by consumers and suffers a financial loss to resolve the issue.
[Screenshot: fake retailer review page linked from a phishing email offering a $50 credit. Image source: Proofpoint]
At the same time, the direct corporate threats that have pushed retail cybercrime out of the headlines in recent years, namely banking Trojans, ransomware, and business email compromise (BEC), all leverage human gullibility to gain initial footholds in the corporation. And they are targeting staff and executives in retail businesses. Retailers are certainly not immune to these sorts of threats and remain high-value targets for cybercriminals.
Be on the lookout
Clearly, retail cybersecurity advice no longer seems quite as simple as it once was – but it can perhaps still be distilled to a few key principles:
- It’s about money. Hacktivism and espionage remain a relatively small factor motivating cybercriminals; thus, if you can make your defences sufficiently strong that it costs less to hack someone else, you win. When escaping a raging bear, you don’t have to be faster than the bear, only the person next to you.
- Everybody clicks. Training staff is important, of course, but it only goes so far. If your cybersecurity systems haven’t been re-examined and upgraded in the last two years, you’re likely very exposed to threats. Legacy cybersecurity simply isn’t effective.
- Email is not your friend. Email is essential to every business; it is its lifeblood. It’s also inherently insecure, and the number one vector for cyberattacks. Start by securing your email.
Kevin Epstein is the vice president of Proofpoint’s Threat Operations Center.