As cybercriminals grow more sophisticated and holiday shoppers continue to flock online, researchers warn internet-based retailers could face a 20 percent uptick in cyberattacks this holiday season compared to last year.
In the report titled “Holiday Season Cyber Heists”, released Thursday morning and shared with Threatpost, Carbon Black said that the cybercrime activity it tracked during 2019 already points to an upward trajectory in malware and ransomware attacks over the holiday shopping season.
From constantly-evolving malware such as Kryptik to island-hopping attacks, retailers are finding themselves constantly at risk. And they’re paying the price: Up to 40 percent of surveyed retail organizations said they’ve already lost revenue as a result of a cyberattack in 2019.
In this podcast, Tom Kellermann, the head cybersecurity strategist with VMware Carbon Black, talks about the newest threats that retail organizations – and shoppers – are facing this holiday shopping season.
Below find a lightly-edited transcript of this podcast.
Lindsey O’Donnell Welch: Welcome back to the Threatpost podcast. You’ve got your host, Lindsey O’Donnell Welch here with Threatpost today and I’m joined by Tom Kellermann, the head cybersecurity strategist with VMware Carbon Black. Tom, thanks so much for coming on today.
Tom Kellermann: Thank you for having me.
LO: Great. Well, we’re in the midst of the holiday season and unfortunately for cyber criminals with the holiday season comes, as you call it, “holiday season cyber heist.” So VMware Carbon Black just released its annual research delving into retail industry cyber threats and how the industry is dealing with those threats. So, Tom, before getting into this report, can we just take a step back here and paint some context around the retail industry as it relates to the cyber security space? I mean, historically, what challenges has the retail space faced when it comes to security, whether it’s traditional vulnerabilities and issues that exist in their own systems or whether it’s external threats that they’ve faced? What have you seen there?
TK: Well, you know, as retailers have moved away from brick and mortar, and as they’ve fully embraced, you know, e-commerce, they are exposing themselves to a greater attack surface. It’s no longer merely about the physical security of the store or the facility, or the physical security of the point of sale machines. They’re grappling with a reality that adversaries have increased in sophistication and they’ve found ways to bypass encryption and penetrate the sanctum of these retailers and precipitate cybercrime and fraud against not only the retailers, but their customers.
LO: Right. And with that context in mind, let’s fast forward to right now, Thursday, you just released this new research about retail and the holiday season cyber threats that retail companies are facing. Tell us about the background of this research itself. What were you specifically focusing on? And who did you talk to or survey in order to conduct some of this research?
TK: Yep, so first, we drew from our own data, a vast amount of data that we’re pulling from the agents that have been employed to protect a myriad of retailers around the world, in the hundreds that is, and then we actually wanted to have qualitative analysis of the data by asking specific questions to 20 of the world’s most prominent CISOs in the retail space, and we wanted to get a better gauge from them as to their perception of the threat landscape and some of the proactive countermeasures and/or initiatives that they have in dealing with this cybercrime wave.
LO: Right now, were you guys talking to CISOs more from brick and mortar retail stores or more online platforms? Or kind of a healthy mix of both?
TK: Mostly online platforms. That being said, you know, brick and mortar are moving primarily online with a delivery of services and offerings. And this is evidenced by the applications, the mobile apps that we can all download now from our favorite brick and mortar. And that comes with its own danger. And I think this report highlights how cyber criminals have increased their level of sophistication, their level of organization around targeting these systems and how merely having data encrypted cannot save you from the modern thief.
LO: I think that’s a good point. And it’s demonstrated through one of the statistics that you threw out there in the research, which was that attempted cyber attacks against retail organizations may increase by 20 percent this holiday shopping season. So let’s take a step back and talk about that statistic and what it means for retail companies. What has that same number been in previous years? Were these types of cyber attacks and targets also increasing in previous years? And is this a trend that’s going to be continuing or is this something that is out of the ordinary for year to year?
TK: No, this is the continuing upward trend. What’s notable here is that we are already seeing this dramatic uptick of attacks. This is in large part due to the myriad of attack capabilities and crime kits that are widely available now for traditional criminals. You’re seeing this migration of traditional criminals online, and their utility of things like ransomware, like trojans and droppers, all of which they can purchase now from numerous forums online. So you see the migration of traditional crime online. In addition to that, you’re seeing a shift away from smash-and-grab burglary to more of a, I guess, a hostage situation within those retailers, and what I mean by that is, you can see that one third of the time in this study, they’re dealing with island hopping. No, this is not the island hopping that we refer to from yesteryear of, you know, the air conditioning maintenance person’s computer being compromised to target Target. But more importantly, this is the construct that the actual e-commerce site itself begins attacking its customers, whether the site has been turned into a watering hole, whether the mobile app has been turned into a watering hole, which is happening a lot nowadays, or they’re leveraging reverse business email compromise schemes where the email that you receive from the retailer, actually from the mail server of the retailer, has fileless malware embedded in it, so they can take over your bank accounts on your home PC.
LO: Yeah, that can be a lot more dangerous, because that means that the retailer is now becoming part of this attack. And we’re seeing that in other attacks too, like supply chain attacks, things like that, that are exposing data. So I think that’s a really good point. And it also opens up these various cyber attacks to include the consumers as victims as well. I think that’s something to be looking out for, and when you’re talking too, about the different and new types of threats and malware that’s available to cyber criminals, which is kind of decreasing the entry barrier for some of these cyber criminals to launch these attacks. You guys had a section too in the research that included various takeaways from looking on the Dark Web and what you were able to find there. And you were able to discover various credit card skimming guides, counterfeit credit cards, financial-specific malware, access to specific bank accounts from stolen credentials. What were some of the top takeaways that you found looking at these underground forums when it comes to the retail industry and customers?
TK: Most horrifying was the presence of numerous financial-specific malware payloads that could be employed by non-sophisticants. These financial malware payloads could be leveraged by non-sophisticants against individuals beyond the compromise of the credit card information that will be leveraged in the transaction. And these were trojans and droppers that have the capacity to actually siphon money from your bank accounts themselves. And remember, when someone steals from you online, they don’t need to wire more than 50 cents on a regular pattern. It’s called salami slicing. I mean, the best way to take advantage of compromised personal devices is to conduct a salami slice for $2.30 every day across each device in perpetuity, because that’s roughly the price of a cup of coffee. And so we have to appreciate the nature in which they’re trying to embed themselves within these environments. It’s really transitioning with these types of widely available financial-specific payloads from a burglary to more of a home invasion. And the same thing is happening to the retailers who have been successfully targeted.
Now to your earlier point about, you know, this type of commoditization of attack code, you know, ransomware is essentially the poor man’s cyber attack tool. Okay? And what we need to appreciate is the people who sell ransomware capabilities to traditional criminals do so for two reasons. One is to obviously make money. The second reason is wherever the ransomware has been deployed, they have remote access to wherever the ransomware agent has been employed. So essentially, they can teleport themselves into any infrastructure that’s been previously compromised by that ransomware, which is why when you pay the ransom – which you shouldn’t do – you have to assume that there’s still a backdoor somewhere in your infrastructure that is being misused and abused by another criminal.
LO: Right. It’s funny, I feel as though last year a lot of people were saying that ransomware was steadily declining, but I do think that, at least the instances that have been disclosed, it seems to be popping up more frequently this year. And I’m curious if you’re seeing that as well in the retail space, and you guys kind of outlined that too in your report as it had to do with ransomware threats. So, you know, what are you seeing there in terms of the most prevalent ransomware or malware families that are targeting the retail sector?
TK: Yeah, I mean, Kryptik is probably the most pervasive, but beyond Kryptik, you need to appreciate that what makes Kryptik unique is its capacity to modify the registry and allow for other payloads or other trojans, and attack code to be deployed in conjunction with it. We’re seeing this resurgence of Zeus, which really highlights this trend that I spoke to where traditional criminals are getting in the game now. And then Emotet is constantly evolving its modular structure. All these payloads are primarily sold out of Eastern-European, Russian-speaking forums, and are widely misused by criminal crews, both traditional and cyber, around the world. Some of the more unique payloads that are evolving from a financial crime perspective are now beginning to come out of Brazil as well. And in general, I just would state that, whereas ransomware is truly an epidemic, a lot of times it provides a smokescreen for more elegant long-term cybercrime conspiracies that are conducted against these types of retailers. And we need to appreciate the fact that the implicit trust that you put into that, let’s say, luxury brand, will be misused by cyber criminals to attack you. And it’s not just a question of some drive-by download. It’s not just a question of them spoofing the email address of the retailer, they will actually commandeer the digital transformation of that retailer and use it against their constituents.
LO: Right. And it’s certainly costing retail organizations. I mean, I think you guys had it that 40 percent of retail orgs said they lost revenue due to a cyber attack in 2019. I mean, that’s a pretty high number and those are big losses. Is that mostly due to costs of disaster recovery and mitigation or is it brand and PR issues that crop up out of cyber attacks? What kind of goes into that?
TK: I think primarily, it’s the incident response, the notification labor costs due to a breach; but the great irony here is those are just stats specific to the triage. It does not encompass the reputational damage or reputational risk that the retailer may have been impacted by, nor does it take into account cybercrime conspiracies that don’t actually target the point of sale systems or the payment processing of the retailers themselves, but rather use the infrastructure of the retailer to leverage banking malware against people who visit their website, a mobile app, etc. And that is, I’d say, encompassed fully in the warnings we’ve all received regarding Magecart. And Magecart in and of itself, the fact that they’ve created essentially a platform for automating watering hole attacks for the purposes of financial fraud, is something we should pay attention to.
LO: Right. I mean, we’ve seen Magecart attacks almost monthly at this time, and you know, not just going for some of the smaller firms but, you know, the bigger ones like Ticketmaster, some of the other ones, so that’s definitely a big red flag for retailers who are looking out for the top threats to be aware of. Are you seeing these losses translate to more awareness – and not just awareness, I guess, but more action – against trying to better secure systems or reorganize to better face these threats within the retail industry?
TK: You know, not all retailers are equal, just like you would walk into a luxury brand store and you would immediately see the physical security personnel standing in a suit by the door. And you would immediately notice the surveillance cameras and the laser defined boundaries of the showcases. You don’t always see that everywhere. And what I mean by that is, I think there’s a movement afoot slowly to increase internal visibility and to inhibit lateral movement and to mitigate island hopping and these types of threats. But the challenge is still that the PCI compliance standards and other standards affiliated with these industries are very outward facing, very focused on prevention versus suppression. And as we can see due to the criminal kits and platforms that are widely available to anyone in this world, their security standards and initiatives are not keeping pace with the level of Machiavellian criminality that we see.
LO: Right. Well, what needs to be done? I mean, looking at these retail organizations, I know that in your research, you mentioned that more than half of retail orgs that you guys surveyed said they plan on increasing their cyber security staff in 2020, 40 percent said they plan to increase their security budget, but what specifically do they really need to target and what needs to be done to protect against these threats? Is there something at a more wide scale level that needs to be done?
TK: First and foremost, they really need to improve application security and embrace application control and iron boxing of applications so that behavioral anomalies are suppressed.
Secondarily, they have to proactively and regularly test their websites and their mobile apps – yes, their mobile apps too – for the OWASP top 20 and then force function remediation timetables as a priority through all of IT so that their mobile apps and websites don’t turn into watering holes.
In addition to that, they need to improve internal visibility by using either a next gen AV with EDR, or EDR technology from one of the numerous vendors out there that provide it, but most importantly, they need to assure themselves that they have visibility over time.
And that really means can they capture all the behavioral anomalies plus all the unfiltered data on that endpoint over a period of at least 30 days, because in today’s environment, realistically, you will notice that you’ve suffered a successful cyber attack for at least a handful of days after the event. And that’s if you are truly forward leaning. And so they need to accept that. And finally, I think the time has come for widespread embrace of just in time administration. Even system administrators don’t need administrator privileges all the time. Hackers are hunting for those administrative credentials. So they become super users and can misuse processes, policies and procedures and be perceived as insiders when in fact, they are digital insiders. All of these things necessitate immediate action. And, whereas I’m heartened that they’re going to increase hiring of cyber security professionals, the shortage of cyber security professionals is very real. There’s tremendous competition for each person out there in this world that has been trained and is capable of holding down such a position and the burnout rates are incredibly high, as we’ve heard over the past couple years.
LO: We’ll see what happens in 2020. But you know, while you were conducting this research before we wrap it up here, was there anything that stood out to you either as the most surprising thing? Or was there something that you would say is the most important takeaway for security teams or for retail companies from this report?
TK: I think the most surprising thing – and granted this is happening a lot in the financial sector, and we did foreshadow this in our global incident response threat report – is that retailers are suffering from island hopping. And that it is increasing was surprising to me in so much that, not that they were being successfully hacked through their supply chain, but that they themselves, their brand was being misused to target their constituencies, and that mobile applications and their own infrastructure were attempting to deposit long-term trojans for financial crimes inside their customer systems. So this would not have actually been reflected on their own books, the fraud or losses associated with cybercrime, but they themselves became part of the conspiracy, even though unwittingly.
LO: Something to be keeping an eye on for the year ahead for sure. So, once again, this is Lindsey O’Donnell with Threatpost here with Tom Kellermann with VMware Carbon Black. Tom, thanks so much for coming on to the Threatpost podcast to talk about the top holiday threats.
TK: Thank you. Happy Holidays.
LO: And catch us next week on the Threatpost podcast.