An almost tripling of the number of false retailer websites intended to phish for customer credentials and black-market listed stolen goods for resale are some findings in a new report.
Riskified and IntSights Cyber Intelligence released “The Retail and eCommerce Threat Landscape Report,” which studied how the growth in online shopping, combined with the explosion of compromised financial and card data available, make the retail and e-commerce industries among the most targeted sectors in the darknet.
The joint report, which analyzed data from third quarter 2017 to third quarter 2018, addressed the scope and severity of the current threat and fraud landscape for retailers from selling credit card data and personal information from data breaches to sharing commonly used tools and schemes.
“The ease with which you can commit fraud these days and get goods delivered to your doorstep with little to no risk, is just too appealing to overlook,” the report suggested. Most online retail fraud follows a simple two-step process: Get a stolen credit card, order goods from a retailer. Plus, inefficient fraud prevention costs merchants billions in chargebacks, overhead and missed sales.
The report discovered some significant trends such as a 297% rise in the number of false retailer websites designed to phish for customer credentials. In the third quarter alone, there was an average of 23 phishing sites per company, a significant increase from 2017. They also found a 278% rise in stolen goods listed on black markets for resale; an average of 22.1 internal login pages or development servers exposed per retail company in 2018; and fake apps and social media profiles on the rise with a 469% spike in suspicious applications and a 345% increase in fake social media profiles (respectively) in the fourth quarter of 2017.
The report noted retailers are increasingly focused on driving sales through a variety of online channels – including Facebook, SMS messaging, Instagram, Twitter and more — all of which provide a perfect opening for fraudsters to lure in new victims.
The report noted, “Although credit card information is not issued by retailers, they often store this information, and tend to have weaker security systems in place than financial companies.” This makes retailers one of the most targeted groups for obtaining credit card data. Once stolen, credit card data can provide fuel in the trade of stolen card information on the dark web, and to defraud the same organizations from where they originated.
Among the methods used to obtain credit cards:
- Phishing websites: A most common way to get credit card data.
- Point of sale malware: Infecting POS machines can generate hundreds to thousands of credit card numbers per day.
- ATM skimmers: can copy the data of every card entered and send it to a hacker’s server.
- Malicious apps: by either mimicking a bank app or keylogging within a legitimate app, malicious apps can acquire card and bank data.
- Trojan malware: This involves infecting a computer with keylogging and/or screenshot-taking programs that monitor activity on financial institution or credit company websites.
- Social engineering: This can be a fake bank support call, a SMS message leading to a phishing site, a tax-return request, or a fake job proposal. Social engineering is hard to anticipate and defend against because it relies on a person’s voluntary action.
- Black markets: For some, it’s as easy as going to black markets and buying a bunch of stolen credit cards that cost anywhere from $1 to $20 each, depending on the quality and freshness of the card.
