Cyber threats to the retail sector
The retail industry is increasingly moving towards e-commerce platforms and cashless, even contactless, payments – a trend accelerated by the COVID-19 pandemic.
Even before that, in 2020, 41% of shoppers said they would purchase online items they would normally go to the store for. In 2019, 53% of Hong Kong residents tried to be completely cashless, according to Visa. The retail and consumer landscape is clearly changing rapidly, and the cyber threats facing the industry are following suit.
As payments increasingly move online, so do cybercriminals’ attempts to steal payment card data. Traditional point-of-sale (POS) malware steals customers’ data by infecting retailers’ POS devices. While still present, POS malware is losing effectiveness as card standards such as EMV become more secure and contactless payments grow, including mobile payment systems like Apple Pay and Google Pay.
The growing threat of web skimmers
(Figure: Example of Magecart compromise)
Although customers’ data are a precious criminal commodity, cybercriminals also target retailers’ networks for extortion. Human-operated ransomware in particular is among the most impactful and widespread threats that DarkLab analysts have observed targeting Hong Kong organisations in 2020.
This year we helped two prominent Hong Kong retailers respond to network compromises by the Maze and Netwalker ransomware families. As is increasingly common among ransomware operators, the retailers were threatened with data leaks on top of the coercion of data encryption. For retailers that process a significant amount of customer data, a leak can raise serious reputational and regulatory concerns, not to mention the operational impact that widespread encryption of systems can cause.
As we previously reported, ransomware operators often exploit known vulnerabilities in victims’ external IT estates (including SSL VPN appliances) and exposed remote access services like RDP. However, large-scale phishing campaigns such as Emotet’s can also result in ransomware deployment. A specialist news outlet recently highlighted that most malware infections – even by unknown or low-level variants – should be treated as potential ransomware incidents, given the growing popularity of initial access broker malware services.
Business email compromise remains a concern
DarkLab also observed companies in the retail sector falling victim to another widespread threat, business email compromise. The international supply chains Hong Kong retailers rely on make them a target for fraudsters looking to impersonate distant third parties in order to misappropriate funds. As working-from-home arrangements become more prevalent, fraudsters are also looking to hijack communications between two employees in the same territory; the lack of physical interaction between employees makes email fraud easier.
To do this, fraudsters adopt ingenious social engineering techniques. These include passively monitoring email exchanges from a compromised email account and modifying only a few selected details – such as bank account numbers – so that employees do not realise their communications have been compromised until it is too late.
Strict rules for unusual bank transfers, as well as good email security hygiene, can help prevent, or at least detect, these kinds of incidents.
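As an added illustration of the email hygiene point above and of the mail-filtering recommendation at the end of this article (this is example code, not part of the original article or of DarkLab’s tooling), the Python below parses an Authentication-Results header of the kind a receiving gateway stamps on inbound mail, blocks messages that fail SPF, DKIM or DMARC, and flags sender domains that closely resemble a trusted supplier’s domain, the pattern used to impersonate a distant third party. The header values, the supplier domain list and the edit-distance threshold are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample Authentication-Results headers, as a receiving gateway
# (authserv-id "mx.retailer.example") would stamp them; not from real traffic.
SAMPLE_HEADERS = {
    "genuine": ("mx.retailer.example; spf=pass smtp.mailfrom=supplier.example; "
                "dkim=pass header.d=supplier.example; "
                "dmarc=pass header.from=supplier.example"),
    "spoofed": ("mx.retailer.example; spf=fail smtp.mailfrom=supplier.example; "
                "dkim=none; dmarc=fail (p=reject) header.from=supplier.example"),
    "lookalike": ("mx.retailer.example; spf=pass smtp.mailfrom=suppl1er.example; "
                  "dkim=pass header.d=suppl1er.example; "
                  "dmarc=pass header.from=suppl1er.example"),
}

# Constructed list of suppliers the retailer actually pays (assumption).
TRUSTED_SUPPLIER_DOMAINS = ["supplier.example", "logistics-partner.example"]


def parse_auth_results(header: str) -> dict:
    """Parse an RFC 8601 Authentication-Results header into
    {method: {"result": str, "props": {key: value}}}.
    Parenthesised comments such as "(p=reject)" are dropped and the leading
    authserv-id clause is skipped."""
    cleaned = re.sub(r"\([^)]*\)", "", header)
    clauses = [c.strip() for c in cleaned.split(";") if c.strip()]
    parsed = {}
    for clause in clauses[1:]:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for token in tokens[1:]:
            key, _, value = token.partition("=")
            props[key.lower()] = value.lower()
        parsed[method.lower()] = {"result": result.lower(), "props": props}
    return parsed


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character-off domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: list, max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain that `domain` closely resembles without
    matching it exactly, or None if there is no such domain."""
    for known in trusted:
        if domain != known and edit_distance(domain, known) <= max_distance:
            return known
    return None


def triage(header: str, trusted: list = TRUSTED_SUPPLIER_DOMAINS) -> tuple:
    """Decide what the gateway should do with a message:
    "block"   - SPF, DKIM or DMARC reports a hard fail
    "review"  - authentication passed but the From domain resembles a supplier
    "deliver" - otherwise"""
    auth = parse_auth_results(header)
    failures = [f"{m}={auth[m]['result']}" for m in ("spf", "dkim", "dmarc")
                if auth.get(m, {}).get("result") == "fail"]
    if failures:
        return "block", failures
    from_domain = auth.get("dmarc", {}).get("props", {}).get("header.from", "")
    known = lookalike_of(from_domain, trusted)
    if known:
        return "review", [f"header.from {from_domain} resembles {known}"]
    return "deliver", []


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(name, triage(header))
```

A result of dkim=none is deliberately not treated as a failure: it means no signature was present, which DMARC already accounts for through its own verdict. The lookalike check is the part authentication protocols cannot do for you, since a fraudster’s registered domain passes SPF and DKIM for itself.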
Opportunistic attacks are more than a nuisance
Some attacks are less sophisticated than others but still require lengthy and cumbersome responses. For instance, DarkLab is aware of a retailer operating in Hong Kong that was recently infected, in a likely automated fashion, by a self-spreading cryptocurrency miner. The malware exploited an exposed RDP server but was quickly detected by the victim’s security systems. Nonetheless, time and resources had to be spent on a thorough audit of the systems to ascertain the extent of the intrusion.
Similarly, data breaches can expose large amounts of customer data and pose a significant threat despite the perceived lack of attacker sophistication. In September, a threat actor on a popular hacking forum released almost 3 million customer records from an online hospitality company with operations in Hong Kong, Singapore and Malaysia. Although the technical details of the breach are unclear, similar incidents often see criminals using relatively unsophisticated techniques such as SQL injection and the exploitation of known vulnerabilities.
A thorough review of your online footprint and the implementation of basic cyber security hygiene can help prevent such opportunistic attacks.
Conclusion and mitigation
The COVID-19 pandemic has led to an uptick in cybercrime across all sectors. However, the ongoing sales and the coming Christmas season are likely to see retailers particularly targeted, as public health restrictions force customers to rely on e-commerce platforms for products of all kinds.
With the holiday season in full swing, the volume of online purchases is likely to be at an all-time high. While there are clear opportunities for retailers to enjoy returns on a digital-focused business model, threat actors are also looking to exploit the techniques described above for their own malicious purposes.
Based on DarkLab’s experience in helping retail clients respond to network intrusions and uplift their security posture, we recommend that organisations:
- Enforce multi-factor authentication on all remote access services, including VPN, RDP and cloud environments.
- Maintain ongoing visibility over all external-facing assets, and conduct regular vulnerability scans of external IP addresses.
- Ensure mail filtering is in place to block inbound email that fails SPF, DKIM or DMARC checks.
- Conduct regular security reviews of third-party code running on sensitive web pages such as checkout pages.
- Enforce a Content Security Policy and regularly review which domains your site may load resources from and what resources they are allowed to load. This can help prevent Magecart-style skimmers exfiltrating customers’ data from your site.
- Consider adopting compliance as code to ensure breaches of pre-established security measures are automatically detected and stopped.
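The Content Security Policy recommendation above (and the web skimmer section earlier) turns on what a policy lets a checkout page load and connect to. As an added example that is not from the article or from DarkLab, the Python below evaluates a constructed weak policy against a constructed hardened one: it parses the policy string, applies the default-src fallback browsers use for missing fetch directives, reports which directives contain wildcard-like sources, and answers whether a given URL would be permitted under a given directive. The page origin, host names and policies are invented for illustration, and the source matching is a simplification of the CSP specification (no nonce or hash handling, no port or path matching).

```python
from urllib.parse import urlparse

# Constructed policies for a checkout page served from PAGE_ORIGIN (assumption).
# WEAK_CSP allows any https host, so it blocks nothing an injected skimmer needs;
# HARDENED_CSP pins scripts and network calls to named payment hosts.
PAGE_ORIGIN = "https://shop.example"
WEAK_CSP = "default-src 'self' https:; script-src 'self' 'unsafe-inline' https:"
HARDENED_CSP = ("default-src 'self'; "
                "script-src 'self' https://js.payments.example; "
                "connect-src 'self' https://api.payments.example; "
                "form-action 'self'")

# Fetch directives that fall back to default-src when absent.
# form-action deliberately does not fall back.
FALLS_BACK_TO_DEFAULT = {"script-src", "connect-src", "img-src", "style-src",
                         "font-src", "frame-src", "media-src", "object-src"}

# Sources that match far more than one named host or relax script execution.
BROAD_SOURCES = {"*", "http:", "https:", "'unsafe-inline'", "'unsafe-eval'"}

# Constructed URL standing in for a host that is not on the allow-list.
UNLISTED_ENDPOINT = "https://unlisted-third-party.example/collect"


def parse_csp(policy: str) -> dict:
    """Split a policy string into {directive: [source, ...]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_matches(source: str, url: str, page_origin: str) -> bool:
    """Simplified source-expression match: 'self', '*', scheme-sources such as
    https:, and host-sources with an optional scheme and a leading *. wildcard.
    Other quoted keywords ('none', 'unsafe-inline', nonces, hashes) never
    match a URL."""
    target = urlparse(url)
    if source == "'self'":
        return f"{target.scheme}://{target.netloc}" == page_origin
    if source.startswith("'"):
        return False
    if source == "*":
        return True
    if source.endswith(":"):  # scheme-source, e.g. https:
        return target.scheme == source[:-1]
    if "://" in source:
        scheme, _, host_pattern = source.partition("://")
        if scheme != target.scheme:
            return False
    else:
        host_pattern = source
    host_pattern = host_pattern.split("/")[0].lower()
    if host_pattern.startswith("*."):
        return target.netloc.lower().endswith(host_pattern[1:])
    return target.netloc.lower() == host_pattern


def allows(policy: str, directive: str, url: str, page_origin: str = PAGE_ORIGIN) -> bool:
    """Would a browser enforcing `policy` permit `url` under `directive`?
    A missing fetch directive inherits default-src; with no governing
    directive at all the browser allows the load."""
    directives = parse_csp(policy)
    sources = directives.get(directive)
    if sources is None and directive in FALLS_BACK_TO_DEFAULT:
        sources = directives.get("default-src")
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)


def broad_directives(policy: str) -> dict:
    """List every directive whose sources include a wildcard-like entry;
    these are the directives a review of the checkout page should tighten."""
    return {d: [s for s in srcs if s in BROAD_SOURCES]
            for d, srcs in parse_csp(policy).items()
            if any(s in BROAD_SOURCES for s in srcs)}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(name, "connect to unlisted host:",
              allows(policy, "connect-src", UNLISTED_ENDPOINT))
        print(name, "broad directives:", broad_directives(policy))
```

Note that the hardened policy still refuses an image from the payment API host, because img-src is absent and so inherits default-src 'self'; that is the intended behaviour of the fallback, and the kind of detail worth checking before enforcing a policy rather than after. Rolling a new policy out first through the Content-Security-Policy-Report-Only header lets you observe violations without breaking the checkout flow.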