Risk intelligence firm, Flashpoint has observed an increase in chatter relating to cybercriminals targeting retailers during the holiday season due to an increase in online and in-store consumer spending.
Retailers store an abundance of personally identifiable information (PII) – customer financial data, customer data, login credentials and passwords, credit card information, personal details such as addresses and phone numbers, and more – making them valuable targets for threat actors.
During the holiday season, the retail sector is a primary target for financially motivated threat actors.
Refund Fraud – Refund-as-a-service
Flashpoint analysts have found an alarming volume of discussion around ‘refund fraud’, as well as a recent increase in offerings of refund-as-a-service, where a threat actor will secure a fraudulent refund on behalf of their ‘buyers’.
“The threat actors charge a percentage of the order or return total for their service. To improve their methods of manipulating customer service departments and bypass refund policies, threat actors also share their experiences with specific retailers inside of their illicit communities and forums.
“General social-engineering techniques, for example ‘the item did not arrive’ or ‘the box was empty’ will likely continue to be used, while Flashpoint analysts have observed ‘fake tracking ID’ (FTID) as one of the most highly discussed methods, despite being regarded as one of the most difficult to carry out.”
Credit card, gift card and payment fraud
‘Card Not Present’ fraud allows threat actors to acquire large quantities of stolen cards and credentials to fund illegitimate purchases, or even resell them to criminals known as ‘carders’.
“These carders then leverage the exposed data via cad cloning or digital shopping account linking. Threat actors can obtain this data if it has been inadvertently leaked, for example – via a misconfigured network device. Threat actors may also target financial records and other PII from poorly secured websites or compromised bank logs to access financial information.
“Threat actors have been noted by Flashpoint analysts to advertise gift card services online within their illicit communities. They acquire goods using high-value gift cards purchased with stolen credit cards and sell them on at a discount.”
Content management systems
Flashpoint analysts have observed a number of advertisements for access to e-commerce content management systems (CMS).
“Given the increase in shopping during the holiday season, threat actors will likely exploit this access to harvest customer information stored within CMS panels, including credit card or payment information.
“While Flashpoint has witnessed threat actors auctioning access to a variety of retailers globally, they have been most commonly observed in English-language forums – reiterating the need for Australia to be proactive in defence.”
Social engineering
During the holiday shopping season, Flashpoint analysts warn it is highly likely threat actors will send consumers phishing email and text messages masquerading as legitimate advertisers or customer service-related emails from retailers.
“These engineered messages or emails are used to pressure consumers into disclosing sensitive information such as credit card data and banking details by offering fake benefits like discounts or merchandise.”
Physical security
With many retailers and consumers taking advantage of the hybrid shopping experience, click-and-collect and in-store pickup are potential targets for fraud.
“This method involves the use of a stolen payment card to place an order for collection. Flashpoint analysts have observed threat actors advertising ‘curbside methods’ within illicit communities targeting large retailers and their pick-up services.
“On November 15, Flashpoint analysts observed a threat actor advertising their curbside method – whereby they charge 50% of the total cost of the item that will be acquired.”
How to mitigate potential threats
There are a number of ways to mitigate potential threats. Retailers can limit the amount of time they are willing to accept holiday period shopping returns, effectively shrinking the fraud window and therefore, the number of fraudulent returns.
“Retailers should implement multi-factor authentication (MFA) and encourage consumers to enable MFA for retailer-specific accounts as well as with their financial institutions that enable payments. Contactless payment is more secure because payments generally require biometric scanning, a passcode, or a one-time code in order to carry out a transaction.
“Employee training is one of the most useful ways for setting a baseline of security best practice. Proper password hygiene is key – employing strong passwords and regularly changing passwords.”