IntSights' Blog

The Top 5 Ways Retailers Will Be Scammed This Holiday Season

by Ariel Ainhoren / November 6, 2018

Now that Halloween is over, we can officially begin the holiday season! That means retailers are gearing up with new ad campaigns, seasonal hiring and special holiday deals. It also means that cybercriminals are gearing up with new strategies and tactics for how to scam retailers and unknowing consumers. As we observed in our Retail Threat Landscape Report (October 2018), there are a number of new channels that cybercriminals are using to run their campaigns.

To stay safe this holiday season, both retailers and consumers must be vigilant for new cyber scams and cautious of how they are engaging online. Here are the top 5 ways retailers and consumers will be scammed this holiday season.

#1: Social Media

In Q4 2017, we observed a 345% spike in fake social media pages being created. Cybercriminals attempt to impersonate popular brands on social media in hopes of engaging with unknowing consumers and phishing personal or credit card details from them.

While Facebook, Twitter and LinkedIn are the most popular channels, we’ve also seen these scams extend to new social media channels, like Pinterest and Instagram. Consumers need to be aware of these schemes and make sure the accounts they engage with are verified, have an expected number of followers, and have clear indications they are associated with the legitimate company or brand.

At the same time, retailers must vigilantly monitor social media sites to identify pages that attempt to mimic their brand. Identifying malicious pages can be difficult, but there are many tools you can use to ensure you spot and take down these fake profiles.

#2: Mobile Application Stores

Just like we observed a spike in fake social media pages last holiday season, we observed a similar trend for fake mobile applications. In fact, we saw a 469% increase in suspicious mobile applications in Q4 of 2017 (compared to the previous quarter). Cybercriminals lure users into downloading these apps with promises of deals, or disguise them as a company’s legitimate mobile app. Once installed, these apps can perform a variety of malicious tasks, like logging keystrokes, stealing personal information saved on the device, or even running crypto-mining software.

#3: Account Takeover

This type of attack has seen a huge increase in recent years. It involves hacking into real customer accounts with pre-loaded balances or saved credit cards to purchase goods or transfer balances to another account.

Fraudsters recognize the potential of using a compromised account because it’s less risky and they don’t need to use a stolen credit card to make purchases. Having the account information makes them look more like a good shopper and increases the likelihood of success. These fraudsters may also take advantage of loyalty accounts to redeem reward points or miles without needing additional credit card information.

These types of attacks are both particularly hard to detect and very damaging. Detection requires smart systems and an ability to verify the customer before he or she reaches the checkout phase. Finding the right balance between low friction and high security can be difficult. But it’s extremely important, because a compromised account will seriously hamper customer satisfaction. Shoppers whose accounts are hacked are likely to be very unhappy, blaming the merchant and possibly voicing that dissatisfaction to friends or through social media. Tracking the sale of these accounts on black markets can stop the fraud attempt before it launches and alert the client to the breached account before it is used.
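One way to verify the customer before checkout without adding friction for every shopper is to score each checkout against what the account has done before, and only step up verification when the score warrants it. The example below is added here to illustrate that idea; it is not IntSights' code or tooling, and the signals, weights and decision thresholds are assumptions chosen for illustration, not published fraud rules.

```python
"""Risk scoring for checkout on a returning account (added illustration).

Signals that commonly accompany an account takeover (ATO) are combined into
a score, and the score decides between allowing the order, stepping up
verification, or blocking.  All weights and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Account:
    email: str
    known_devices: set          # device fingerprints seen on past orders
    known_ship_addresses: set   # shipping addresses used on past orders
    stored_balance: float       # pre-loaded balance / gift card funds
    last_credential_change: datetime  # last password or e-mail change


@dataclass
class CheckoutAttempt:
    account: Account
    ts: datetime
    device_id: str
    ship_address: str
    amount: float
    pays_with_balance: bool


# Assumed weights for each ATO indicator.
WEIGHTS = {
    "new_device": 30,
    "new_ship_address": 25,
    "recent_credential_change": 20,   # within the last 24 hours
    "balance_drain": 25,              # spends >= 80% of stored balance
}

STEP_UP_THRESHOLD = 40   # ask for a second factor / e-mail confirmation
BLOCK_THRESHOLD = 70     # hold the order for manual review


def risk_score(attempt):
    """Return (score, reasons) for one checkout attempt."""
    acct = attempt.account
    reasons = []
    if attempt.device_id not in acct.known_devices:
        reasons.append("new_device")
    if attempt.ship_address not in acct.known_ship_addresses:
        reasons.append("new_ship_address")
    if attempt.ts - acct.last_credential_change < timedelta(hours=24):
        reasons.append("recent_credential_change")
    if (attempt.pays_with_balance and acct.stored_balance > 0
            and attempt.amount >= 0.8 * acct.stored_balance):
        reasons.append("balance_drain")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(attempt):
    """Map the score to an action: 'allow', 'step_up' or 'block'."""
    score, reasons = risk_score(attempt)
    if score >= BLOCK_THRESHOLD:
        return "block", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed sample account and two checkout attempts.
SAMPLE_ACCOUNT = Account(
    email="shopper@example.com",
    known_devices={"dev-laptop-1", "dev-phone-1"},
    known_ship_addresses={"12 Home St, Springfield"},
    stored_balance=200.0,
    last_credential_change=datetime(2018, 6, 1, 12, 0),
)

# Returning customer on a known device shipping to the usual address.
NORMAL_CHECKOUT = CheckoutAttempt(
    SAMPLE_ACCOUNT, datetime(2018, 11, 20, 10, 0), "dev-phone-1",
    "12 Home St, Springfield", 45.0, pays_with_balance=True)

# New device, new address, password changed two hours earlier, drains balance.
SUSPICIOUS_CHECKOUT = CheckoutAttempt(
    Account(**{**SAMPLE_ACCOUNT.__dict__,
               "last_credential_change": datetime(2018, 11, 20, 8, 0)}),
    datetime(2018, 11, 20, 10, 0), "dev-unknown-9",
    "99 Drop Point Rd, Elsewhere", 195.0, pays_with_balance=True)

if __name__ == "__main__":
    for name, att in (("normal", NORMAL_CHECKOUT), ("suspicious", SUSPICIOUS_CHECKOUT)):
        print(name, decide(att))
```

The middle band is the point: a single unfamiliar signal (say, a new phone) only nudges the score, so legitimate shoppers are not challenged, while several signals arriving together on the same order trigger a step-up or a hold before goods or balance leave the account.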

#4: Buy Online, Pickup In Store (BOPIS) Fraud

BOPIS was a very safe channel not that long ago, but we’ve seen fraud rates rapidly increase here. This is a classic pattern with fraud—where legitimate shoppers go, fraudsters follow.

Fraudsters use stolen credit cards or compromised accounts of merchants with a physical store either near them or their “customer.” They then place the order and select quick BOPIS fulfillment. They then either pay “mules” a reasonable fee to pick up and reship the goods, pick up the items themselves (perhaps with a fake ID) or direct their “customers” to retrieve their purchases.

You might think this method would pose a larger risk to fraudsters, as it requires them to physically visit the location to pick up the item. But keep in mind, retailers have implemented BOPIS to give customers access to their goods faster, meaning there is less time to identify a fraudulent transaction. BOPIS fulfillment can be as short as one hour, and fraudsters try to take advantage of this quick turnaround to pick up their goods before the fraud is identified. Additionally, they’re picking up items from store associates who often aren’t trained in loss prevention and want to make their customers happy. A quickly made fake ID may be more than enough to overcome any attempt to verify the customer.

#5: Fraud Automation Tools

As the cybercrime industry has matured, we’ve seen more and more automation appear in the form of hacking tools. This is particularly threatening for retailers for a variety of reasons:

  1. They allow fraud campaigns to be run faster
  2. They allow novice hackers (with limited technical knowledge) to run their very own cyber campaign
  3. The people who develop these tools often leave backdoors to access the stolen data, so as the campaign is run by more threat actors, it becomes a “distribution channel” of data for the hacking tool developers.

Here are a few examples (some very common, some more niche) of hacking tools used against retailers:

Email Brute Force Tools: These tools are often used beyond just retail fraud, but can be particularly useful for account takeovers, especially when retailers don’t have a login attempt limit in place.
(Image: Example of Email Brute Force Tool)

Automated SMS Verification: Many companies implement two factor authentication to make it harder to hack accounts. However, SMS verification tools help hackers bypass this step.

(Image: Example of SMS Verification Tool)

Bots for Automated Buying: This tactic is less frequent but the most damaging. Bots are a logical evolution of online fraud. Instead of trying out stolen credit or gift cards one by one on a site, hackers let the bot do the work for them, placing hundreds or thousands of orders in an hour. They don’t need a high approval rate to be successful—the volume takes care of that for them.

(Image: Example of Retail Buying Bot)

Gift Card & Discount Code Generators: Every gift card uses an ID number that ties back to an account in the retailer’s database. Gift card generators use a bot that generates ID numbers, checks their validity against public algorithms, and then finally checks to see if they have a balance remaining. This type of scheme can significantly eat into a company’s profits and also damage brand reputation.
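The three automated tools above share one detectable trait: they produce many failures per source in a short time, whether failed logins (brute force and credential stuffing when no attempt limit exists), declined orders (buying bots that rely on volume rather than approval rate), or invalid balance checks (gift card enumeration). The following added example, which is not IntSights' code, shows a sliding-window velocity monitor that applies one rule set to all three event kinds. The log format, IP addresses (from documentation ranges), thresholds and windows are all constructed assumptions.

```python
"""Sliding-window velocity detection for automated retail fraud (added example).

Each rule groups failures of one event kind by a field (account or source IP)
and alerts when the failures inside the window exceed a limit.  Thresholds,
windows and the log line format are assumptions for this illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str      # "login", "order" or "giftcard_check"
    source: str    # client IP (constructed, from TEST-NET ranges)
    subject: str   # account e-mail, card token or gift card id
    ok: bool       # login succeeded / order approved / card valid


# Assumed rules: (event kind, field to group by, window, max failures allowed)
RULES = [
    ("login", "subject", timedelta(minutes=15), 5),         # single-account brute force
    ("login", "source", timedelta(minutes=10), 20),         # credential stuffing across accounts
    ("order", "source", timedelta(hours=1), 10),            # buying bot: many declined orders
    ("giftcard_check", "source", timedelta(minutes=5), 15), # gift card id enumeration
]


def parse_line(line):
    """Parse one constructed log line:
    '<iso timestamp> <kind> src=<ip> subj=<id> ok=<0|1>'."""
    ts, kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts), kind, kv["src"], kv["subj"], kv["ok"] == "1")


class VelocityMonitor:
    def __init__(self, rules=RULES):
        self.rules = rules
        self._fails = defaultdict(deque)   # (rule index, key value) -> failure timestamps
        self._alerted = set()              # alert once per key, not on every further failure

    def observe(self, ev):
        """Feed one event in time order; return the list of newly raised alerts."""
        alerts = []
        for i, (kind, field, window, limit) in enumerate(self.rules):
            if ev.kind != kind:
                continue
            key = (i, getattr(ev, field))
            q = self._fails[key]
            while q and ev.ts - q[0] > window:   # expire failures outside the window
                q.popleft()
            if not ev.ok:
                q.append(ev.ts)
            if len(q) > limit and key not in self._alerted:
                self._alerted.add(key)
                alerts.append(f"{kind} {field}={key[1]}: {len(q)} failures in {window}")
        return alerts


def scan(lines):
    """Run the monitor over log lines and return all alerts raised."""
    mon = VelocityMonitor()
    alerts = []
    for line in lines:
        alerts.extend(mon.observe(parse_line(line)))
    return alerts


def constructed_log():
    """Build a small synthetic log: one normal shopper plus three automated patterns."""
    t0 = datetime(2018, 11, 6, 9, 0, 0)
    lines = [
        f"{t0.isoformat()} login src=198.51.100.7 subj=shopper@example.com ok=1",
        f"{(t0 + timedelta(minutes=2)).isoformat()} order src=198.51.100.7 subj=shopper@example.com ok=1",
    ]
    # Credential stuffing: 25 failed logins against 25 different accounts, 10 s apart
    for i in range(25):
        ts = t0 + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} login src=203.0.113.9 subj=user{i}@example.com ok=0")
    # Buying bot: 14 orders on different cards within 30 minutes, only 3 approved
    for i in range(14):
        ts = t0 + timedelta(minutes=1 + 2 * i)
        lines.append(f"{ts.isoformat()} order src=203.0.113.42 subj=card{i} ok={1 if i % 6 == 0 else 0}")
    # Gift card enumeration: 20 balance checks on sequential ids, all invalid, 5 s apart
    for i in range(20):
        ts = t0 + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} giftcard_check src=203.0.113.77 subj=GC{1000 + i} ok=0")
    return sorted(lines)   # fixed-width ISO timestamps sort lexically into time order


if __name__ == "__main__":
    for alert in scan(constructed_log()):
        print("ALERT", alert)
```

The per-account login rule is the "login attempt limit" the text says many retailers lack; the per-source rules catch the pattern that limit misses, where each account is tried only once but thousands are tried from the same place. In production the same counters would also feed the lockout or step-up decision, not only an alert.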

Conclusion

For retailers, fraud is a familiar foe—but the cyber risks are rather new. Cyber fraud is an ever-changing landscape that can be completely different from one month to the next. eCommerce is a critical part of retail strategy, but this presence also attracts adversaries. That’s why retailers and consumers need to understand where they are exposed and how attackers might target them.

If you’re a retailer, you need to have a process in place to identify and take down these scams early. Monitoring Dark Web activity can provide you with advance visibility into cyber scams so you can take appropriate mitigation steps. As we head into the holiday season, both retailers and consumers must stay vigilant and stay skeptical.

Have a happy (and safe) holiday season everyone!

Further Reading: Want to learn more about the threat landscape for retailers? Download our Retail Threat Landscape Report.

Retail & eCommerce Threat Landscape Report (October 2018)
Ariel Ainhoren

Ariel Ainhoren is a Security Researcher at IntSights, focused on discovering new cyber trends, threats, hacker strategies and vulnerabilities. He is a seasoned security professional with over 8 years of experience in the cyber industry, with expertise in computer forensics, malicious programs, vulnerability management and Microsoft Products. Ariel enjoys solving cyber puzzles, preferably byte by byte.