Attacking the Organism: Retail

My Apple News app recently served up some targeted marketing that really hit home. There before me was the opportunity to purchase a limited-edition 11 Herbs & Spices Firelog from KFC and Envirolog, sold through Walmart. 

Sometimes it’s just plain spooky how these internet algorithms understand us on a deeper level. How did they know I’d been thinking about the broader application organism as it pertains to companies in different industries such as retail, and how the CHEW framework of malicious motivations fits uniquely into each industry? 

After all, here was an online retail opportunity being presented to me through a news app on a mobile phone over a wireless network. With just a few clicks I could have gone to an e-commerce site and entered my personal financial information. In doing so I would have certainly been tracked and counted, with personal data being presumably sent to two major retail corporations, a manufacturer, and their multiple respective marketing agencies. 

In addition to the advertising and sales mechanisms that brought me to this point, there are also all of the other logistics, shipping, warehouse, and inventory systems that are involved in any sale. All of this coming together just in time for the holidays to bring me a fried chicken-scented yule log. 

Today all these processes are expressed as apps. As industries continue to build out new digital experiences, they are moving very quickly, creating ever-expanding organisms consisting of dozens, hundreds and even thousands of applications spanning this entire landscape of functions. 

In retail especially, companies iterate rapidly, pushing out new features and functionality, building targeted offerings and promotions, and in the case of longtime brick-and-mortar shops, transforming to offer more digital services. Those services today are being consumed at a higher volume than ever, with shipping boxes sitting on porches from coast to coast.  

From new in-store experiences, to rich e-tailing, to hybrid services like ordering coffee on the way to the Starbucks on the corner, to managing all the information and inventory on the back end, the entire retail industry today is built on crisscrossing flows of information. 

This means there is risk of malicious actors targeting any given insertion point connecting any app or piece of infrastructure, anywhere. With so much personal information—including high-value targets like financial data and account information—flowing through such dispersed channels, the prime CHEW motivation for attacking the retail organism is of course criminal intent. 

Case in point: The popular server-side language PHP runs on as much as 80 percent of the web, and accordingly, we’ve seen a continual rise in malicious traffic focused on PHP over the past few years. Magento has long been one of the world’s most popular credit processing platforms—so much so that a prolific hacking organization, Magecart, has grown its business on targeting it. 

There are also good old-fashioned confidence scams focusing on consumers. People spend $127 billion each year on gift cards alone, so it’s no wonder that gift card fraud has become a massive threat. The Federal Trade Commission disclosed in November that $74 million in gift card scam losses were reported in the first three quarters of 2019, compared to $78 million in all of 2018—which was up from $40 million in 2017.   

Another big risk for retail organizations is the seasonality of the industry. In 2019, U.S. retailers reported $9.4 billion in online sales on “Cyber Monday” alone. 

The importance to retailers of single-day sales moments like Cyber Monday or Black Friday leads to risks that extend far beyond simple theft or fraud. Going back to the CHEW motivations, if an idealistic hacker organization or a hostile foreign power wanted to target major online retailers for a DDoS attack to impact availability, these major shopping events around the holidays would represent a prime opportunity to maximize the damage. 

Targeting those dates for criminal attacks also makes sense, with a large spike in traffic providing air cover for malicious code. This proverbial needle-in-a-haystack situation means that security orgs must be thinking more about how they automate their monitoring solutions and augment those with machine learning and artificial intelligence.   

All these factors are part of the risk portfolio for any retail organization, representing avenues of attack that security pros must look to cut off. Retailers have always been a juicy target for criminal activity, and with the explosion of applications being used for both online and in-store purchases and experiences, the stakes are only growing. 

When it comes to cross-site scripting, formjacking, and Magecart-style attacks, standard protections like a web application firewall are critical. Retailers should also ensure that they are proactively scanning for vulnerabilities in the website, as well as deploying a solution to monitor traffic. 

And when it comes to fighting credit card and gift card fraud, mitigating against bots and automated attacks is just as important as preventing manual attacks and is becoming more so all the time. Organizations need the capability to immediately identify and prevent account takeovers, and also to identify fraudulent accounts after they’ve been created, to mitigate the damage. 
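As an added illustration of the automated account-takeover detection called for above, and of the kind of monitoring automation the earlier paragraph on holiday traffic spikes argues for (example code written for this page, not from the column or any product it mentions): a small Python detector that flags a login source failing against many distinct accounts inside a short window, the signature of credential stuffing rather than a user mistyping a password, and lists which accounts that source then successfully logged into. The log format, addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real traffic):
# "<timestamp> <src_ip> <account> <result>"
SAMPLE_LOG = """\
2019-12-02T09:00:01 198.51.100.7 alice FAIL
2019-12-02T09:00:03 198.51.100.7 bob FAIL
2019-12-02T09:00:04 198.51.100.7 carol FAIL
2019-12-02T09:00:06 198.51.100.7 dave FAIL
2019-12-02T09:00:07 198.51.100.7 erin FAIL
2019-12-02T09:00:09 198.51.100.7 frank OK
2019-12-02T09:00:10 203.0.113.5 alice FAIL
2019-12-02T09:00:20 203.0.113.5 alice FAIL
2019-12-02T09:00:31 203.0.113.5 alice OK
2019-12-02T09:00:40 192.0.2.9 grace OK
"""

WINDOW = timedelta(minutes=5)  # sliding window per source (assumed threshold)
MIN_ACCOUNTS = 5               # distinct accounts failed in the window (assumed)


def parse(log):
    """Turn log lines into (timestamp, src_ip, account, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events


def detect_credential_stuffing(log, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Return {src_ip: {"accounts": n, "suspect_takeovers": [...]}} for
    sources that failed logins on >= min_accounts distinct accounts within
    one window; successes from that source after the burst began are the
    accounts to review and re-secure."""
    by_ip = defaultdict(list)
    for ev in sorted(parse(log)):          # chronological order per source
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        fails = [(t, a) for t, _, a, r in evs if r == "FAIL"]
        for i, (t0, _) in enumerate(fails):
            # distinct accounts failed inside the window opened by this failure
            in_window = {a for t, a in fails[i:] if t - t0 <= window}
            if len(in_window) >= min_accounts:
                hits = sorted({a for t, _, a, r in evs if r == "OK" and t >= t0})
                flagged[ip] = {"accounts": len(in_window), "suspect_takeovers": hits}
                break
    return flagged
```

A single user retrying one account (203.0.113.5 in the sample) is not flagged at the default threshold, which is the distinction that keeps such a rule useful during a legitimate traffic spike.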

As the application organism for retail continues to expand, understanding the unique risk factors for this industry—and your own unique blend of herbs and spices in terms of app security insertion points—is the key to protecting your customers, as well as your brand.
