Threat actors are known to ramp up activity in the lead-up to heavy online shopping periods – such as Black Friday, Cyber Monday and Christmas – as they know people will be more susceptible to offers received via e-mail or social media and have more incentive to buy quickly. As the holiday season approaches, this blog explains some of the main ways in which e-commerce businesses can be targeted, the threat actors behind this targeting, and actions both customers and businesses can take to help mitigate against this threat.
E-commerce is Growing at a Tremendous Rate:
With technology advances making it ever-easier to buy and receive products – such as omni-channel shopping, increased use of social media platforms and easier cross-border shopping – consumers will continue to move toward buying online instead of in store, as shown by the following figures:
- E-Commerce in North America grew by 16% in 2018 to over US $500 billion1
- E-Commerce accounts for 23% of all retail in China, and 15% in the US2
- Holiday sales represent 20%-30% of annual sales in the retail industry.3
Threat Actors are Taking Notice:
Retailers are expected to lose US $130 billion in card-not-present (CNP) fraud between 2018 and 2023, due to the use of increasingly innovative and complex fraud methods, and the huge volume of compromised data available.4 This estimate does not include potential losses incurred from threat actors attempting to compromise e-commerce sites themselves and stealing the card data in the first place.
Underground markets trading in this compromised data are thriving. Stolen credit cards are generally sold on dark web forums for between US $5 and $110 depending on the amount of additional information included.5 According to Experian, a total of 14.2 million credit cards were compromised in 2017.6
How is E-commerce Being Targeted?
In order for threat actors to purchase and use compromised card data to defraud e-commerce sites, card data must be stolen in the first place. E-commerce itself is a huge target for this data for obvious reasons: the volume of card data and other personal information being entered into, or stored by, these sites. Over the past few years, several different attack vectors have been used to target e-commerce in order to steal personal information:
- Compromise-as-a-Service (CaaS):
CaaS refers to the sale of access to a breached enterprise, where exploitation of the access is handled by the buyer. Threat actors may opt to purchase access to a target enterprise rather than breach the network/infrastructure themselves. If the compromised enterprise is in the e-commerce industry, another threat actor with the appropriate knowledge can exploit it to skim payment card data and sell it on the dark web.
CaaS requires time, finances, and technical knowledge to carry out the necessary attacks; therefore, these adversaries tend to be more sophisticated. The Accenture iDefense Cyber Threat Intelligence team tracks various threat actors who sell such compromised access. This access can be achieved in numerous ways, most commonly by exploiting systems with vulnerable Remote Desktop Protocol (RDP) exposed to the internet. RDP is legitimately used to allow people to control Windows machines over the internet but is often abused by criminals.
- Virtual Skimming:
- Organized E-crime Threat Groups
One of the most notable organized e-crime threat targeting e-commerce is the threat group FIN6. They target Point-of-Sale (POS) systems within the retail and hospitality industries, mainly in Europe and the United States. Once they have access, they extract card data, and sell it on underground marketplaces.
Threat actors and threat groups targeting card data are becoming more specialized, and collaboration between threat actors facilitates more sophisticated attacks and likely also makes it more difficult to identify a single adversary. With the continued proliferation of Magecart and like attacks and the price at which threat actors continue to sell access to compromised e-commerce networks, Accenture iDefense assesses with high confidence that e-commerce network infrastructure will continue to be a prime target for some of the most advanced threat actor groups.
How is Stolen Data Being Used?
There are numerous ways in which card data can be stolen, some of which are described above. Further examples include phishing, ATM skimming and using malicious insiders. Once card data has been stolen, it is most likely to be sold on a dark web marketplace. Those purchasing this data will often attempt to use it on e-commerce sites themselves in order to fraudulently purchase goods or services (CNP fraud).
- Payment Fraud:
Customers of these marketplaces, however, cannot simply purchase a stolen card and then use it to shop; both issuing banks and e-commerce stores themselves have varying fraud detection capabilities and are therefore constantly on the lookout for bespoke methods that will bypass these checks. These methods are often shared on Dark Web forums and usually involve similar operational security (OPSEC) advice, with tweaks depending on the card being used or the site being targeted. Accenture iDefense analysis suggests these methods will generally follow some or all of these steps:
- Choose a certain type of payment card (identified by the BIN number) known to work on the target site.
- Use RDP or VPN in order to select an IP address matching the victim's location.
- Have a drop (delivery) address closely matching that of the victim.
- Create an e-mail address or e-commerce account using the victim's personally identifiable information (PII).
- Spend time browsing the internet, thereby mimicking a real shopper's actions – fraud detection systems can detect suspicious-looking browser ‘fingerprints’.
- Account Takeover (ATO):
ATO occurs when a criminal gains access to a registered customer’s e-commerce account. Once a threat actor has access to an account, their goal is to make fraudulent purchases using either stored payment data, or payment data stolen from elsewhere. Some cybercriminal actors specialize in bulk collection and resale of stolen credentials, which enhances and enables this type of attack. These actors utilize tools to attempt “credential stuffing” attacks against hundreds or thousands of accounts at a time using existing credential pairs they have identified online. Some of these tools are built and sold to target specific sites.
One of many sites dedicated to the sale of compromised credentials is Slilpp. On this site, threat actors advertise the sale of compromised PII and credentials, many of which belong to e-commerce sites. Accenture iDefense research found there to be over 280,000 accounts for sale dating back to January 2018 for one leading US retailer. This is one of many on this site, and there are several other sites like Slilpp that sell similar amounts of data.
In the wake of a multitude of large data breaches over the past few years, there has been a significant rise in ATO attacks, particularly affecting e-commerce. Accenture iDefense assesses with high confidence that threat actors will continue to be successful in breaching networks and exfiltrating data, adding to the already huge amount of compromised PII already available on the Dark Web. Furthermore, ATO attacks are often easier to carry out compared to other cyberattacks. For these reasons Accenture iDefense assesses with high confidence that this type of attack will continue to grow as a threat to e-commerce in the near future.
- Refund Fraud:
Refund fraud abuses returns policies to gain money or merchandise. Accenture iDefense research found that threat actors have a large appetite for using refund fraud targeting e-commerce sites, so much so that it is now being provided “as-a-service.” One dark web site offering this service describes how the process works.
The initial steps consist of a customer ordering goods using their own details. Once the customer receives the item, they notify the refund service, and the site handles the rest. The customer is charged a fee, found to be generally within 12 and 30 percent of the refund with a minimum charge of US $34. Accenture iDefense believes the refund fraud site utilizes a combination of the customer’s login information, order number, and the customer’s e-mail address to facilitate refunds.
As fraud detection systems become ever more sophisticated, criminals continue to fall back on social engineering as a way of exploiting the human factor. Accenture iDefense research suggests that this type of fraud requires knowledge of how each site handles its refunds, which has led to the emergence of refund services specializing in this field, thus removing this barrier to entry. Accenture iDefense assesses from the hugely positive reviews (found on dark web forums) that criminals are more than willing to pay a fee for someone else to carry out the fraud, and, therefore, more of these services will appear in the future.
What Can Be Done?
The ease at which personal information can be compromised means there will always be a thriving underground economy in the buying and selling of compromised card data; the issue for threat actors is how to successfully monetize that data once they have purchased it. Accenture iDefense constantly observes threat actors discussing and sharing knowledge of methods to defraud e-commerce sites using stolen card data and assess with high confidence that they will continue to do so, corroborating the predicted increase in CNP fraud loss between now and 2023.
Therefore, with holiday season fast approaching, Accenture iDefense issues the following recommended guidelines for both e-commerce customers and businesses to help mitigate against this threat:
- Protect all devices against data-stealing malware and be vigilant with regard to phishing sites/phishing e-mails.
- Use and regularly update anti-virus software.
- Keep operating systems, software, and browsers up to date.
- Do not engage with suspicious URLs or e-mails.
- Protect online accounts through strong passwords and use of multi-factor authentication (MFA). The recommended basic strong password has a minimum of 8 characters and includes a mix of numbers, special characters, upper-case and lower-case characters.
- Use credit cards or payment apps where possible. Credit cards offer greater consumer protections should fraud occur. Payment apps like Apple Pay, Samsung Pay, Google Pay, PayPal, and Venmo add an extra layer of security by masking the card number, expiration date, and CVV code.
- Employ a holistic, layered approach to network security. In particular, we recommend to secure Point-of-Sale (POS) systems to protect card data, and limit RDP use help prevent network compromise.
- Carry out thorough security assessments into third-party apps and infrastructure to help mitigate against supply chain attacks.
- Implement a fraud detection system to identify suspicious activity. On top of monitoring transactions, consider shifting focus to identity, session, and behavioral monitoring to assess risk before a transaction.
- Establish a baseline of known ATO activity to determine common pathways for account compromise. Detection or prevention tactics can then be implemented, such as enforcing multi-factor authentication.
- Create a stringent returns policy. Ensure staff are trained appropriately, beware of omni-channel returns (buy online and return in-store), and return funds to the same payment method originally used.
1 10 commerce trends for 2019
2 10 commerce trends for 2019
3 Winter holidays FAQs
4 Retailers to lose $130bn globally in card-not-present fraud over the next 5 years
5 Here’s how much your personal information is selling for on the dark web
6 Identity theft statistics
7 What is magecart? Credit card-stealing malware proves hard to stop