The retail industry is a prime target for cybercriminals due to its vast attack surface and the growing complexity around securing sensitive data. The pandemic has increased the industry’s attack surface as online shopping and cashless transactions have made it harder for companies to keep up with the already complex regulatory requirements of the Payment Card Industry Data Security Standard (PCI DSS) and the PCI Software Security Framework (SSF).
VerSprite’s Offensive Security consultants have compiled a living retail security attack tree and other resources to help equip retail organizations with a granular view of the ever-evolving threat landscape. This article provides further details into the most impactful security risks mapped within our retail attack tree.
• Insider Threats
• Insecure IoT devices
• Disruption to Business Operation
• Information Theft
• Retail Product, Capital, or Financial Theft
Preventing attacks starts with understanding your environment. This includes identifying all your assets (physical, digital, and technical) and each of the vulnerabilities they entail. Often, threats to the retail sector focus on information theft and card fraud. Attackers have evolved their techniques, so retail cyberattacks no longer affect only customer data: DDoS attacks, ransomware/malware/spyware, and other attacks can wreak havoc on daily operations. Website outages and disruptions to a retailer’s supply chain can hinder shipments, leaving physical and online retailers without goods to sell.
This is more than just a nuisance and can ultimately lead to businesses shutting down.
Retail industry physical assets include personnel, third-party vendors, IoT devices, POS systems, and facilities.
Retail personnel are a valuable vector for attack because of their access to sensitive data and trust within the organization. Employees are generally encouraged to be helpful, an ideal characteristic for social engineers looking to trick them. Personnel may very easily, but accidentally, set off a string of events that leads to a breach, simply by doing their job. Threat actors targeting Retail often seek to impersonate executives or convert employees to insider threats.
Impersonation may be attempted through the theft of authorization badges, social engineering, or disguises. Threat actors often impersonate executives and, for retail organizations with multiple locations, disguise themselves as employees visiting from another location. Aside from impersonation, we have seen an increase in threat actors targeting personnel to convert employees to insider threats using blackmail, imitation, or even unwittingly through spear phishing, social media intelligence (SOCMINT), or other social engineering techniques. A lack of training to identify modern social engineering has significantly hurt retail organizations.
Criminals also seek to infiltrate retail organizations through other physical assets, such as suppliers, contractors, and third-party vendors. Third-party vendors are often used to facilitate payment transactions, and extra security precautions, like two-factor authentication, are rarely implemented because retailers want the payment process to be as seamless as possible. This has created a fertile environment for cyber criminals looking to attack.
Additionally, suppliers pose just as much risk. A manufacturer outside of the US can simply insert a USB drive that installs ransomware or other malware on the targeted retail organization’s systems. Attackers may also pose as vendors in social engineering attacks, capitalizing on the good nature of employees to gain access to restricted systems or data. Ransomware can also be spread through this attack vector, taking valuable data hostage, or even destroying it.
The most common hardware endpoints in any enterprise environment are individual employee devices. The proliferation of working from home has only enhanced this vulnerable attack vector, because many employees mix personal and professional activities across devices, presenting more opportunities for attacks and pivoting. Even under ideal conditions, this can provide unique challenges in ensuring security of business resources and data integrity and confidentiality.
One technique, drive-by downloads, can install malware on a device without the user’s knowledge or consent. Simply visiting the wrong link may be enough to expose the company to risk. This tactic is often used to gain access to the network, email, servers, and other devices where an attacker will attempt to steal and exfiltrate data out of the company’s network. A modern example of this is when Target was compromised after a third-party vendor’s device was hacked from a phishing email.
Attackers can even target the HVAC system of an organization to perform network traversal, gain remote access, or collect data. This is largely due to the prolific use of IoT devices which can be difficult to update/upgrade, making them vulnerable to attack.
Threat actors can also set up rogue wireless access points that present fake billing portals. This is critical because so many employees work remotely and use public Wi-Fi. Additionally, man-in-the-middle (MITM) attacks, where an attacker secretly places themselves in the communication between two parties, can take place anywhere at any time on public Wi-Fi.
Facilities are often duplicated across multiple locations, giving many points of access. This duplication presents opportunities for testing and replicating attacks throughout the environment, and can create opportunities for theft of devices, or other methods of acquisition as devices are sent out for repairs, replacement, etc. This in turn gives attackers the chance to look for vulnerabilities in devices which may not otherwise be widely accessible.
Other facility assets attacked are teller machines and cameras. Teller machines are attacked for destruction, robbery, or social engineering attempts whereas cameras are attacked for obfuscation and destruction.
Self-check-out stations, point-of-sale devices (POS), or terminal machines are prime targets to distribute malware, infiltrate a network, or use card skimmers to steal card data. According to a joint study from Cornell and FreedomPay, approximately 30% of companies have experienced a data breach, of which nearly 90% were attacked again within a year. The data gathered can be monetized in multiple ways, including selling it back to marketing companies. So, even if card data is not stolen, hackers can still turn a profit on other consumer data collected.
Retail organizations are a gold mine for data collection because millions of customers nearly always provide their basic contact and card information during the checkout process. Threat actors can use this data to gain unauthorized access to the target, sell it to other malicious users, or use it to personally target victims for the sake of financial gain. Target, T-Mobile, and many other retailers have fallen victim in a big way.
“The latest research from Accenture found that in spite of the increasing rate of data breaches, 55% of organizations surveyed don’t have the capacity to mitigate attacks or detect cyber threats.”
The retail industry relies heavily on online assets, such as eCommerce websites and mobile applications, to promote and facilitate sales to customers. This heavy digital footprint leaves retail organizations exposed to an increased risk of cyberattacks.
Websites are available 24/7, giving attackers ample time to find weaknesses to exploit. Because they often host transaction pages and e-commerce, websites are a prime target for theft of data, card information, and products. Bot attacks against retail organization websites are prevalent and sophisticated, allowing them to evade common security defenses and take over accounts. Website misconfigurations can also be exploited through cross-site scripting.
Attackers are also known to create fake advertisements on search engine ads and social media intended to look like legitimate business services, directing would-be shoppers to false storefronts for the purposes of stealing card data and spreading malware/spyware/ransomware. Victims could be directed to fake payment processing pages that appear to be the correct site. In the best of these attacks, the card information is lifted during the transaction while elements of the legitimate site are preserved, including the customer receiving the purchased items. In other attacks where customer accounts are hijacked, criminals often place orders using stored card information or change pending shipments to in-store pickup. These clandestine operations allow criminals to go unnoticed and uncaught.
Retail companies are not the only ones subject to retail website fraud. Software developers and technology manufacturers that have eCommerce sites are also at risk. For example, there are many fake portals to download Microsoft Teams and receive a version of Teams bundled with a side of malware. This two-for-one special is an increasingly common attack that we see on search engine ads and popular social media platforms. Companies should monitor major keyword results on search engines to catch these scams.
Mobile applications are pervasive. Thousands are created daily with little to no regulations on the security measures or legitimacy of each app. This creates a near endless list of potential targets and attack venues. Fake apps are designed to impersonate legitimate apps, credentials are obtained using malvertising links, and APIs can be exploited. Companies with and without mobile applications should monitor popular app stores, search engine results, and social media for signs of fraudulent apps and advertisements.
Retail technical assets include databases, servers, and satellite offices. Though less accessible than physical or digital assets, they are vulnerable, and an attack could harm operations for all locations.
Network databases are often targeted because they can be used to distribute malware campaigns to entire retail organizations, to further illicit access, and to carry out DDoS attacks. Database storage needs to be protected and monitored for data theft attempts, data modifications, and espionage.
When servers are attacked, they are often used to pivot into further IT assets, to conduct espionage operations, steal data, and/or distribute malware. Servers are also targets for DDoS attacks, which can prevent business transactions and cause significant loss in revenue. Over the last year, the retail industry has experienced the highest volume of DDoS attacks per month of all industries.
One often overlooked area is a company’s satellite offices. While they are separate and often use their own resources, these offices can be used to attack company-wide assets. Areas of high concern are the networks and the logins of satellite offices. Login credentials can be stolen via phishing campaigns, cross-site scripting (XSS) attacks, or formjacking. Once these logins are obtained, they can be used by an attacker to move further through networked resources or for the distribution of malware.
Retail organizations have a variety of predators, each with their own motives. Though data collection is the most common goal for retail cyber attacks, why they want it varies. Individuals, organized crime, competitors, hacktivists, and state sponsored organizations can execute a plethora of attacks to meet their needs.
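The asset classes and attack vectors walked through above can be encoded as a small attack tree and queried for which control cuts the most paths. The following is an added illustration, not VerSprite’s downloadable attack tree; the tree, its leaf names, and the mitigation-to-leaf mapping are constructed from vectors named in this article.

```python
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Node:
    """One attack-tree node; gate is 'OR', 'AND' or 'LEAF'."""
    name: str
    gate: str = "LEAF"
    children: list = field(default_factory=list)


def attack_paths(node):
    """All minimal leaf sets that achieve `node` (one per distinct attack path)."""
    if node.gate == "LEAF":
        return [frozenset([node.name])]
    if node.gate == "OR":
        return [p for child in node.children for p in attack_paths(child)]
    # AND gate: every child must succeed, so take one path from each child
    return [frozenset().union(*combo)
            for combo in product(*(attack_paths(c) for c in node.children))]


def rank_mitigations(tree, mitigations):
    """Rank controls by how many attack paths they cut (a path needs all its leaves)."""
    paths = attack_paths(tree)
    blocked = {m: sum(1 for p in paths if p & leaves) for m, leaves in mitigations.items()}
    return sorted(blocked.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed tree (hypothetical): goal and leaves are vectors named in the article.
TREE = Node("Information theft", "OR", [
    Node("Personnel", "OR", [Node("spear phishing"), Node("badge theft"),
                             Node("insider recruitment via SOCMINT")]),
    Node("Third-party vendor", "AND", [Node("vendor credential phishing"),
                                       Node("no 2FA on vendor payment access")]),
    Node("POS / self-checkout", "OR", [Node("card skimmer"), Node("POS malware")]),
    Node("eCommerce website", "OR", [Node("fake storefront ad"),
                                     Node("account-takeover bots"), Node("XSS")]),
])

# Constructed control set, each mapped to the leaves it neutralises.
MITIGATIONS = {
    "security awareness training": {"spear phishing", "vendor credential phishing",
                                    "insider recruitment via SOCMINT"},
    "2FA on vendor access": {"no 2FA on vendor payment access"},
    "search/social ad monitoring": {"fake storefront ad"},
    "POS tamper inspection": {"card skimmer"},
}

if __name__ == "__main__":
    print(len(attack_paths(TREE)), "attack paths")
    for control, n in rank_mitigations(TREE, MITIGATIONS):
        print(f"{n} path(s) cut by {control}")
```

Note that the AND gate under the vendor branch means either control on that branch (training or 2FA) removes the whole path, which is why the vendor 2FA gap the article mentions counts toward the training control’s score as well.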
Retail organizations have experienced tremendous virtual growth over the last few years. As they adopt new business models and create a more intricate online presence, it is critical they build and maintain a strong security program, physically and virtually.
Using outside security consulting companies like VerSprite to support and expand the in-house security and IT teams’ efforts is the most effective way to ensure company data remains secure. We have shown success using an organizational approach to protecting retail organizations that assesses and prioritizes risks unique to the business impact, using methods such as organizational threat models, red teaming, vSOC monitoring, advanced penetration testing, and security awareness training. Threat actors will still attack retail organizations, but with a holistic and offensive security program in place, their level of success decreases substantially.
Our team does extensive work with the retail industry. To give back, we host a living attack tree and security vignette free to download. These resources are updated yearly with the most modern and impactful threats, attack surfaces, attack scenarios, and exploitable vulnerabilities our team sees. Visit our GitHub or Retail Security Hub to download these files.