
Hack Friday: This Christmas, fight back against cyber criminals

It’s nearly Christmas, and cyber attacks and fraud attempts in the retail sector are ramping up. Is it time to panic? And is there anything we can do beyond hammering home the message around basic cyber security hygiene?

To judge from the state of the average cyber security writer’s inbox in the week leading up to Black Friday, the annual frenzied festival of consumerism, it’s time to panic.

The sky is falling in. Every retail website has been hacked by cyber criminals, all your credit card numbers have already been stolen and used on gambling sites, and this is therefore a very short article. Game over, man.

Unfortunately, whether you’re reading this as a shopper or a retailer, there is good reason to be concerned (also, this is a long article). Already, researchers have observed active threat groups testing out new credit card fraud techniques and tricks, and anecdotally, the first few weeks of November saw a dramatic slump in online fraud as criminals hoarded credit card numbers in preparation for the season – the much-reported breach of US department store chain Macy’s notwithstanding.

Even without the triple threat of Black Friday (traditionally associated with Thanksgiving but now exported beyond US borders), Cyber Monday (the online version of Black Friday), and the Christmas holidays (speaks for itself), retail fraud has risen dramatically over the course of 2019, at least according to Kaspersky, which recently produced statistics claiming that attacks targeted directly at shoppers were up 15% this year.

The lengthening period of promotional sales and events in November and December also means the window of opportunity for cyber criminals is much larger, said Kaspersky, which has observed 15 families of financial malware targeting popular retail sites so far this year.

In addition to well-known malware families such as Betabot, Cridex, Gozi and Zeus, Kaspersky said it had identified two new mobile bankers, known as Anubis and Gustuff, which target retailers to extract user credentials and credit card numbers by intercepting input data on target sites, modifying online content, and/or redirecting unwitting users to phishing pages.

“Shoppers must be on red alert. This is effectively hunting season for cybercriminals, who are on the prowl to steal personal details, card numbers or bank account credentials from victims,” said the firm’s principal security researcher David Emm.

Social engineering

“Over the 2019 holiday season, consumers can expect email-based attacks using seasonally themed lures such as holiday greetings and promotions for major shopping events such as Black Friday,” said Kimberly Goody, manager of cybercrime analysis for FireEye.

“Emotet, which was arguably the most prolific botnet of 2019, highlights this trend – over the previous holiday season the botnet distributed malicious emails using themes including Thanksgiving, Black Friday, Cyber Monday, and Christmas lures, a trend we expect to continue throughout the 2019 holiday season.

“The use of holiday themed email lures is a common and highly effective social engineering strategy used by many threat actors to improve the effectiveness of their campaigns,” she said.

Goody warned that besides holiday-themed lures, consumers can expect to see emails purporting to advertise sales from well-known brands, while other tactics such as falsified missed delivery notifications are more likely to be successful at this time of year purely because more people are shopping online.

Basic hygiene minimises risk

Research by the UK’s National Cyber Security Centre (NCSC) claims that 37% of UK shoppers believe that losing money or personal details over the internet is unavoidable, but this isn’t necessarily the case, and employing even a little basic cyber security hygiene will go a long way to minimising the risk, according to NCSC technical director Ian Levy.

“The NCSC wants online shoppers to make the most of Black Friday bargains, and our top tips will make life much harder for would-be cyber criminals,” said Levy.

“We understand that some people find cyber security daunting, but a small amount of protection will go a long way to improving your safety.

“Sometimes, things can go wrong. We’re all human, and some of these scams are very sophisticated. If you think you’ve fallen for a scam, report the details to Action Fraud and contact your bank,” he said.

For Cath Goulding, Nominet CISO, it is important to “shop with suspicion”. She explains: “Scammers constantly try new tricks to catch us out, so on a day when it’s easy to be tempted by huge savings or timed deals, it’s even more important to stay vigilant and not click on links in emails or fall for deals that may really be too good to be true.”

Stats compiled by comparison site Comparethemarket.com show that despite high levels of card fraud, consumer awareness of the issue is still very low, with over a third of people who had cards compromised unable to remember how it happened. People also have a tendency towards inertia, it said, with 82% of fraud victims who responded to its study saying they had not changed card provider even after being defrauded.


Nominet’s Goulding echoed Comparethemarket’s warning on complacency. “Recent research found that almost half of the adults questioned don’t feel vulnerable to cyber attacks,” she said.

“But it doesn’t matter how many times you’ve been caught out or not, or how experienced you are in the online world – criminals will be out there looking to take advantage.

“This year alone, we have suspended over 28,000 .uk domain names for criminal activity such as counterfeit goods, and around 3,000 since launching our anti-phishing initiative Domain Watch, demonstrating the persistence and volume of the threats we all face online.”

The NCSC’s guidance for consumers is relatively simple. It advises:

  • Staying up to date by installing all new software and app updates, which will frequently patch known issues;
  • Employing strong and memorable passwords incorporating special characters;
  • Using a password manager to help you remember each one and avoid the necessity to reuse the same password on multiple websites;
  • Switching on two-factor authentication where available;
  • Being cautious about what details you share with what websites.

Kaspersky adds:

  • Invest in a robust security package to protect your devices;
  • Back up data regularly to ensure personal files are not lost or encrypted if you are unlucky enough to be targeted;
  • Be extra cautious if shopping on a smartphone: shortened URLs on websites optimised for mobile can hide a multitude of sins. Don’t shop on your smartphone on an unknown Wi-Fi network; switch back to 4G or 5G, or wait until you get home;
  • Avoid websites that look suspicious or flawed, or that are not known to you, regardless of how good the offer appears;
  • Don’t click on unfamiliar or unsolicited links in emails;
  • Set spending limits for online transactions;
  • If shopping with a debit card, move funds out of your current account into savings to minimise your losses if you’re hacked, or consider a pre-paid card.

Retailers must step up

If you are an online brand or trader, it should go without saying that you have a duty of care and responsibility towards those accessing your platform, but it goes deeper than that, according to Tripwire’s Tim Erlin, vice-president of product management and strategy.

“For businesses, there are two ways to look at cyber risks around Black Friday,” said Erlin. “The first is that, simply because it’s a busier time and more money is flowing through their systems, attackers will be more likely to target them, hoping for the busyness to serve as a diversion.

“The second way to look at it is from an employee perspective: staff may be shopping online from business-owned assets, thus potentially opening them up to Black Friday scams. For this reason, it would be worthwhile for businesses to focus on education and training on how to recognise scams and phishing attempts.”

“Ransomware and other types of malware are also a concern for businesses around this time of the year. Those that are targeting the business itself ultimately just want the organisation to pay the ransom, which can be avoided by having good incident response measures in place and secure, up-to-date backups.”

Focus on performance and speed

Winston Bond, EMEA technical director at Arxan, warned that too many retailers are still focusing on website performance and speed to the exclusion of critical security measures that leave them open to attack.

“This year has seen an abundance of attacks on e-commerce sites, and this will only continue into the holiday season with cyber criminals looking to monetise their attacks and profit off unsuspecting companies and consumers,” said Bond.

“Organisations need to recognise that these attacks can only be thwarted with up-to-date security which includes the building of in-app protection and the monitoring of servers. By doing this, they can ensure they keep themselves, and their consumers, safe online.”

“People need to be reassured that their data and personal information is safe, or they will be less inclined to shop online,” added Kaspersky’s Emm. “This is where businesses also have a part to play, stepping back and re-evaluating their IT security strategy to ensure there is a full lifecycle security plan in place, entailing: education for employees, the best defences to protect against attacks, and the most reliable tools for zero-day detection.”

Advice for retailers

Kaspersky’s advice for retailers includes:

  • Using a known and reputable payment service and keeping online trading and payment platform software up to date and fully patched;
  • Using tailored IT and cyber security solutions to protect the business;
  • Paying attention to the information used by customers who buy from you and deploying fraud prevention that you can adjust to your own company profile, and the profiles of your customers.

Other elements of a coherent retailer security strategy include:

  • Putting in place email authentication records such as DMARC, DKIM or SPF, without which attackers can directly impersonate your domain. According to Tessian research, nearly a third of UK online traders don’t do this.
  • Assessing your risk profile, through an independent auditor or your managed service provider if need be, and developing a plan for ongoing risk mitigation, including GDPR compliance.
  • Educating employees within the business on how to spot the signs of the various attacks they can expect to be subjected to, and keeping up training programmes throughout the year, not just during the festive season. Deploying micro-learning – short courses of between five and 10 minutes in duration – is considered best practice to enable people to retain information.
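As an added example that is not part of the article, the checker below shows what the email authentication point above looks like in practice: it inspects a domain’s SPF and DMARC TXT records for the settings that leave the domain open to impersonation (no record, a permissive `+all`, a monitor-only `p=none`). The sample records are constructed; a real run would fetch the TXT records for the domain and for `_dmarc.<domain>` and pass them in.

```python
# Added example, not from the article: offline checker for a retailer's SPF and
# DMARC TXT records. Sample records below are constructed, not real domains.
import re

def spf_all_qualifier(txt):
    """Qualifier on the SPF 'all' term ('+', '-', '~', '?'), or None if absent."""
    for term in txt.lower().split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term)
        if m:
            return m.group(1) or "+"   # a bare 'all' means '+all'
    return None

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(spf_records, dmarc_records):
    """Return findings that would let an attacker send mail as the domain."""
    findings = []
    spf = [r for r in spf_records if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record, so any host may send as this domain")
    elif len(spf) > 1:
        findings.append("SPF: multiple records, which receivers treat as an error")
    elif spf_all_qualifier(spf[0]) in (None, "+", "?"):
        findings.append("SPF: 'all' is not -all or ~all, so unlisted hosts pass")
    dmarc = [r for r in dmarc_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record, so SPF/DKIM failures are not enforced")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p", "none") == "none":
            findings.append("DMARC: p=none only monitors; use quarantine or reject")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, so aggregate reports are lost")
    return findings

# Constructed sample records: a weak configuration and its corrected form.
WEAK_SPF = ["v=spf1 include:_spf.mailer.example +all"]
WEAK_DMARC = ["v=DMARC1; p=none"]
FIXED_SPF = ["v=spf1 include:_spf.mailer.example -all"]
FIXED_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@shop.example"]
```

Running `assess(WEAK_SPF, WEAK_DMARC)` reports three findings, while the corrected pair reports none; DKIM is not covered here because its check needs a signed message rather than DNS alone.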

“Retailers need to ensure that as sales volumes grow, so does their cyber awareness and defence. Keeping employees educated on how to respond to the likes of a potential phishing attack, particularly when many of these workers may be temporary staff, is fundamental,” said Nominet cyber security vice-president Stuart Reed.

“It’s also important to have technology and processes in place that have broad visibility of the network, to identify and eliminate potentially malicious incidents quickly. For many retailers it will also be important to ensure their supply chain has a similar level of security precautions and any brand adjacencies are monitored to ensure fraudulent websites haven’t been set up to siphon customer information.”

“It’s clear that the retail industry has some way to go in terms of cyber resilience. For this shopping season in particular, both consumers and retailers alike need to be extra vigilant to potential threats and suspicious activity,” he concluded.

Hackers on a shopping spree

It isn’t just the likes of Amazon or Asos that offer deep discounts at this time of year. The threat research team at Digital Shadows has produced research revealing that dark web marketplaces and other cyber criminal groups run their own promotions, too.

For example, Digital Shadows said it had observed the admins of BriansClub – an automated vending cart or AVC used to facilitate card fraud – offering Black Friday deals of their own, with extra discounts for people spending over $500, while dark web marketplace UnderMarket 2.0, where users can buy stolen credit card details among other things, runs an annual event at the end of November, with past deals including 30% price cuts and deeper discounts for big spenders.

Elsewhere, Digital Shadows has observed members of sites such as black-hat SEO forum BlackHatWorld sharing deals members come across months in advance, such as discounts on toolkit essentials like SEO kits, HTTPS or SOCKS proxies, and virtual private network (VPN) services – hot commodities for the cyber criminal on a budget.
