While U.S. retailers are looking to the holiday shopping season to deliver roughly one-third of their annual revenues, organized cybercriminals are also gearing up for a profits bonanza. On the dark web and places like Telegram, criminal gangs frequently based outside the U.S. know that during the holidays consumers traditionally search for bargains and are attracted by familiar brands and trusted retailers.
Threat actors have become adept at using social media to distribute fake pop-up advertisements offering convincing but non-existent bargains to online shoppers. Frequently, the duped customers are directed to cloned retail websites that are virtually indistinguishable from the real thing.
Criminal forums also offer software and training packages designed to allow even relatively inexperienced cybercriminals to create highly convincing clones of famous brands' and well-known retailers' websites. Companies can suffer lasting brand damage when previously loyal customers are conned by such methods. Dark web forums also carry tutorials teaching threat actors how to file fraudulent chargebacks that exploit retailers' good-faith policies, claiming that products never arrived or were not the products purchased. Seasonal shopping habits mean that retailers have come to expect a growing number of chargebacks and may let too many fraudulent claims slip through their net as a result. The direct business impacts are immediate revenue loss and distorted inventory records.
The holidays are also a time of year when gift cards are especially targeted by criminal actors, as they are easy to monetize anonymously. These threat actors use "generators," software that produces large quantities of candidate gift card numbers that fit the targeted retailer's card-number format. Once generated, these numbers are automatically checked for a balance against the retailer's site through bots or "checkers." When a threat actor finds a positive balance, they either spend it on online purchases or resell the card for a profit. Cybercriminals advertise such services on criminal forums, claiming to have a script that both generates and checks gift card codes.
Coupon codes are generated and checked the same way, typically by submitting candidates at product checkout, and a working gift card is then resold for less than its face value. Shopping holidays see retailers distribute far more coupons and gift cards than usual, since they are widely bought as Christmas presents, and the larger pool of live codes raises the likelihood that a generated candidate matches a valid one.
Major retailers can also expect a steep seasonal spike in spear-phishing aimed at senior executives and key personnel via email and social media, often in the form of spurious job offers that encourage the targets to divulge sensitive information. The holidays also see a rise in carding. Before using stolen payment card details for fraudulent purchases, threat actors validate them on retailer websites using automated tools called carding bots. These perform brute-force or "card stuffing" attacks against retailer checkout pages, testing thousands of stolen cards with low-value purchases; a card whose small purchase is approved and not blocked is thereby "validated" as live with a positive balance and can be sold or used at higher value.
To support these attacks, a threat actor on a dark web forum will share a bot configuration for a specific retailer's checkout so that other actors can run their own card lists through it. Alongside these seasonal threats, retail networks have become a prime commercial target for ransomware, as their complex supply chains make them fertile ground for attackers seeking to extract payouts from major business partners in the supply chain.
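The card-testing pattern described above is detectable on the retailer's side because a bot validating a stolen card list looks nothing like a shopper: one source submits many distinct cards within minutes, almost all for a dollar or less, and most of them decline. The following is an added example, not code from the article or from Cyberint, that runs such a check over a constructed authorisation log; the log format, field names (client IP, a BIN-plus-last-four card fingerprint, amount, result) and the thresholds are assumptions chosen for illustration.

```python
"""Card-testing (carding bot) detection over a constructed authorisation log.

Added example, not from the original article or from Cyberint. The log format,
the IP addresses, the card fingerprints and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log: timestamp, client IP, card fingerprint (BIN-last4),
# amount in USD, authorisation result. The first source behaves like a bot.
SAMPLE_LOG = """\
2023-11-24T09:00:01Z 203.0.113.7 411111-1111 1.00 DECLINED
2023-11-24T09:00:03Z 203.0.113.7 411111-2222 1.00 DECLINED
2023-11-24T09:00:04Z 203.0.113.7 555555-3333 0.99 APPROVED
2023-11-24T09:00:06Z 203.0.113.7 555555-4444 1.00 DECLINED
2023-11-24T09:00:09Z 203.0.113.7 411111-5555 1.00 APPROVED
2023-11-24T09:00:11Z 203.0.113.7 378282-6666 1.00 DECLINED
2023-11-24T09:01:30Z 198.51.100.9 411111-7777 129.99 APPROVED
2023-11-24T09:05:12Z 198.51.100.9 411111-7777 19.99 APPROVED
2023-11-24T09:07:45Z 192.0.2.50 555555-8888 249.00 DECLINED
2023-11-24T09:08:02Z 192.0.2.50 555555-8888 249.00 APPROVED
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, card, amount, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "card": card,
            "amount": float(amount),
            "result": result,
        })
    return events


def detect_card_testing(events, window=timedelta(minutes=5),
                        min_distinct_cards=5, max_median_amount=5.0,
                        min_decline_ratio=0.4):
    """Return {ip: stats} for sources whose traffic matches card testing:
    many distinct cards inside `window`, tiny amounts, a high decline rate.
    The stats include the cards the bot managed to validate (approved)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window anchored at each event in turn.
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            cards = {e["card"] for e in in_window}
            if len(cards) < min_distinct_cards:
                continue
            med = median(e["amount"] for e in in_window)
            declined = sum(e["result"] == "DECLINED" for e in in_window)
            ratio = declined / len(in_window)
            if med <= max_median_amount and ratio >= min_decline_ratio:
                flagged[ip] = {
                    "distinct_cards": len(cards),
                    "median_amount": med,
                    "decline_ratio": round(ratio, 2),
                    # Cards that passed: these are what the attacker keeps.
                    "validated_cards": sorted(
                        e["card"] for e in in_window if e["result"] == "APPROVED"),
                }
                break
    return flagged


def run_detection():
    """Run the detector over the constructed sample log."""
    return detect_card_testing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, stats in run_detection().items():
        print(ip, stats)
```

Only 203.0.113.7 is flagged: six distinct cards in ten seconds, a median amount of $1.00 and a 67% decline rate, with two cards approved and therefore validated. The genuine shoppers (one card each, normal basket values, a single retry after a decline) pass. In production the same logic would key on session, device fingerprint or account as well as IP, and the approved cards from a flagged source are the ones to void and report to the issuer.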
Retailers now face the challenge of deciding how many resources to spend on cybersecurity at a time when their resources are committed to maximizing revenue from seasonal shopping. By ignoring the problem, retailers leave themselves open to damaged brand image and lost revenues that will extend well beyond the festive season.
Even if resources are limited, it is essential that companies take some basic precautions immediately. Tighten fraud checks on buyer payment cards, including velocity checks that catch one source testing many cards with low-value purchases. Enforce verification for returns and chargebacks so that fraudulent refund requests do not succeed. To blunt gift card generators, take balance checks off the public web interface, for example by moving them to a phone line. Companies that wish to keep an online balance check should make the gift card code structure harder to guess, rate-limit checks per source, and add strong CAPTCHA tests to slow automated checking, bearing in mind that a CAPTCHA alone raises the attacker's cost rather than stopping an enumeration that is otherwise unthrottled.
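The gift card advice above comes down to two controls: a code format that a generator cannot predict, and a balance check that a checker bot cannot hammer. The following is an added example, not code from the article or from Cyberint, that makes both concrete. It contrasts a weak format (fixed prefix, sequential serial, Luhn check digit) with a hardened one (random serial plus a keyed HMAC tag that is verified before any balance lookup), measures how often each scheme's candidates hit a constructed set of 10,000 issued cards, and shows a per-source limiter on balance checks. The prefix, alphabet, issued set, key and limits are all assumptions chosen for illustration.

```python
"""Gift card code structure and balance-check throttling.

Added example, not from the original article or from Cyberint. The retailer
prefix, the 10,000-card issued set, the HMAC key and the rate limit are all
assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import string

PREFIX = "600649"                               # assumed retailer prefix
ALPHABET = string.ascii_uppercase + "234567"    # 32 symbols, no 0/1/8/9


# --- Weak scheme: prefix + 9-digit sequential serial + Luhn check digit.
# Luhn only catches typos; holding one card reveals all the neighbours.
def luhn_check_digit(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def weak_issue(serial):
    body = PREFIX + f"{serial:09d}"
    return body + luhn_check_digit(body)


def weak_generator(known_code, count):
    """Attacker holds one valid card and enumerates the next `count` serials."""
    serial = int(known_code[len(PREFIX):-1])
    return [weak_issue(serial + i) for i in range(1, count + 1)]


# --- Hardened scheme: random 10-symbol serial + 8-symbol HMAC tag.
# Nothing in the code is sequential, and a forged tag is rejected before
# the balance database is ever consulted.
def _tag(key, serial):
    digest = hmac.new(key, serial.encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:8])


def hardened_issue(key):
    serial = "".join(secrets.choice(ALPHABET) for _ in range(10))
    return serial + _tag(key, serial)


def hardened_verify(key, code):
    if len(code) != 18:
        return False
    return hmac.compare_digest(_tag(key, code[:10]), code[10:])


def hit_rate(candidates, is_valid):
    return sum(1 for c in candidates if is_valid(c)) / len(candidates)


def compare_schemes(count=1000):
    """Hit rate of `count` generated candidates against 10,000 issued cards."""
    issued_weak = {weak_issue(s) for s in range(100_000_000, 100_010_000)}
    known = weak_issue(100_004_567)              # one card the attacker bought
    weak_rate = hit_rate(weak_generator(known, count), issued_weak.__contains__)

    key = secrets.token_bytes(32)                # retailer's secret, server-side
    issued_hard = {hardened_issue(key) for _ in range(10_000)}
    attacker_key = secrets.token_bytes(32)       # attacker has to guess tags
    forged = []
    for _ in range(count):
        serial = "".join(secrets.choice(ALPHABET) for _ in range(10))
        forged.append(serial + _tag(attacker_key, serial))
    hard_rate = hit_rate(
        forged, lambda c: hardened_verify(key, c) and c in issued_hard)
    return {
        "weak_hit_rate": weak_rate,
        "hardened_hit_rate": hard_rate,
        "issued_hardened_verifies": hardened_verify(key, next(iter(issued_hard))),
    }


# --- Balance-check throttling: a fixed-window limit per source.
class BalanceCheckLimiter:
    def __init__(self, max_checks, window_s):
        self.max_checks, self.window_s = max_checks, window_s
        self._hits = {}                          # source -> (window_start, count)

    def allow(self, source, now):
        start, n = self._hits.get(source, (now, 0))
        if now - start >= self.window_s:         # window expired, reset
            start, n = now, 0
        if n >= self.max_checks:
            return False
        self._hits[source] = (start, n + 1)
        return True


def simulate_checker_bot(attempts=100, per_second=10):
    """One source firing `attempts` checks; returns (allowed, blocked)."""
    limiter = BalanceCheckLimiter(max_checks=5, window_s=60)
    allowed = sum(limiter.allow("203.0.113.7", i / per_second)
                  for i in range(attempts))
    return allowed, attempts - allowed
```

With the weak format, an attacker who owns a single card and enumerates the next thousand serials hits issued cards every time; with the hardened format, random candidates hit none, because the tag cannot be forged without the server's key and the serial space (32^10) dwarfs the issued set. The limiter then caps what a checker can learn even about the weak format: a bot firing 100 checks in ten seconds gets five answers and 95 refusals. In practice the limit should also be keyed on session and account, since checker bots rotate IP addresses.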
Retailers that can commit more substantial resources to protecting themselves and their customers will see a high return on that investment, having avoided substantial revenue loss, lasting brand damage, loss of customer confidence, and compromised relationships with business partners.
Reuben Braham, vice president of marketing, Cyberint