Retailers aren't the only ones looking forward to a busy holiday shopping season this year. So are cybercriminals.
With all signs pointing to another record-breaking year for online merchants, crooks have begun ramping up their efforts to divert dollars their way via malicious domains, coupons, gift card scams, counterfeit goods, and other means.
Security vendor ZeroFOX recently analyzed threat data gathered from its retail customers over a period of 12 months. Data was analyzed across assets that a retailer wanted monitored, such as specific domains, brands, high-value executives and employees. For purposes of the research, ZeroFOX also gathered data from social media platforms, web marketplaces, the Dark Web, mobile app stores, and other sources.
ZeroFOX's analysis showed that retailers face a diverse and multifaceted threat landscape, says Ashlee Benge, a threat researcher at ZeroFOX. Most threats attempt to abuse the brand in some way. But the way it happens varies widely, she says. "The diversity in this landscape makes it more difficult for retailers to defend themselves and their brands from these attacks," Benge says.
Domain-based attacks top the list of threats that retailers — and, by extension, consumers — face this shopping season. These are attacks where threat actors set up websites that are spoofed to look like the domains of popular brands — and where users can land if, for example, they make a single typo or misspelling when entering the URL of the original sites. Users tricked into interacting with these domains can end up giving up account and payment card information and other sensitive data.
Ninety-two percent of the nearly 1.4 million alerts involving retail customers that ZeroFOX encountered last year involved domain-related issues. On average, ZeroFOX generated over six domain alerts per asset monitored, per day, over the 12-month period.
"A domain alert would be an alert indicator to possible impersonation or infringement of a brand, a product, or other asset," Benge says. "The findings showed this to be the most common alert type with a very significant number of these per legitimate instance of the underlying brand, product, etc.," she notes. The high incidence of these attacks makes it imperative for retail organizations to monitor domains related to their brands.
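One way a brand-monitoring check of the kind described above could score observed domains, as an added example that is not from ZeroFOX or the original article. The brand domain, the observed-domain feed, and all function names are constructed for illustration.

```python
def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def split_domain(domain):
    # Assumes a registrable domain with a single-label TLD (no subdomains).
    label, _, tld = domain.lower().rstrip(".").partition(".")
    return label, tld


def classify(domain, brand, max_dist=2):
    """Return why `domain` resembles `brand`, or None if it does not."""
    label, tld = split_domain(domain)
    b_label, b_tld = split_domain(brand)
    if (label, tld) == (b_label, b_tld):
        return None  # the legitimate domain itself
    if label == b_label:
        return "tld-swap"  # same name registered under another TLD
    if osa_distance(label, b_label) <= max_dist:
        return "typo"  # a keystroke or two away from the brand
    if b_label in label.replace("-", ""):
        return "brand-keyword"  # brand name embedded in a longer label
    return None


def flag_lookalikes(observed, brand):
    return [(d, r) for d in observed if (r := classify(d, brand))]


BRAND = "examplestore.com"  # constructed brand domain
OBSERVED = [  # constructed feed of newly observed domains
    "examplestore.com", "exmaplestore.com", "examplestor.com",
    "examplestore.shop", "example-store-deals.com", "gardenhose.net",
]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes(OBSERVED, BRAND):
        print(f"{reason:14} {domain}")
```

The distance threshold is a tuning choice: short brand names need a tighter `max_dist` to avoid flagging unrelated domains.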
Proactive retailers can request takedown of domains that abuse their brand, though the actual time needed to accomplish that can vary with hosts, networks, and registrars, Benge says. Retailers attempting to take down spoofed domains can sometimes find the process takes longer than expected, and they end up being frustrated.
Fraudulent Giveaways and Brand Impersonation
Fraudulent giveaways, coupons, and gift cards are another major concern, as are counterfeit goods. ZeroFOX counted 2,900 such scams across its retail customer base over the last year — or roughly five scam alerts per brand asset monitored. Of these, 86% were giveaway scams, where users are tricked into parting with sensitive personal information under the belief they will get free holiday gifts, gift cards, or other products in exchange.
Here again, though it is not the retailer that is directly responsible for the scam, victims can often end up blaming them by association, according to ZeroFOX. "When scams and counterfeits are identified, particularly on social media platforms, the retailer has the right to request takedown of the content," Benge says. But as with domain takedown requests, content removal requests can be an arduous process, depending on the volume of content, she says.
Brand impersonation is another issue that could trip up holiday shoppers this year. ZeroFOX identified over 33,000 instances where attackers tried to impersonate a brand by mimicking its pages, logos, and images in order to trick users. It counted another nearly 9,000 instances of executive impersonation among customers in the retail sector.
Impersonation accounts are often used to promote phishing campaigns and other scams such as directing users to sites that download malware. "By impersonating well-known individuals like executives, attackers are able to establish credibility and gain access to a wider pool of potential victims than they would be able to otherwise," Benge says.
Another report from One Identity this week shows that online scammers are not the only concern for retailers. The report, based on a survey of over 1,000 IT professionals, says that retailers, compared with other organizations, feel most at risk from unsecured third-party access.
Nearly three in 10 retailers in the survey said that a third party — such as a supplier or business partner — had successfully accessed files they were not supposed to, and 25% admitted to giving all third parties privileged access to their systems.
Todd Peterson, security evangelist at One Identity, says retailers likely feel this way because of high employee turnover, a lot of seasonal workers, and a heavy reliance on third parties for key business operations that cannot be staffed at each retail location.
"The nature of their workforce and the fact that they are typically not in business for data security is the biggest factor that puts them at risk," Peterson says. "Basic security practices such as managing third-party access or deprovisioning users is often forgotten about from an operational standpoint, which puts most retailers at a higher risk."