Hackers Gear Up for the Holidays Too

November marks the beginning of the holiday shopping season. Consumers are making their shopping lists. Retailers are gearing up for the rush of shoppers. And hackers are honing their skills and using new tools to take advantage of the spike in online transactions. A 2018 survey (PDF) by RetailMeNot shows that consumers are expected to spend an average of $803 holiday shopping during Black Friday weekend, up from an average of $743 last year, with Black Friday and Cyber Monday projected to be the top two desktop and mobile shopping days of the year. While 67 percent of shoppers will go to department stores, 60 percent plan to shop with online-only retailers.

As consumers spend more money online, the opportunities for fraud increase, and so does the level of sophistication threat actors employ to conduct card fraud. Many tactics are aimed at Card Not Present (CNP) fraud, where the card is used online or over the phone and Europay, Mastercard and Visa (EMV) chip technology has no mitigating effect.

One of the latest examples is Magecart, a toolkit of malicious software that was recently used to infect the websites of some clients of Shopper Approved, a customer review plug-in that hundreds of e-commerce sites use to collect reviews and help increase sales. When the plug-in was installed on payment pages of websites, Magecart could embed malware into the plug-in and capture shoppers’ payment card data. Fortunately, the incident was discovered before the holiday shopping season was in full swing, mitigating the potential for widespread payment card skimming. However, the fact that the malware is being used by various groups reinforces that cybercriminals don’t operate in a vacuum.

As I’ve written about before, a rich ecosystem exists that provides supporting infrastructure, malware and money services. Professional online tutorials that include webinars, instructors and reading materials are also available to give actors who are less sophisticated everything they need to profit from credit card fraud. These types of courses were traditionally advertised across a wide range of marketplaces and forums. However, with the takedowns of AlphaBay and Hansa marketplaces in 2017, cybercriminals are incorporating other platforms to publicize their services as they gear up for the holidays.

Our Russian-language specialists have unearthed sellers of courses now hosting free lecture videos on Telegram and then using these to further promote their cybercrime services. For example, they hold a botnet-related lecture and then advertise their new “University of Cybersecurity and Anonymity” program, complete with a dedicated website that looks extremely professional and on par with many legitimate online education sites. They also offer a minute-long video advertisement which has been played over 5,000 times on mainstream video sharing platforms. The course costs about $1,100, payable in Bitcoin, and offers much more than basic carding (payment card fraud) techniques, including lectures and workshops on currency laundering, cash withdrawal schemes, social engineering, botnet creation and use of exploits.

At the lower end of the scale, self-paced and generic tutorials are available for as little as $1. There is also a bartering system whereby actors offer free carding tutorials in exchange for positive reviews on various platforms. Students can expect to be upsold more advanced tutorials and carding services.

This trend is worrying as more amateur actors have access to the training they need to embark on a cybercriminal career. The steady drumbeat of Magecart, intensified by the fact that groups are escalating their use of the malware and becoming more adept, adds to the growing security concerns among businesses that conduct commerce online. However, with this information there are many steps that payment card companies, merchants and consumers can take to better protect themselves. Here are just a few tips.

Monitor: Payment card companies should monitor for permutations of their domain name, which could indicate criminals seeking to harvest information from customers. They should also monitor carding sites for Bank Identification Numbers (BINs) and Issuer Identification Numbers (IINs) that are offered for sale. Merchants should monitor for mentions of their company name on “cardable” sites, which indicate that their sites have been identified as having lax security controls and are thus easier targets. Google Alerts and open source web crawlers like Scrapy can help.
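One way to watch for permutations of a domain name, shown as an added example that is not from the original article: the script derives look-alike candidates for a brand domain and matches them against a feed of newly observed domains. The domain `examplebank.com`, the substitution table, the TLD list and the sample feed are all constructed assumptions.

```python
# Added example: flag look-alike domains in a feed of newly observed names.
# Substitution table and TLD list are small constructed samples, not exhaustive.
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"], "m": ["rn"]}
ALT_TLDS = ["com", "net", "org", "co", "info"]


def lookalikes(domain):
    """Return look-alike candidates for a domain such as 'examplebank.com'."""
    name, _, tld = domain.lower().partition(".")
    variants = set()
    for i, ch in enumerate(name):
        variants.add(name[:i] + name[i + 1:])              # omitted character
        variants.add(name[:i] + ch + name[i:])             # doubled character
        if i > 0:
            variants.add(name[:i] + "-" + name[i:])        # inserted hyphen
        if i < len(name) - 1:                              # swapped neighbours
            variants.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        for sub in HOMOGLYPHS.get(ch, []):                 # visually similar character
            variants.add(name[:i] + sub + name[i + 1:])
    variants.discard(name)
    variants.discard("")
    candidates = {f"{v}.{tld}" for v in variants}
    candidates |= {f"{name}.{t}" for t in ALT_TLDS if t != tld}
    return candidates


def flag_lookalikes(brand_domain, observed):
    """Compare observed domains against the brand; return (domain, reason) pairs."""
    brand_domain = brand_domain.lower()
    brand = brand_domain.partition(".")[0]
    candidates = lookalikes(brand_domain)
    hits = []
    for raw in observed:
        d = raw.strip().lower().rstrip(".")
        if d == brand_domain or d.endswith("." + brand_domain):
            continue                                       # the brand's own names
        if d in candidates:
            hits.append((d, "permutation"))
        elif brand in d:
            hits.append((d, "contains-brand"))
    return hits


# Constructed feed standing in for newly registered or newly observed domains.
SAMPLE_FEED = ["examp1ebank.com", "exmaplebank.com", "examplebank.net",
               "secure-examplebank-login.info", "example.org", "www.examplebank.com"]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes("examplebank.com", SAMPLE_FEED):
        print(f"{reason:15} {domain}")
```

Hits are leads for review rather than verdicts, so each flagged domain still needs a check of what it actually hosts.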

Strengthen security: Merchants should consider using 3D Secure, which is deployed by Visa and Mastercard, as an additional layer of security; it has proven to be a real obstacle for criminals. They should also remove third-party code from payment pages whenever possible to avoid incidents such as Shoppers Advantage.
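To find the third-party code a payment page loads, a merchant can inventory its external scripts. The following added example (not from the original article) lists every script served from a host other than the page's own and records whether the tag carries a Subresource Integrity `integrity` attribute; the URLs, host names and sample markup are constructed assumptions.

```python
# Added example: inventory third-party <script> sources on a payment page.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptCollector(HTMLParser):
    """Collect (src, has_integrity_attribute) for every external script tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attributes = dict(attrs)
            if attributes.get("src"):
                self.scripts.append((attributes["src"], "integrity" in attributes))


def third_party_scripts(page_url, html, allowed_hosts=()):
    """Return scripts whose host is neither the page's host nor explicitly allowed."""
    trusted = {urlparse(page_url).hostname, *allowed_hosts}
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, has_sri in collector.scripts:
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlparse(urljoin(page_url, src)).hostname
        if host not in trusted:
            findings.append({"host": host, "src": src, "sri": has_sri})
    return findings


# Constructed checkout page: one first-party script, two third-party scripts.
SAMPLE_PAGE_URL = "https://shop.example.com/checkout"
SAMPLE_HTML = """
<html><body>
<script src="/static/cart.js"></script>
<script src="https://reviews.example.net/widget.js" async></script>
<script src="//cdn.example.org/lib.min.js" integrity="sha384-CONSTRUCTED"
        crossorigin="anonymous"></script>
<script>var inlineConfig = 1;</script>
</body></html>
"""

if __name__ == "__main__":
    for f in third_party_scripts(SAMPLE_PAGE_URL, SAMPLE_HTML):
        note = "integrity attribute set" if f["sri"] else "no integrity attribute"
        print(f"{f['host']:22} {note:24} {f['src']}")
```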

Be smart: Knowledge of the trends and techniques being advertised in carding courses gives payment card companies and merchants valuable insights into the methods being used and how to increase the friction at every stage of the cybercriminal process. Consumers can also be savvier – transacting with known retailers and, if shopping somewhere new, ensuring the merchant uses 3D Secure. And as always, be wary of offers that seem too good to be true, as they probably are.

As we continue to gear up for an increase in shopping this holiday season, remember that attackers continue to innovate and update their training and skills regularly. Fortunately, monitoring for malicious activity, staying apprised of the latest security measures and being aware of hackers’ latest tactics, techniques and procedures (TTPs) can help all parties mitigate the digital risk associated with CNP transactions.

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.
