Dark Reading
Attacks/Breaches
11/20/2019 07:00 PM

As Retailers Prepare for the Holiday Season, So Do Cybercriminals

Online shoppers need to be wary about domain spoofing, fraudulent giveaways, and other scams, ZeroFOX study shows.

Retailers aren't the only ones looking forward to a busy holiday shopping season this year. So are cybercriminals.

With all signs pointing to another record-breaking year for online merchants, crooks have begun ramping up their efforts to divert dollars their way via malicious domains, coupons, gift card scams, counterfeit goods, and other means.

Security vendor ZeroFOX recently analyzed threat data gathered from its retail customers over a period of 12 months. Data was analyzed across assets that a retailer wanted monitored, such as specific domains, brands, high-value executives and employees. For purposes of the research, ZeroFOX also gathered data from social media platforms, web marketplaces, the Dark Web, mobile app stores, and other sources.

ZeroFOX's analysis showed that retailers face a diverse and multifaceted threat landscape, says Ashlee Benge, a threat researcher at ZeroFOX. Most threats attempt to abuse the brand in some way. But the way it happens varies widely, she says. "The diversity in this landscape makes it more difficult for retailers to defend themselves and their brands from these attacks," Benge says.

Domain-based attacks top the list of threats that retailers, and by extension consumers, face this shopping season. In these attacks, threat actors register lookalike domains that are spoofed to resemble those of popular brands, and users can land on them by making a single typo or misspelling when entering the URL of the genuine site. Users tricked into interacting with these domains can end up handing over account credentials, payment card information, and other sensitive data.

Ninety-two percent of the nearly 1.4 million alerts involving retail customers that ZeroFOX encountered last year involved domain-related issues. On average, ZeroFOX generated over six domain alerts per asset monitored, per day, over the 12-month period.

"A domain alert would be an alert indicator to possible impersonation or infringement of a brand, a product, or other asset," Benge says. "The findings showed this to be the most common alert type with a very significant number of these per legitimate instance of the underlying brand, product, etc.," she notes. The high incidence of these attacks makes it imperative for retail organizations to monitor domains related to their brands.
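One way a retailer's own monitoring could triage a feed of newly observed domains against its brand assets, along the lines of the domain alerts described above. This is an added example, not ZeroFOX's code and not part of the original article; the brand names, the homoglyph map, the edit-distance threshold and the sample feed are constructed assumptions, and a real deployment would take its candidate domains from certificate-transparency logs or passive DNS and use the public suffix list to find the registrable label.

```python
"""Flag lookalike domains against monitored brand assets (added example).

A domain raises an alert when its registrable label is a near-match of a
monitored brand: a homoglyph-normalised exact match, a small edit distance,
or the brand embedded in a longer label (e.g. "<brand>-giveaway").
"""
from dataclasses import dataclass
from typing import List, Optional

# Monitored brand assets (constructed for this example).
MONITORED_BRANDS = ["acmeshop", "acmegiftcards"]

# Common character swaps used in lookalike domains (constructed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

# Edit-distance threshold for a "near miss" (assumption).
MAX_DISTANCE = 2

# Constructed feed of newly observed domains, as a monitoring service might supply.
SAMPLE_FEED = [
    "acmeshop.com",            # the legitimate asset itself
    "acmesh0p.com",            # digit-for-letter homoglyph
    "acmeshopp.net",           # one extra character
    "acme-shop.com",           # inserted hyphen
    "acmeshop-giveaway.com",   # brand embedded in a longer label
    "acrneshop.com",           # "rn" standing in for "m"
    "example.org",             # unrelated
    "acmegiftcards.com",       # another legitimate asset
]


@dataclass
class DomainAlert:
    domain: str
    brand: str
    reason: str


def normalise(label: str) -> str:
    """Lower-case the label and undo the homoglyph swaps in HOMOGLYPHS."""
    label = label.lower()
    for lookalike, original in HOMOGLYPHS.items():
        label = label.replace(lookalike, original)
    return label


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label of the domain. Crude: real code needs the public suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def check_domain(domain: str, brands: List[str] = MONITORED_BRANDS,
                 max_distance: int = MAX_DISTANCE) -> Optional[DomainAlert]:
    """Return a DomainAlert if the domain looks like an impersonation of a brand."""
    label = registrable_label(domain)
    if label in brands:
        return None  # the retailer's own asset, not an alert
    norm = normalise(label)
    for brand in brands:
        if norm == brand:
            return DomainAlert(domain, brand, "homoglyph")
        distance = levenshtein(label, brand)
        if distance <= max_distance:
            return DomainAlert(domain, brand, f"edit-distance-{distance}")
        if brand in norm and len(norm) > len(brand):
            return DomainAlert(domain, brand, "embedded-brand")
    return None


def scan_feed(domains: List[str], brands: List[str] = MONITORED_BRANDS) -> List[DomainAlert]:
    """Run check_domain over a feed and keep only the domains that alerted."""
    alerts = (check_domain(d, brands) for d in domains)
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for alert in scan_feed(SAMPLE_FEED):
        print(f"{alert.domain:25} -> {alert.brand} ({alert.reason})")
```

The exact-match check runs before any fuzzy matching so the retailer's own domains never alert, and the homoglyph check runs before edit distance so that a digit swap is reported by the more specific reason. Embedded-brand matching is the noisiest rule (legitimate resellers and fan pages trip it), so in practice it should feed a review queue rather than an automatic takedown request.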

Proactive retailers can request takedown of domains that abuse their brand, though the actual time needed to accomplish that varies with hosts, networks, and registrars, Benge says. Retailers attempting to take down spoofed domains sometimes find the process takes longer than expected, and they end up frustrated.

Fraudulent Giveaways and Brand Impersonation
Fraudulent giveaways, coupons, and gift cards are another major concern, as are counterfeit goods. ZeroFOX counted 2,900 such scams across its retail customer base over the last year — or roughly five scam alerts per brand asset monitored. Of these, 86% were giveaway scams, where users are tricked into parting with sensitive personal information under the belief they will get free holiday gifts, gift cards, or other products in exchange.

Here again, though the retailer is not directly responsible for the scam, victims often end up blaming it by association, according to ZeroFOX. "When scams and counterfeits are identified, particularly on social media platforms, the retailer has the right to request takedown of the content," Benge says. But as with domain takedown requests, content removal requests can be an arduous process, depending on the volume of content, she says.

Brand impersonation is another issue that could trip up holiday shoppers this year. ZeroFOX identified over 33,000 instances where attackers tried to impersonate a brand by mimicking its pages, logos, and images in order to trick users. It counted another nearly 9,000 instances of executive impersonation among customers in the retail sector.

Impersonation accounts are often used to promote phishing campaigns and other scams such as directing users to sites that download malware. "By impersonating well-known individuals like executives, attackers are able to establish credibility and gain access to a wider pool of potential victims than they would be able to otherwise," Benge says.

Another report from One Identity this week shows that online scammers are not the only concern for retailers. The report, based on a survey of over 1,000 IT professionals, says that retailers feel most at risk compared with other organizations, from unsecured third-party access.

Nearly three in 10 retailers in the survey said that a third party, such as a supplier or business partner, had successfully accessed files it was not supposed to, and 25% admitted to giving all third parties privileged access to their systems.

Todd Peterson, security evangelist at One Identity, says the reason why retailers likely feel this way is because of high employee turnover, a lot of seasonal workers, and a heavy reliance on third parties for key business operations that cannot be staffed at each retail location.

"The nature of their workforce and the fact that they are typically not in business for data security is the biggest factor that puts them at risk," Peterson says. "Basic security practices such as managing third-party access or deprovisioning users is often forgotten about from an operational standpoint, which puts most retailers at a higher risk."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...