Combating the Surge in Retail Theft and E-Commerce Fraud With Open Source Intelligence

Retailers have recently experienced a significant increase in the theft of goods from their physical locations. The leaders of these organizations believe the thefts have been fueled by online marketplaces that allow criminals to create and maintain seller accounts under fake identities and behind a veil of anonymity. They believe these accounts provide an easy channel to resell stolen goods without oversight or legal accountability.

At the end of last year, 20 retail leaders, including the CEOs of Best Buy, CVS, Home Depot, Nordstrom, and Target, sent a letter to Congress. These leaders are calling on legislators to enact laws that address this growing fraud by requiring the identification of sellers, making it more difficult for criminals to transact and maintain their anonymity as they sell stolen goods.  

While Congress attempts to craft legislation to protect merchants from in-store theft and consumers from online fraud, the retailers themselves also need to take action. They need to use their intelligence teams to conduct investigations that make these crimes more expensive and less attractive for the criminals.

The Role of “Boosters”

According to the FBI, the retail industry has lost billions of dollars in the past year from the sale of goods obtained through theft and robbery. The ‘shadow’ e-commerce marketplace that resells these goods relies on an ecosystem built on boosters. ‘Boosters’ are the first link in the chain: an orchestrated group of thieves hired by organized crime rings to steal from brick-and-mortar retailers and then hand the stolen property to street-level “fences” for 5-10% of retail prices. Those fences sell the goods to distributors, and ultimately the goods are offered for sale in online stores and marketplaces. Retailers want Congress to bring more accountability to these third-party online marketplaces.

Beyond Transparency. Into Accountability

While retailers wait for Congress to enact laws that bring accountability, verification, and diligence to third-party online marketplaces, companies need to do their part by making the sale of stolen goods more costly for fraudsters. The same tactics, techniques, and procedures (TTPs) used in investigations that disrupt cyberattacks on retailers can be leveraged against those who sell counterfeit or stolen goods. Retailers typically already have systems in place that record the provenance of consumer goods.

With these systems in place, a security team should be able to investigate widespread theft, track stolen property to online marketplaces, build proper controls to legally remove them, and coordinate with law enforcement to implement processes that disrupt organized criminal elements before they profit.

Tracking the Record of Ownership: Retail Data Provenance 

A key component of online crime investigation is the use of techniques that identify stylometric attributes of the criminal infrastructure. These attributes can reveal the provenance of retail data stolen by the malicious actor and enable victims and authorities to take action.

Security practitioners often look for lapses in operational security by the threat actors. These operational mistakes, combined with retailer systems for tracking merchandise, can provide the point of origin of stolen goods. Examples of operational mistakes include, but are not limited to, the following:

● An actor forgot to use their VPN or proxy to connect to their fraudulent online infrastructure and revealed their source IP range.

● An actor reused certificates on different infrastructure or failed to properly encrypt their fraudulent marketplace traffic.

● An actor used mailing/email addresses and phone numbers to register their marketplace or hosting service that can be unmasked.
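The three lapses above are useful to an investigator because each one leaves an attribute that is shared across infrastructure the actor meant to keep separate: a certificate fingerprint, a registrant email or phone number, or an administrative source IP that was not behind the actor's usual VPN. The script below is an added example, not code from the article or from Nisos, showing how an analyst might pivot on those attributes. It uses union-find to cluster hosts that share a certificate or contact detail, reports the evidence behind each link, and flags administrative source IPs that fall outside a list of known VPN/proxy ranges. All host records, fingerprints, contact details, IPs and VPN ranges are constructed sample values.

```python
"""Pivot on shared infrastructure attributes to link marketplace hosts.

Added example with constructed data; not the article's or any vendor's code.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class HostRecord:
    """One observed storefront host. Fields mirror what certificate
    transparency, passive DNS and registration lookups typically yield."""
    host: str
    cert_sha256: Optional[str] = None       # TLS certificate fingerprint
    registrant_email: Optional[str] = None  # contact used to register host/hosting
    registrant_phone: Optional[str] = None
    source_ips: Tuple[str, ...] = ()        # IPs seen administering the host


# Constructed observations: shop-a/b share a certificate, shop-b/c share a
# phone number, shop-c was once administered from a non-VPN IP; the fourth
# host shares nothing with the others.
SAMPLE_HOSTS = [
    HostRecord("shop-a.example", cert_sha256="c0ffee01", registrant_email="Seller1@example.net"),
    HostRecord("shop-b.example", cert_sha256="c0ffee01", registrant_phone="+1 (555) 0100"),
    HostRecord("shop-c.example", cert_sha256="deadbeef", registrant_phone="1-555-0100",
               source_ips=("203.0.113.9", "198.51.100.7")),
    HostRecord("unrelated.example", cert_sha256="abc12345", registrant_email="other@example.org"),
]

# Constructed list of ranges the actor is known to route through (VPN/proxy).
KNOWN_VPN_NETWORKS = ["203.0.113.0/24"]


def normalize_phone(phone: str) -> str:
    """Keep digits only so differently formatted numbers compare equal."""
    return "".join(ch for ch in phone if ch.isdigit())


def pivot_keys(rec: HostRecord) -> List[Tuple[str, str]]:
    """Attributes that, when shared between hosts, indicate a common operator."""
    keys = []
    if rec.cert_sha256:
        keys.append(("cert", rec.cert_sha256.lower()))
    if rec.registrant_email:
        keys.append(("email", rec.registrant_email.lower()))
    if rec.registrant_phone:
        keys.append(("phone", normalize_phone(rec.registrant_phone)))
    return keys


def link_evidence(records: List[HostRecord]) -> Dict[Tuple[str, str], List[str]]:
    """Return only the pivot keys observed on two or more hosts, with the hosts."""
    seen = defaultdict(list)
    for rec in records:
        for key in pivot_keys(rec):
            seen[key].append(rec.host)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def link_infrastructure(records: List[HostRecord]) -> List[List[str]]:
    """Cluster hosts transitively: A~B via cert and B~C via phone puts A,B,C together."""
    parent = {rec.host: rec.host for rec in records}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for hosts in link_evidence(records).values():
        root = find(hosts[0])
        for other in hosts[1:]:
            parent[find(other)] = root

    clusters = defaultdict(list)
    for rec in records:
        clusters[find(rec.host)].append(rec.host)
    return sorted(sorted(c) for c in clusters.values())


def exposed_source_ips(records: List[HostRecord], vpn_networks: List[str]) -> Dict[str, List[str]]:
    """Administrative IPs not inside any known VPN/proxy range (the 'forgot the VPN' lapse)."""
    nets = [ipaddress.ip_network(n) for n in vpn_networks]
    exposed = {}
    for rec in records:
        leaks = [ip for ip in rec.source_ips
                 if not any(ipaddress.ip_address(ip) in net for net in nets)]
        if leaks:
            exposed[rec.host] = leaks
    return exposed


if __name__ == "__main__":
    for cluster in link_infrastructure(SAMPLE_HOSTS):
        print("linked:", cluster)
    for key, hosts in link_evidence(SAMPLE_HOSTS).items():
        print("shared", key, "->", hosts)
    print("exposed source IPs:", exposed_source_ips(SAMPLE_HOSTS, KNOWN_VPN_NETWORKS))
```

The evidence map is the part an analyst actually hands to counsel or law enforcement: a cluster is only as strong as the attributes that produced it, so each link should be stated with the specific certificate or contact detail behind it. Phone and email normalization matters because registration data is rarely entered consistently, and a missed match here silently splits one actor into two.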

By combining technical analysis with open-source intelligence (OSINT), analysts can add valuable context to the crime. The additional technology-enabled OSINT findings can help determine the motivation and sophistication of the threat.   

With this analysis, a retailer may be able to interact with the threat actors in a “controlled buy” operation that verifies the stolen goods and documents the payment chain (if applicable). Conducting the aforementioned operations at scale and in a timely manner is achievable with proper focus and resources.

As a result, companies have several options:

● Working with the cryptocurrency or hosting providers to remove marketplace infrastructure.

● Collaborating with law enforcement to determine the amount of loss, resulting in prosecution.

● Publicly exposing criminals to deter future crime.

● Engaging the perpetrator and the perpetrator’s associates to facilitate cooperation without legal recourse. 

● Removing the anonymity of the fraud actors and criminal conspirators.

The actions and outcomes described in this article are both necessary and complementary to any legislative action that may be undertaken by Congress. These actions by retailers themselves will help protect their businesses and inventory and ensure a fair marketplace for themselves and their customers. 

Written By

Landon Winkelvoss is Co-founder and VP of Security Strategy at Nisos.
