The holiday season – which now seems to stretch from Halloween until New Year – is a busy time for everyone. With more and more retail sales taking place online, e-commerce sites are prime targets for hackers. Phishing, gift card fraud and the use of “sniffers” are all ways in which hackers gain access to customer payment information and more. A recent article in Total Retail looks at these techniques.
Phishing and gift card fraud
As the article explains: “phishing takes many forms, but it remains the top concern on the minds of the retail chief information security officers (CISOs).”
According to the British Retail Consortium (BRC), phishing is seen as the highest-risk form of cyber crime, followed by data theft, with denial of service third. Spoofing, doxing (publishing private information about individuals on the internet without their permission) and social engineering are seen as the three lowest-risk forms of cyber crime.
As Total Retail explains: “spoofed email addresses can be used to gain access to supplier or customer login and bogus websites can be made to look exactly like those of major retailers. These can be used to capture and record credit card information. This data is being sold on dark web forums, along with email phishing kits that feature spamming services and automated controls that allow criminals to target companies.
“Hackers also use stolen credit card information to buy gift cards, which are then sold on the dark web and converted to cash. This throws up two problems for retailers: the stolen credit card data used to purchase gift cards leads to chargebacks, while the customer service imperative of the retail industry makes it hard for brands to deny transactions based on gift card fraud.
“In turn, these two forms of fraud can damage brands because of customer backlash.”
Credit card “sniffers”
Credit card “sniffers” are malicious scripts that are injected into the payment pages of e-commerce sites. They “scrape” customer payment information, including credit card data.
According to Total Retail, “(for) some researchers, sniffers represent the single greatest threat to the retail sector. In 2018 they accounted for 88 significant breaches, including the British Airways breach. In that case the Magecart hacker group injected a sniffer onto the BA’s payment site. They claimed 500,000 victims and eventually the airline was fined £183 million under the terms of the General Data Protection Regulation (GDPR). At the time this was the largest fine levied under GDPR.”
One of the emerging strategies to fight these threats involves monitoring unsavoury corners of the internet where fraudsters gather to share notes and sell their wares.
As Total Retail points out, “the dark web is a robust network and within it, cyber criminals buy and sell stolen card data, advertise counterfeit phishing sites and teach each other how to deploy hacking tools.
“These marketplaces are public, however, and when analysts monitor them, they can find out when someone is selling stolen card data from a particular retailer or determine when customers of a brand are getting hit with phishing campaigns. Using this information, they can make proactive steps, such as resetting customer passwords, educating consumers about phishing campaigns, and getting fraudulent URLs taken down through their ISPs. Intelligence allows retailers to be proactive.”
The original article is available via the link.