Criminal Shopping Habits

Cyber threats to the retail sector

The retail industry is increasingly gearing towards e-commerce platforms and cashless, even contactless, payments – a trend accelerated by the Covid-19 pandemic.

Even before that, in 2020, 41% of shoppers said they would purchase online items they would normally go to the store for. In 2019, 53% of Hong Kong residents tried to be completely cashless, according to Visa. The retail and consumer landscape is clearly changing rapidly, and the cyber threats facing the industry are following accordingly.

As payments increasingly move online, so do cybercriminals’ attempts to steal payment card data. Traditional point-of-sale (POS) malware steals customers’ data by infecting retailers’ POS devices. While still present, POS malware is losing effectiveness because of increasingly secure card standards like EMV and the growing use of contactless payments, including mobile payment systems like Apple Pay and Google Pay.

Consumers’ growing appetite for e-commerce has therefore led criminals to adopt new tactics. One of the most widespread is stealing payment data on e-commerce websites by injecting malicious JavaScript skimmers into checkout pages, a technique known as Magecart.

The growing threat of web skimmers

Magecart is a common and hard-to-detect threat for online retailers. Researchers estimate that an e-commerce website is infected with Magecart malicious code every 15 seconds. Some large-scale Magecart operations have compromised thousands of websites at a time, including about 2000 e-commerce sites in just three days in September. Criminals injected the malicious JavaScript code, likely via outdated v1 and v2 versions of the Magento e-commerce platform.

Compromising popular third-party e-commerce platforms like Magento allows criminals to automatically deploy JavaScript skimmers on hundreds of vulnerable victims at the same time. Indeed, the name Magecart itself refers to this common intrusion vector (Magecart = Magento + shopping cart).

Magecart supply chain compromises are widespread. However, websites can also be targeted in direct operations that exploit existing vulnerabilities. Malicious changes to checkout pages are often minimal and hard to detect: criminals can simply append a few lines of code to a legitimate JavaScript library to avoid detection. A US precious metals retailer this year discovered that Magecart card-stealing code had been present on its website for some five months, likely affecting tens of thousands of customers. The incident highlights the stealth and long-term impact that a Magecart compromise can have on retailers.
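A small added check, not part of the original post, showing why even a few appended lines are catchable when third-party scripts are pinned: it computes a Subresource Integrity (SRI) digest for a constructed checkout library and flags a served copy that differs from the approved baseline. The library name and contents are constructed sample data.

```python
"""Added example (not from the original post): flag a third-party checkout
script whose served copy no longer matches the Subresource Integrity (SRI)
digest of the reviewed baseline. The library contents are constructed."""
import base64
import hashlib

def sri_digest(script_bytes: bytes, algo: str = "sha384") -> str:
    """Return the value a browser expects in integrity="...":
    '<algo>-<base64 of the raw digest>'."""
    raw = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"

def verify_script(served_bytes: bytes, expected_sri: str) -> bool:
    """True if the served copy still matches the pinned integrity value."""
    algo = expected_sri.split("-", 1)[0]
    return sri_digest(served_bytes, algo) == expected_sri

# Constructed baseline: the cart library as reviewed and approved.
BASELINE_JS = (b"(function(){window.cartTotal=function(items){"
               b"return items.reduce((a,b)=>a+b,0);};})();\n")
# Constructed tampered copy: the same library with two lines appended, which
# is all an injection needs; harmless placeholder lines stand in here.
TAMPERED_JS = BASELINE_JS + b"// appended line 1\n// appended line 2\n"

PINNED = sri_digest(BASELINE_JS)  # goes into the <script integrity=...> tag

def check_served_copies() -> dict:
    """Compare each served copy against the pinned digest."""
    return {"baseline": verify_script(BASELINE_JS, PINNED),
            "tampered": verify_script(TAMPERED_JS, PINNED)}

if __name__ == "__main__":
    print("integrity attribute:", PINNED)
    for name, ok in check_served_copies().items():
        print(f"{name}: {'ok' if ok else 'MISMATCH - review this script'}")
```

The same digest can be pinned in the page's `<script integrity="...">` attribute so the browser refuses a modified copy, and compared server-side on a schedule so a change is noticed in days rather than months.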

[Figure: Example of Magecart compromise]

Human-operated Ransomware

Although customers’ data are a precious criminal commodity, cybercriminals also target retailers’ networks for extortion. Human-operated ransomware, in particular, is among the most impactful and widespread threats that DarkLab analysts have observed targeting Hong Kong organisations in 2020.

This year we helped two prominent Hong Kong retailers respond to network compromises by the Maze and Netwalker ransomware families. As is increasingly common among ransomware operators, the retailers were threatened with data leaks on top of the coercion of data encryption. For retailers that process a significant amount of customer data, a data leak can present significant reputational and regulatory concerns, not to mention the operational impact that widespread encryption of systems can cause.

As we previously reported, ransomware operators often exploit known vulnerabilities in victims’ external IT estates (including SSL VPN appliances) and exposed remote access services like RDP. However, large-scale phishing campaigns like those of Emotet can also result in ransomware deployment. A specialist news outlet recently highlighted that most malware infections – even those from unknown or low-level variants – should be treated as potential ransomware incidents because of the growing popularity of initial access broker services.

Business email compromise remains a concern

DarkLab also observed companies in the retail sector becoming victims of another widespread threat, business email compromise. The international supply chains Hong Kong retailers rely on make them a target for fraudsters looking to impersonate distant third parties in order to misappropriate funds. As working-from-home arrangements become more prevalent, fraudsters are also looking to hijack communications between two employees in the same territory. The lack of physical interaction between employees makes email fraud easier.

To do so, fraudsters adopt ingenious social engineering techniques. These include passively monitoring email exchanges from a compromised email account and modifying only a few selected details – such as bank account details. Employees may therefore not realise their communications have been compromised until it is too late.

Strict rules for unusual bank transfers, as well as good email security hygiene, can help prevent, or at least detect, these kinds of incidents.

Opportunistic attacks are more than a nuisance

Some attacks are less sophisticated than others but still require lengthy and cumbersome responses. For instance, DarkLab is aware of a retailer operating in Hong Kong that was recently infected, likely in an automated fashion, by a self-spreading crypto miner. The malware exploited an exposed RDP server but was quickly detected by the victim’s security systems. Nonetheless, time and resources had to be spent on a thorough systems audit to ascertain the extent of the intrusion.

Similarly, data breaches can expose large amounts of customer data and pose a significant threat despite the perceived lack of attacker sophistication. In September, a threat actor on a popular hacking forum released almost 3 million customer records from an online hospitality company with operations in Hong Kong, Singapore and Malaysia.[1] Although the technical details of the breach are unclear, similar incidents often see criminals exploiting relatively unsophisticated techniques like SQL injection and exploitation of known vulnerabilities.

A thorough review of your online footprint and the implementation of basic cyber security hygiene can help prevent such opportunistic attacks.

Conclusion and mitigation

The COVID-19 pandemic affecting the globe has led to an uptick in cybercrime across all sectors. However, the ongoing sales and the coming Christmas season are likely to see retailers particularly targeted, as health restrictions force customers to rely on e-commerce platforms for purchasing products of all kinds.

With the holiday season in full swing, the volume of online purchases is likely to be at an all-time high. While there are clear opportunities for retailers to enjoy returns on a digital-focused business model, threat actors are also looking to exploit the techniques mentioned above for their own malicious purposes.

Based on DarkLab’s experience in helping retail clients respond to network intrusions and uplift their security posture, we recommend that organisations:

  • Enforce multi-factor authentication on all remote access services, including VPN, RDP and cloud environments.
  • Ensure ongoing visibility over all external-facing assets, and conduct regular vulnerability scans of external IP addresses.
  • Ensure mail filtering is in place to block inbound email that fails SPF, DKIM or DMARC checks.
  • Conduct regular security reviews of third-party code running on sensitive web pages such as checkout pages.
  • Enforce a Content Security Policy, and regularly review which domains can access your site and which resources they are allowed to load. This can help prevent Magecart skimmers from exfiltrating customers’ data from your site.
  • Consider adopting compliance as code so that breaches of pre-established security measures are automatically detected and stopped.
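As an added example of the Content Security Policy recommendation above (not part of the original post): a constructed checkout policy with violation reporting enabled, plus a triage routine that picks out the reports pointing at foreign code or exfiltration on the checkout flow. The shop domain, payment provider host, allowlist and sample reports are all constructed.

```python
"""Added example (not from the original post): triage Content Security
Policy (CSP) violation reports to surface possible web-skimmer exfiltration
from a checkout page. Shop domain, payment host, allowlist and sample
reports are constructed; report shape follows the CSP report-uri JSON."""
import json
from urllib.parse import urlparse

# Constructed policy for the checkout page: only first-party content and one
# reviewed payment provider may be loaded or contacted; violations are reported.
CHECKOUT_CSP = ("default-src 'self'; script-src 'self' https://pay.example-psp.test; "
                "connect-src 'self' https://pay.example-psp.test; img-src 'self'; "
                "form-action 'self'; report-uri /csp-report")
ALLOWED_HOSTS = {"shop.example.test", "pay.example-psp.test"}
# Directives whose violation on a checkout page suggests foreign code or an
# exfiltration channel (script load, fetch/XHR, image beacon, form post).
WATCHED_DIRECTIVES = {"script-src", "connect-src", "img-src", "form-action", "default-src"}

def triage(report_json: str):
    """Return an alert dict for a report that looks like skimming or
    exfiltration on the checkout flow, or None if it is not of interest."""
    r = json.loads(report_json).get("csp-report", {})
    page = urlparse(r.get("document-uri", ""))
    if not page.path.startswith("/checkout"):
        return None  # violations elsewhere go to routine review
    directive = (r.get("effective-directive") or r.get("violated-directive", "")).split(" ")[0]
    if directive not in WATCHED_DIRECTIVES:
        return None
    target = urlparse(r.get("blocked-uri", ""))
    if target.hostname in ALLOWED_HOSTS:
        return None  # known host: a policy gap, not an exfiltration attempt
    return {"page": page.path, "directive": directive,
            "blocked_host": target.hostname or r.get("blocked-uri")}

def make_report(page: str, directive: str, blocked: str) -> str:
    """Build a constructed report in the shape a browser POSTs to report-uri."""
    return json.dumps({"csp-report": {"document-uri": page,
                                      "effective-directive": directive, "blocked-uri": blocked}})

SAMPLE_REPORTS = [  # constructed: one foreign beacon, one trusted host, one off-checkout
    make_report("https://shop.example.test/checkout/payment", "connect-src",
                "https://stats.example-unknown.test/collect"),
    make_report("https://shop.example.test/checkout/payment", "img-src",
                "https://pay.example-psp.test/logo.png"),
    make_report("https://shop.example.test/blog/post", "img-src",
                "https://images.example-other.test/a.png"),
]

def alerts_for(reports: list[str]) -> list[dict]:
    return [a for a in (triage(r) for r in reports) if a]
```

Running `alerts_for(SAMPLE_REPORTS)` yields a single alert for the unknown host contacted from the checkout page; the trusted-host and off-checkout reports are left for routine policy review.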

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.