Cyber criminals tool up for Christmas fraud season

With November and December the busiest months of the year for retailers by some margin, cyber criminals are pulling out all the stops to make the Christmas season a bumper one for online retail fraud, according to researchers at security companies Venafi and PerimeterX.

Earlier this week, Venafi, which specialises in machine identity protection, released new intelligence on the rapid growth of lookalike domains using valid transport layer security (TLS) certificates to appear legitimate. It claims to have spotted more than 100,000 such domains targeting 20 retailers in Australia, France, Germany, the UK and the US.

This is over five times more than the number of authentic retail domains, and in the UK, the number was six times greater, spread across the top 20 online stores in the country. More than half of these were found using certificates from Let’s Encrypt – a legitimate non-profit specialising in free and open certificates.

“We continue to see rampant growth in the number of malicious, lookalike domains used in predatory phishing attacks,” said Jing Xie, senior threat intelligence researcher at Venafi.

“This is a result of the push to encrypt more, and potentially all, web traffic, a trend that generally improves security for users but inadvertently introduces a new challenge to existing methods of phishing detection. Most businesses and many retailers don’t have the updated technology in place to find these malicious sites and remove them to protect their customers.”

Most of these domains are created by substituting a few hard-to-spot characters in the URL to direct users to malicious websites that mimic the real thing and appear to the user to be safe.

Some techniques that legitimate retailers can use to combat the problem of fake domains includes: reporting through Google’s Safe Browsing service; adding certificate authority authorisation to their domain name system (DNS) records, which gives retailers the ability to restrict certificates on domains they own to those coming from trusted issuing authorities; using brand protection services to help them track down unauthorised copying of their intellectual property; and monitoring openly available certificate transparency logs to detect lookalikes before they can be monetised in attacks on customers.

Meanwhile, a PerimeterX investigation has uncovered two new automated carding bots being tested in the wild by cyber criminals as they prepare to target legitimate online shoppers in the run-up to Christmas.

The firm’s researchers picked up on suspicious traffic patterns to retail websites during September 2019. Because genuine consumers tend to slow their spending at this time, either to save up or to wait for heavy discounting at the end of November, it was able to unmask a significant uptick in malicious traffic to retail checkout pages, which led it to uncover two new carding bots being tested, and becoming more sophisticated with each new iteration.

The first bot, Canary, exploits a method of attack that attempts to cut the risk of being spotted by making slow rolling changes to a small subset of users to test defences on checkout pages. Once a successful version of the bot emerges, cyber criminals can then mass deploy it in widespread attacks later on. The Canary bot has been increasing validation activity on stolen card numbers by making small-value transactions that may not be noticed to test vulnerabilities on retail platforms.

The second bot, Shortcut, exploits the payment service provider APIs used by retailers, bypassing the retailers’ websites completely to extract money from the victim’s credit card. Online retailers tend to use external services to handle the payment process, and these services often have direct access through an API endpoint to verify card numbers. This direct access can be used by malicious actors to validate stolen card numbers without even putting any products into the shopping basket or going through the billing process.

In a blog post disclosing the firm’s findings, Kenji Yamamoto, senior cyber security analyst at PerimeterX, said: “As the usage of credit cards for online purchases increases, so do carding attacks and the diversity of methods used by attackers, given the high rewards awaiting successful attackers. We are seeing an increase in these new types of attack across multiple unrelated customers, indicating the quick evolution of these attack tools.

“The cyber crime world has evolved much like the software and cloud world has evolved. This is why we see more attacks using identical mechanisms and potentially multiple attackers using similar attack tools and targeting sites using the same platform. This dynamic is similar to competing startups that may be running their services on the same cloud vendor and using the same open source libraries.”

Robert Ramsden-Board, EMEA vice-president at Securonix, said it was little surprise that carding bot activity on retail websites was spiking ahead of the festive shopping period.

“Using bots to validate stolen card details before running fraudulent transactions is a common tactic and retailers that lack anti-bot defences are at an increased risk,” he said. “Retailers should implement controls to recognise suspicious bot activity and pay close attention to anomalous behaviours to be able to act fast and safeguard their customers.”