Experiential retail capitalizes on millennials’ preference for engaging experiences as a key element of shopping, whether in-store or online over strictly product shopping.
However, these experiential elements depend on IoT and other technologies that use open wireless networks — a big security issue since these devices could expose vulnerable attack points, in addition to today’s emerging cyber threats and expanding attack vectors. Retail security executives have their jobs cut out for them.
Two Major Emerging Threats
The first, Magecart, occurs when hackers embed malicious computer code into retail websites to steal customers’ credit card data at the checkout page. Magecart attackers target either high volume-low value sites (i.e., more sites but each having fewer customers and thus fewer cards) or low volume-high value sites (such as Ticketmaster and British Airways), which provide bigger rewards due to the larger number of customers.
The second, nation-state threat actors — while traditionally politically or ideologically inspired — now also include financially motivated groups who target retailers with remote access trojans (RAT) to access their point-of-sale systems and networks. These cybercriminals used to favor ransomware attacks but now deploy phishing campaigns that lure victims with documents containing the target’s logo and familiar branding elements.
When retailers let their guard down, attackers remotely access and move within the target network to easily conduct point-of-sale systems fraud or gain competitive intelligence and intellectual property to acquire an unfair advantage.
More and More Imaginative Attack Vectors
Highly sophisticated attackers can target the supply chain of large online retailers by bypassing their sites’ countermeasures, injecting malicious code into advertising providers’ or web analytic companies’ legitimate and trusted scripts to streamline customer payment card data theft.
Credential stuffing happens when attackers steal account credentials such as usernames and/or email addresses and the corresponding passwords to access user accounts through large-scale automated login requests directed against a web application.
Means to profit contains many different possibilities, including threat actors monetizing their findings by reselling the details or directly abusing the account’s privileges. Fraud arising from use of leaked credentials exposes retailers to fulfillment of fraudulent orders — ordering goods with stolen cards or create fraudulent transactions to drive refund scams. They also purchase and resell of gift cards or other electronic goods using legitimate credit cards and user details bought on underground marketplaces or legitimate trading/auction platforms.
Watch: What You Need To Know About Cybersecurity
Based on how far they have infiltrated the retailers’ systems, they can use forged receipts to conduct refund/return scams whereby retailers and brands issue replacement goods prior to faulty goods being returned.
Retailers are under attack by DDoS ransom attempts. Unless an organization has a well-proven DDoS mitigation system in place, DDoS attack extortion can be quite profitable and requires no formal hacking, simply the rental of an inexpensive botnet on the dark web.
Retailers are also fighting these battles:
Mobile apps: According to CyberInt’s research analysts, there’s been an increase of more than 300 percent in fake and malicious brand-abusing apps. These are often targeted at customers rather than the enterprise itself, although the retailer suffers brand reputation damage when customers are tricked into installing malicious apps or lured by phishing emails.
POS malware and compromised devices: Inspired by the success of Magecart, these malware threaten brick-and-mortar retailers with easy exfiltration of payment card data. The cybercriminals can buy affordable malware that they use to access legitimate POS terminals that have been modified to save or exfiltrate payment card data.
The easy availability of hardware skimmers with traffic sniffing capabilities to capture GSM traffic originating from a POS device without the need for physical contact adds to their bottom lines.
With a growing list of new and proven attack vectors, retail cybersecurity is imperiled as never before. Retailers will have to turn to a multi-layered, real-time cyber protection that stays well ahead of hackers, one that steps into the cyber attacker’s shoes, monitors all digital activities, and stops the threats before they materialize.
Itay Yanovski is co-founder and senior VP strategy at CyberInt, a provider of digital protection for the retail, e-commerce, gaming and financial industries.