Macy’s, Adidas, Panera Bread and Chili’s. These are just a few of the retailers and merchants who made headline news in the last few months when they became victims of cyberattacks that put payment card data and other personally identifiable information (PII) at risk for thousands of customers. While it’s safe to say that no organization is immune to cyberattacks, I was curious to learn more about the top trends and threats the retail industry faces and how retailers and merchants can strengthen their defenses – particularly as we gear up for the Retail Cyber Intelligence Summit 2018 next month.
To explore the subject further, I connected with Glen Jones, senior director of Identity and Risk Products at Visa – the world’s leader in digital payments. Glen manages the Visa Threat Intelligence solution and frequently advises financial institutions and merchants on cyber threat and payment card data protection.
On an ongoing basis, Visa tracks global breach trends affecting retailers and other merchants. What are some of the top trends you and your team are seeing?
Our most recent research finds that the U.S. and Europe are the top two regions for payment data breaches. Based on Visa’s tracking, the majority of breach victims are e-commerce merchants as opposed to brick-and-mortar entities. The majority of stolen payment data, however, comes from high-volume brick-and-mortar entities.
What this tells us in terms of attack trends is that the criminals are finding it more difficult to obtain valuable payment data from brick-and-mortar merchants and are now targeting e-commerce merchants in greater numbers. This also points to the fact that despite stronger defenses among brick-and-mortar merchants, for instance using EMV chip-enabled point-of-sale devices and other secure payment technologies and techniques, there is still risk to these merchants. Multiple layers of security are required to ensure networks and systems are well defended to protect payment data and improve fraud prevention. And when attacks do happen, they can result in higher-impact breaches.
Are there any trends you’re noticing among cybercriminals that target this sector?
One of the most important trends is that cybercriminals are reusing tactics – specific malware, targeted vulnerabilities and preferred infrastructure – to execute attacks across a wide range of merchants. This has significant implications for how we must deal with cyberattacks.
Traditionally, the retail industry has been more reactive; an unauthorized charge to a payment card would trigger an investigation of fraudulent activity resulting in the discovery of a payment data breach from a merchant’s payment network. The trouble with this approach is obvious; time to detection can take months because criminals often delay selling or using stolen payment card data and don’t always set off that trigger by selling data on cybercrime markets. In other words, retailers may be unaware that their payment networks are compromised until fraud reports begin to surface. Criminals can remain below the radar and continue to steal data until an external party notifies the victim they’ve been breached.
What we’re now seeing is a shift in security approach among leaders in the retail industry. Because we know threat actors are reusing tools and tactics, essentially leaving a trail of breadcrumbs, retailers can use this to their advantage and be more proactive when it comes to security. They are learning from past attacks and the experience of others, since threat intelligence is shared across the industry, to preemptively strengthen their defenses and detect attacks faster.
What are some of the most common cyber threats that attackers are reusing, and that retailers should know about?
There are several we uncovered in our research, but I’ll focus on one that is contributing to the rise in e-commerce breaches and another that focuses on more traditional Point-of-Sale (POS) systems at smaller brick-and-mortar retailers, restaurants and other merchants.
In the case of card-not-present attacks, vulnerable e-commerce payment applications are a primary method threat actors use to steal data. The attackers take advantage of vulnerabilities in payment applications like Magento and the cross-site request forgery (CSRF) vulnerability to compromise the payment application or the underlying web server. They then modify the checkout code and, after successfully installing a malicious hidden web shell, they deploy malware to automatically capture and write payment card data to files that are later retrieved from the web server by the attacker.
One of the other active POS threats we continue to see is known as BackOff/POSeidon. The group has been observed actively targeting merchants who use web-based remote access services to connect to their POS vendor or integrator partners who need legitimate access to conduct system maintenance and other tasks on behalf of the merchant. Through spear-phishing and brute-force attacks, the group steals remote access login credentials of the trusted vendor or integrator partner. At that point, they have unrestricted access to the merchant’s POS infrastructure and can wreak havoc – installing malicious bots, establishing C2 communication, recording keystrokes and encrypting and exfiltrating payment card and other sensitive data.
In both examples, attackers leave behind a trail of breadcrumbs, or indicators – specific domains, IP addresses, registry settings, files, code and other artifacts – that retailers can look for to determine if an attack is underway in their environment.
What advice do you have for retailers and merchants?
There’s a lot that retailers and merchants can do to mitigate risk, but they first need to objectively assess whether or not they have the in-house expertise to move forward. Overestimating their in-house capabilities and underestimating the task can put an organization at risk.
After assessing their in-house expertise, they should focus on process and technology. In addition to complying with Payment Card Industry Data Security Standard (PCI DSS) requirements, they should consider deploying application whitelisting and network egress monitoring in their POS environments, as well as secure payment technology like EMV, tokenization and end-to-end encryption. They should also begin the shift to a more proactive approach to security. Many organizations subscribe to threat data feeds and participate in industry sharing groups that provide information about the indicators attackers are using. That’s a great step in the right direction. But the volume and velocity of data can be overwhelming, and it can be difficult to know what is relevant to your specific environment. Retailers that have a platform to make sense of all that data quickly, prioritize it and have processes in place to act on that intelligence are the ones that we see having more success mitigating risk to payment card data.