+44 (0)1271 866 112
Latest Issue: Nov/Dec 17

It's the Riskiest Time of Year for Retailers

The 2017 holiday season is expected to be a busy time for retailers, with analysts predicting an average of £1bn per day in UK online spending during the seven days surrounding Black Friday. This will be followed by the frantic remainder of the holiday season, as even more shoppers hunt out perfect gifts and generate substantial sales for the retail industry.

While consumers are busily shopping and preparing for the festivities, this spike in business during the holidays makes retailers particularly susceptible to malicious cyber activity. Not only does the retail sector face evolving threats from cybercriminals and fraudsters seeking the conventional target of customer data, it is also susceptible to risks from adversaries who aim to disrupt retailers themselves.

A perfect gift for cybercriminalsThe retail sector’s prominence reaches its annual peak during the holiday season. The sheer scale of the opportunity for fraud, data theft and general disruption around this time tends to be highly attractive for cybercriminals. Although motives can vary, most adversaries seek financial gain -- either through various types of fraud or by stealing customer information and selling it on the Deep & Dark Web.

Statistics show that the retail sector is one of the most regularly targeted industries, and the price organisations pay following an incident can be substantial. A recent survey by PWC found that retailers reported on average 4000 security incidents per year, with 16per cent of cyberattacks resulting in losses of more than £1million. On top of the operational damage caused by cyberattacks, retailers also risk compromising their reputations in a world where consumers are becoming increasingly aware of the sanctity of their personal data.

Following several high-profile data breaches in 2013, many retailers strengthened security measures and ultimately made it more difficult for cyber adversaries to obtain customer data. In response, many of these adversaries have since turned their attention away from consumers in favour of targeting the retailers themselves.

Black Fraud DayFraud management specialists refer to Black Friday as Black Fraud Day. Indeed, the substantial spike in transactions has long been known to generate interest among fraudsters. While unsophisticated carding and ATM-skimming tactics are on the wane in the face of improved security measures, more sophisticated and scalable tactics are emerging from the Deep & Dark Web.

In one example, our analysts uncovered a plot to exploit the rollout of the Europay MasterCard Visa (EMV) in the U.S. Threat actors had developed EMV-chip recording software and manufacturing techniques capable of producing cards capable of bypassing even the most robust anti-fraud measures. Fortunately, the plot was uncovered before it could be executed. Our team then advised financial institutions and retailers alike on how to adjust their anti-fraud measures to foil the fraudsters.

Securing the supply chainSupply chain efficiency is vital for large retailers; outsourcing some if not all supply chain and logistics activities can deliver valuable commercial benefits. However, outsourcing also increases a company’s exposure to risk, as they relinquish the ability to maintain detailed oversight and full control of the processes, procurement strategies, and security measures contracted to third-parties.

As one potential repercussion, retailers may not be aware of flawed manufacturing practices, insufficient quality controls, or other errors that could lead to security weaknesses within their sales inventory. Depending on the severity of the issue, such weaknesses could require product recalls, make consumers susceptible to various security risks, or harm the retailer’s brand reputation-- all of which could lead to substantial financial damages.

In one instance, our analysts identified a supply chain vulnerability that rendered millions of consumer electronics goods vulnerable to compromise by the Mirai botnet and subsequent DDoS attacks. Our team traced the issue to one upstream supplier contracted by many leading retailers to manufacture components of certain electronics goods they sell. We then advised retailers and manufacturers alike so they could patch the vulnerability, issue product recalls as necessary, and work with upstream suppliers to enforce stricter quality controls and security measures to help prevent future issues from arising.

Retailers held to ransomThere’s no doubt that 2017 has been a big year for ransomware -- a threat that can be particularly challenging for retailers during the holidays. Indeed, cybercriminals have been known to target companies at critical periods during their annual business cycle to maximise disruption and the chance of ransoms being paid.

In one instance, our analysts uncovered a plan during the 2016 holiday season that sought to infect retailers with the infamous Locky ransomware via phishing emails disguised as payment invoices—a tactic that has been devastatingly effective in the past. Fortunately, our intelligence enabled retailers to take countermeasures to protect their networks and ensure that employees didn’t get duped by the phishing emails.

The holiday season remains one of the busiest times of year for retailers and cybercriminals alike. However, leveraging Business Risk Intelligence gleaned from the Deep & Dark Web communities where cybercriminals develop their schemes can help the retail sector gain a decision advantage over these adversaries and ultimately ensure that customers enjoy a happy holiday season.  

by Vitali Kremez, Director of Research, Flashpoint