Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/20/2019
07:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

As Retailers Prepare for the Holiday Season, So Do Cybercriminals

Online shoppers need to be wary about domain spoofing, fraudulent giveaways, and other scams, ZeroFOX study shows.

Retailers aren't the only ones looking forward to a busy holiday shopping season this year. So are cybercriminals.

With all signs pointing to another record-breaking year for online merchants, crooks have begun ramping up their efforts to divert dollars their way via malicious domains, coupons, gift card scams, counterfeit goods, and other means.

Security vendor ZeroFOX recently analyzed threat data gathered from its retail customers over a period of 12 months. Data was analyzed across assets that a retailer wanted monitored, such as specific domains, brands, high-value executives and employees. For purposes of the research, ZeroFOX also gathered data from social media platforms, web marketplaces, the Dark Web, mobile app stores, and other sources.

ZeroFOX's analysis showed that retailers face a diverse and multifaceted threat landscape, says Ashlee Benge, a threat researcher at ZeroFOX. Most threats attempt to abuse the brand in some way. But the way it happens varies widely, she says. "The diversity in this landscape makes it more difficult for retailers to defend themselves and their brands from these attacks," Benge says.

Domain-based attacks top the list of threat that retailers — and, by extension, consumers — face this shopping season. These are attacks where threat actors set up websites that are spoofed to look like the domains of popular brands — and where users can land if, for example, they make a single typo or misspelling when entering the URL of the original sites. Users tricked into interacting with these domains can end up giving up account and payment card information and other sensitive data.

Ninety-two percent of the nearly 1.4 million alerts involving retail customers that ZeroFOX encountered last year involved domain-related issues. On average, ZeroFOX generated over six domain alerts per asset monitored, per day, over the 12-month period.

"A domain alert would be an alert indicator to possible impersonation or infringement of a brand, a product, or other asset," Benge says. "The findings showed this to be the most common alert type with a very significant number of these per legitimate instance of the underlying brand, product, etc.," she notes. The high incidence of these attacks makes it imperative for retail organizations to monitor domains related to their brands.

Proactive retailers can request takedown of domains that abuse their brand though the actual time needed to accomplish that can vary with hosts, networks, and registrars, Benge says. Retailers attempting to takedown spoofed domains can sometimes find the process takes longer than expected, and they end up being frustrated.

Fraudulent Giveaways and Brand Impersonation
Fraudulent giveaways, coupons, and gift cards are another major concern, as are counterfeit goods. ZeroFOX counted 2,900 such scams across its retail customer base over the last year — or roughly five scam alerts per brand asset monitored. Of these, 86% were giveaway scams, where users are tricked into parting with sensitive personal information under the belief they will get free holiday gifts, gift cards, or other products in exchange.

Here again, though it is not the retailer that is directly responsible for the scam, victims can often end up blaming them by association, according to ZeroFOX. "When scams and counterfeits are identified, particularly on social media platforms, the retailer has the right to request takedown of the content," Benge says. But as with domain takedown requests, content removal request can be an arduous process, depending on the volume of content, she says.

Brand impersonation is another issue that could trip up holiday shoppers this year. ZeroFOX identified over 33,000 instances where attackers tried to impersonate a brand by mimicking its pages, logos, and images in order to trick users. It counted another nearly 9,000 instances of executive impersonation among customers in the retail sector.

Impersonation accounts are often used to promote phishing campaigns and other scams such as directing users to sites that download malware. "By impersonating well-known individuals like executives, attackers are able to establish credibility and gain access to a wider pool of potential victims than they would be able to otherwise," Benge says.

Another report from One Identity this week shows that online scammers are not the only concern for retailers. The report, based on a survey of over 1,000 IT professionals, says that retailers feel most at risk compared with other organizations, from unsecured third-party access.

Nearly three in 10 retailers in the survey said that a third-party — such as a supplier or business partner — had successfully accessed files they were not supposed to, and 25% admitted to giving all third parties privileged access to their systems.

Todd Peterson, security evangelist at One Identity, says the reason why retailers likely feel this way is because of high employee turnover, a lot of seasonal workers, and a heavy reliance on third parties for key business operations that cannot be staffed at each retail location.

"The nature of their workforce and the fact that they are typically not in business for data security is the biggest factor that puts them at risk," Peterson says. "Basic security practices such as managing third-party access or deprovisioning users is often forgotten about from an operational standpoint, which puts most retailers at a higher risk."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How Medical Device Vendors Hold Healthcare Security for Ransom."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
fredluis
50%
50%
fredluis,
User Rank: Apprentice
12/17/2019 | 10:09:41 PM
Re: As Retailers Prepare for the Holiday Season, So Do Cybercriminals
This is one of the good articles you can find in the net explaining everything in detail regarding the topic. I thank youfor taking your time sharing your thoughts and ideas to a lot of readers out there.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13295
PUBLISHED: 2020-08-10
For GitLab Runner before 13.0.12, 13.1.6, 13.2.3, by replacing dockerd with a malicious server, the Shared Runner is susceptible to SSRF.
CVE-2020-6070
PUBLISHED: 2020-08-10
An exploitable code execution vulnerability exists in the file system checking functionality of fsck.f2fs 1.12.0. A specially crafted f2fs file can cause a logic flaw and out-of-bounds heap operations, resulting in code execution. An attacker can provide a malicious file to trigger this vulnerabilit...
CVE-2020-6145
PUBLISHED: 2020-08-10
An SQL injection vulnerability exists in the frappe.desk.reportview.get functionality of ERPNext 11.1.38. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVE-2020-8224
PUBLISHED: 2020-08-10
A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL config into a fixed directory.
CVE-2020-8229
PUBLISHED: 2020-08-10
A memory leak in the OCUtil.dll library used by Nextcloud Desktop Client 2.6.4 can lead to a DoS against the host system.