Introduction
Over the past few years, online shopping has grown significantly, making it extremely easy to
order anything you like, whenever you like, to wherever you like. Technology has made it more
convenient for us to purchase goods, and threat actors are no exception. This growth in online
shopping, combined with the explosion of compromised financial data available, is why the
retail and eCommerce industries are some of the most targeted sectors in the Dark Web. The
ease with which you can commit fraud these days and get goods delivered to your doorstep
with little to no risk, is just too appealing to overlook.
If you’re an eCommerce merchant, you already know that fraud is a fact of life. eCommerce
fraud nets its perpetrators tens of billions of dollars each year, and there’s no sign of it slowing
down. For retailers, fraud falls somewhere between “inconvenience” and “crippling.” No matter
the magnitude of fraud you face, failing to prepare adequately can leave merchants with huge
financial losses. But it’s not just the direct fraud costs that hurt merchants. Contrary to popular
belief, more money is lost managing fraudulent purchases than is actually lost to chargebacks.
Fraud puts a lot of strain on customer support teams, hinders the ability to scale or expand
internationally and leads to unhappy customers (aka brand reputation damage). These costs
can be far more damaging, so organizations need to make sure they’re managing the fraud
process efficiently, while working to identify fraud attempts early.
From there, it’s only a question of abilities and scale. Retail fraudsters range from your
average neighborhood whiz kid who uses a stolen credit card to order the new Call of Duty,
to organized crime groups that buy digital goods as a money laundering tactic. Retailers of
all sizes are getting hit. From your local pizza shop to huge retail conglomerates, fraud affects
every company that sells products, services, or goods online. It’s important that organizations
understand the latest fraud and cyber scam tactics so they can identify fraud early and respond
appropriately.
In this research report, IntSights and Riskified will show the scope and severity of the current
threat and fraud landscape for retailers. We will share key research findings and common
examples of retail fraud and show how fraudsters commonly target retailers using their digital
assets and the dark web. Additionally, we will explore the latest threats to the retail sector, such
as tools, techniques and real-life examples, and we will close with our predictions for 2019.
Methodology
This research looks at retail fraud from two sides of the problem: trends in stolen financial data, and trends in fraud
methods and frequency. Both IntSights and Riskified have large pools of threat data and research, which we have
combined to provide a wide view into the threat landscape of the retail and eCommerce sectors.
IntSights analyzed threat data from over 20 retail customers of various sizes from Q3 2017 to Q3 2018.
Riskified used its data gathered from millions of transactions to help understand the global scale of fraud. IntSights and
Riskified combined their data to identify key trends in fraud and cybersecurity threats facing the retail and eCommerce
industry, and to highlight which threats and vectors pose the largest risk.
[Chart: quarterly values, Q4 2017 to Q3 2018; bars labelled 286, 448, 1082 and 1485]
As credit card fraud becomes harder for small-time fraudsters, more sophisticated fraudsters use bots to automatically
order large quantities of online goods from retailers and then sell them in dark web markets at a fraction of the original price.
This trend is expected to keep rising, as it is hard to prevent and poses little to no risk for the hacker, who only needs a
fraction of their transactions to succeed in order to net a big profit.
[Chart: quarterly values, Q4 2017 to Q3 2018; bars labelled 119, 340, 473 and 484]
[Chart: quarterly values, Q3 2017 to Q2 2018, two series (suspicious applications and social media profiles, per the heading that follows); bars labelled 823, 1027, 1599, 1695, 2938, 2994, 5839 and 7550]
469% and a 345% Spike in Suspicious Applications and Social Media Profiles
(respectively) in Q4 2017
One of the interesting trends we observed over the past year is a spike in new fake apps and social media profiles
created in Q4 2017. October through December are hot months for retailers. Chinese Singles Day, Black Friday, Cyber
Monday, and the culmination of December’s holiday season provide hackers with increased opportunity to scam
unknowing users. We suspect this spike in activity is a result of cybercriminals trying to profit off of holiday cyber
scams.
As we head into the 2018 holiday season, retailers need to be aware of how cybercriminals run their scams; social
media and fake mobile apps are common attack vectors.
Average of 22.1 Internal Login Pages or Development Servers Exposed Per Retail
Company in 2018
To prevent unauthorized access and breaches, you need to lock down the different access points into your
network. Internal login pages and development servers are often misconfigured, providing cybercriminals with a portal
into the retailer’s internal network.
So far in 2018, we’ve seen an average of 22.1 internal login pages or DevOps servers exposed to the web per retail
company. These pages are often set up by employees without the involvement of the security team, and therefore pose
a risk of exposing sensitive data. The potential damage of an exposed or easily accessible database is severe, and
there are numerous examples of customer data that was leaked simply due to misconfiguration of the page settings.
Even if the leak did not contain any financial data (such as a marketing database), it can still be used to send focused
phishing emails with relevant and accurate information, or simply be sold in the dark web for a quick profit.
Fraud rate by industry, safest to riskiest (chart legend: Safer Than Average / Riskier Than Average):
Health & Beauty 0.1%, Jewelry & Watches 0.3%, Food 1.0%, Automotive 1.1%, Electronics 1.8%, Travel 3.1%,
Fashion 4.2%, Gift Cards 9.0%, Tickets 12.2%
Fraud rate by country, safest to riskiest among the values recovered from the chart (chart legend: Safer Than Average /
Riskier Than Average):
Australia 0.5%, China 0.6%, Germany 0.7%, Canada 1.1%, Japan 1.1%, South Korea 1.2%, France 1.3%,
United Kingdom 1.9%, Russia 2.3%, Spain 2.4%, Italy 2.5%
Some of the riskier countries in the list (Mexico, Brazil, India) are known to have companies with weaker cybersecurity
measures in place. This is why we see an increased level of fraud activity in these regions, because threat actors like to
attack weak targets, even on a global scale.
Here are a few reasons why the Retail sector is such an attractive target for threat actors:
1. Ease of Fraud: You order online with a stolen credit card and get the goods to your doorstep. One
site didn’t work? You can always keep going until you find one that does. The stolen card you’re
using didn’t work? You can just request a refund from the black market vendor you got it from (yes,
this is a real option). All of this can take place from the comfort of your own home.
2. Weak Security: Retailers don’t invest enough in protecting their online operation, and there are
fewer regulations mandating that they do so (compared to industries like Financial Services and
Healthcare). Secure website development was never a retailer’s core business; their focus is on
ease of use, marketing and upselling. Be it physical security or cyber security, fraudsters are always
trying new tactics and approaches, making it difficult for merchants to keep up. Online shopping
has led to an explosion of new and diversified attack vectors.
3. Variety: From small to big, you have thousands of worldwide retailers, offering almost any type of
good you could be looking for. If one doesn’t work, you can always try another.
4. Low Risk, High Reward: Defrauding retailers is a very easy task. The sheer amount of transactions
means law enforcement can’t be involved in every stolen credit card identified. A rejected
transaction won’t amount to a police investigation, and a successful fraudulent transaction can
take weeks to months to be discovered when the digital trails are already cold. The technical ease
with which you mask the origin of a transaction is also in play. For example, when an order in a
retail site comes from a Colombian IP with a French credit card ordering from an American retailer
to an address in Russia, the chances of being caught by law enforcement decrease significantly.
5. Status Symbols: A lot of hackers feel that the goods they obtain through fraud are a direct reflection
of their skills. Therefore, they value expensive or limited items, like the latest computer hardware,
expensive clothes, watches, computer games, or even vacations. These goods are considered a
status symbol among hackers and are all part of the luxuries of the lucrative hacker life.
The Retail sector is vast and contains vendors of all shapes and sizes. eCommerce and online shopping have
grown exponentially in recent years, and the threats have grown with them. Without intelligence and visibility into
these evolving threats, threat actors will continue to successfully scam you and your customers out of millions
of dollars each year.
For 2018, Riskified estimates that eCommerce merchants will pay a total of $42 billion in chargebacks. That’s a huge
number. But it’s dwarfed by the $165 billion that they’ll lose on unnecessarily declined orders. These false declines are
missed sales that could have easily been captured, meaning that merchants sacrificed revenue and squandered the
marketing spend that first attracted them. But the problem is even larger. Those declined customers are unlikely to
return, so a lifetime of value has been lost.
It doesn’t have to be this way. Fraud prevention has taken a major step forward in the last five years. Riskified uses
machine-learning technology to review and approve far more orders - instantly - than merchants using legacy solutions
do. Riskified is typically able to safely approve 30-70% of orders that merchants would have declined without adding
friction to the customer’s checkout process. It means more approved orders for happier customers and gives merchants
the ability to scale seamlessly.
As an example, compare a physical-goods purchase with a digital one: a coffee table versus a plane ticket. The coffee
table has a billing and shipping address, and they’re very
likely to match. It’s also very likely that the IP address from which the shopper placed the order is the same or very
close to those billing and shipping addresses. People don’t usually buy coffee tables while out and about. A plane ticket
is the opposite. It has no shipping address. International credit cards are quite common and purchasing on a mobile
device from an unfamiliar location makes complete sense. That makes it much more difficult for the airline or online
travel agency to evaluate the purchase.
Some industries bring multiple challenges into the equation. Travel, for sure, is one of those. But consider digital tickets
for events. Those are often purchased on the go, at the last minute, have no shipping address and are easily resold.
That’s a great package for a fraudster. Or consider digital gift cards. They make a great last-minute gift, require no
shipping address, are extremely easy to resell and the email address likely shouldn’t match the buyer’s. Industries with
those types of challenges have to be very smart about how they approach approving orders.
At first glance, it seems there are no differences between small and big retailers. Fraud is fraud, and it doesn’t matter
who it happens to. Threat actors can try multiple avenues of attack and will use the method that worked best for them.
But on a second look, there are some differences that matter.
Fulfillment
Firstly, the attack surface of bigger retailers is much wider. Where small retailers offer only a few fulfillment methods,
bigger retailers offer many.
For example, “buy online, pickup in store” (BOPIS) has become a very important fulfillment channel for larger
merchants. They’re taking advantage of their physical presences to offer a service that their online-only competitors
can’t. It’s a very powerful differentiator. It’s also, unfortunately, one that is increasingly targeted for fraud. As recently
as a year ago, Riskified was telling merchants that “BOPIS” was a safe channel for them, and it was true! However,
recently we’re seeing huge growth in the rates of BOPIS fraud attacks.
Small vendors do appear in dark web chatter, but they are usually mentioned as already having been hacked or as an easy
target for fraud. As defense systems get better, attackers prefer to work in bulk and won’t invest in building custom tools
for small retailers. But some malware types (for example, POS malware) are designed to infect any vulnerable retailer
indiscriminately. These attacks usually hit small retailers, which have minimal security and are unable
to respond quickly to newly published exploits and vulnerabilities. Hackers won’t talk about every small retail chain they
hack, but they will offer the stolen data for sale, and news of the hack will surface later.
When talking about targeting and reconnaissance, we need to separate behind-the-scenes hacker activity
from their upfront dark web activity. Hackers work to penetrate retailers all the time, be it with malware, a
vulnerability or a malicious JavaScript. Most of these actions are not documented on dark web forums and
take place behind the scenes.
The data obtained from these actions then finds its way onto the dark web, either in black markets, credit
card shops, and/or PII shops. Sometimes the malware itself is offered for sale, or a technique for defrauding
a certain retailer, but not all methods are exposed, as hackers like to keep their cards (no pun
intended) close to their chest.
So, how is the dark web used when targeting retailers? We can divide the interest into a couple of categories:
1. Data Breaches / Databases: This usually involves information leaked from previous hacks which is up for
sale. This information can be sold in a variety of packages and types, including in bulk, or one by one, credit
data, or just personal information, confidential documents, business secrets and more. Every piece of data
that was stolen in a breach can and will be sold for profit.
2. Fraud/Scam Tools and Techniques: As with every community, people like to share. Hackers share tools,
methods, interesting findings, vulnerabilities, admin credentials, or just boast about their latest fraud
achievement. Tools and techniques can be shared for free or sold for profit. The reality of fraud is first come
– first served. The inventors of tools and techniques get the first piece of the cake, and lower-level hackers
get the leftovers, often discovering that some tools and techniques no longer work.
3. Fake Accounts & Phishing: The most common way today to steal information is through phishing. Social
engineering will continue to work as long as humans are involved, meaning – indefinitely. Although phishing
activity is mostly behind the scenes, as hacker groups won’t publish their attack destinations upfront, some
of the activity will find its way to dark web forums, and the stolen data will definitely be offered for sale.
4. Malware & Botnets: Malware is another behind-the-scenes activity that isn’t always published on the dark
web. This is not to say that there isn’t any malware intended to target retailers, but rather, the product of
the malware—credit cards, personal details, company data—occupies a far wider part of dark web chatter.
As for botnets, these are common, as they offer a simple management console that requires minimal
understanding and can garner high profits in a short time, usually when deployed against an inadequately
defended retailer.
The attack surface of retailers ranges from physical fraud to a variety of cyber threats targeting either the company
directly or its customers and/or brand credibility. Each threat poses a security risk of its own and adds another vector
that retailers must protect against. Between stolen credit cards, hacked user accounts, and fraudulent transactions,
retailers have a steadily growing and constantly changing attack surface, making it difficult to defend against new
cyber threats.
The methods to obtain credit card details are vast. Small-time hackers obtain credit cards for their own use, big-time
players obtain cards in order to sell them on black markets to small/medium players. Here is an unexhaustive list of
methods for obtaining credit cards:
1. Phishing Websites: One of the most common ways to get credit card data is to set up a phishing website
that pretends to be a legitimate online shop.
2. Point of Sale (POS) Malware: Infecting POS machines of unsuspecting retail chains and siphoning every
credit card that’s being swiped in them can generate hundreds to thousands of credit card numbers per day.
3. ATM Skimmers: Similar to POS malware, these physical card readers can copy the data of every card
entered at the ATM and send it to a hacker’s server.
4. Malicious Apps: Either by mimicking a popular bank app or by keylogging within a legitimate app,
malicious apps are a very prolific way to get credit card and bank data.
5. Trojan Malware: This involves infecting a computer with keylogging and/or screenshot-taking programs
that monitor activity on bank or credit company websites.
6. Social Engineering: This can be a fake bank support call, an SMS message (smishing) that leads to a
phishing site, a tax return request, or a fake job proposal. Social engineering is very hard to mitigate as it
depends on a person’s voluntary action, which is hard to anticipate and defend against.
7. Black Markets: Fraudsters needn’t be hackers. For some, it’s as easy as going to black markets and
buying a bunch of stolen credit cards. They’ll cost anywhere from $1 to $20 each, depending on the quality
and freshness of the card (Figure 1).
Fraudsters use stolen credit cards or compromised accounts at merchants that have a physical store either near them
or near their “customer.” They then place the order and select quick BOPIS fulfillment. Finally, they either pay “mules” a
reasonable fee to pick up and reship the goods, pick up the items themselves (perhaps with a fake ID) or direct their
“customers” to retrieve their purchases.
You might think this method would pose a larger risk to fraudsters, as it requires them to physically visit the location
to pick up the item. However, the goal of BOPIS is to give customers access to their goods faster, meaning there is
less time to identify a fraudulent transaction. BOPIS fulfillment can be as short as one hour, and fraudsters try to take
advantage of this quick turnaround to pick up their goods before the fraud is identified. Additionally, they’re picking up
items from store associates who often aren’t trained in loss prevention and want to make their customers happy.
A quickly made fake ID may be more than enough to overcome any attempt to verify the customer.
We’ve seen plenty of evidence that legitimate shoppers really appreciate these omnichannel flows. That’s part of why
smart fraud prevention is so important. Merchants with physical locations should absolutely take advantage of them
to differentiate from online-only merchants, but they have to implement these flows in a smart way. Methods that add
friction or unnecessarily block good customers negate the good that these offerings can do and put merchants back in
the same spot.
Fraudsters recognize the potential of using a compromised account because it’s less risky and they don’t need to use a
stolen credit card to make purchases. Having the account information makes them look more like a good shopper and
increases the likelihood of success. These fraudsters may also take advantage of loyalty accounts to redeem reward
points or miles without needing additional credit card information.
These types of attacks are both particularly hard to detect and very damaging. Detection requires smart systems and
an ability to verify the customer before he or she reaches the checkout phase. Finding the right balance between low
friction and high security can be difficult. But it’s extremely important, because a compromised account will seriously
hamper customer satisfaction. Shoppers whose accounts are hacked are likely to be very unhappy, blaming the
merchant and possibly voicing that dissatisfaction to friends or through social media. Tracking the sale of these
accounts in black markets can stop the fraud attempt before it launches and alert the customer to the breached account
before it is used.
Fortunately, Riskified’s solution can detect bots and halt their ability to place orders. In addition, IntSights can help find
and track the sources from which these attacks originate (Figure 6).
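Tracking sold accounts is one side of account-takeover defense; the other is spotting the takeover attempt in your own login logs. The following is an added example, not code from the report or from either vendor's product. It runs over a small constructed login log and flags (a) source IPs that cycle through many distinct accounts in a short window, the credential-stuffing pattern that bots produce, and (b) successful logins that deserve a low-friction step-up check before the account reaches checkout. The field layout, thresholds and every event are assumptions.

```python
"""Account-takeover signals in login events: credential stuffing and country changes.

Added example (not from the IntSights/Riskified report). The log format, the
thresholds and every event below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source ip> <account> <result> <geo country>"
SAMPLE_LOG = """\
2018-11-20T10:00:01Z 203.0.113.7 alice FAIL US
2018-11-20T10:00:02Z 203.0.113.7 bob FAIL US
2018-11-20T10:00:02Z 203.0.113.7 carol FAIL US
2018-11-20T10:00:03Z 203.0.113.7 dave FAIL US
2018-11-20T10:00:03Z 203.0.113.7 erin FAIL US
2018-11-20T10:00:04Z 203.0.113.7 frank OK US
2018-11-20T10:00:05Z 203.0.113.7 grace FAIL US
2018-11-20T10:05:00Z 198.51.100.2 frank OK BR
2018-11-20T11:00:00Z 192.0.2.10 heidi FAIL US
2018-11-20T11:00:30Z 192.0.2.10 heidi OK US
"""


def parse_log(text):
    """Turn the constructed log lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result, country = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "account": account,
            "ok": result == "OK",
            "country": country,
        })
    return sorted(events, key=lambda e: e["ts"])


def credential_stuffing_sources(events, window=timedelta(minutes=1), min_accounts=5):
    """Source IPs that try many *distinct* accounts inside one window.

    One user mistyping a password hits one account repeatedly; a bot replaying
    a leaked credential list hits many accounts once each. Returns
    {ip: max distinct accounts seen in any window}.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            accounts = {e["account"] for e in evs[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = max(flagged.get(ip, 0), len(accounts))
    return flagged


def suspicious_successes(events, stuffing_ips):
    """Successful logins that deserve a step-up check before checkout.

    Two reasons are recorded: the success came from a credential-stuffing
    source, or the account's last successful login was from another country.
    """
    last_country = {}
    findings = []
    for e in events:
        if not e["ok"]:
            continue
        reasons = []
        if e["ip"] in stuffing_ips:
            reasons.append("stuffing-source")
        prev = last_country.get(e["account"])
        if prev is not None and prev != e["country"]:
            reasons.append("country-change")
        last_country[e["account"]] = e["country"]
        if reasons:
            findings.append({"account": e["account"], "ip": e["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sources = credential_stuffing_sources(evs)
    for finding in suspicious_successes(evs, sources):
        print(finding)
```

A real deployment feeds events from the authentication service and keys on device fingerprint as well as IP, since stuffing tools rotate through proxies; the sliding-window logic stays the same.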
Admin Credentials
Admin credentials are another popular dark web commodity. These credentials are sold with admin privileges to
company assets, which can be used in a variety of ways:
1. Hacking a Company Website: When you have access to edit and modify a retail website, there’s no limit
to what can be done. Hackers often use these credentials to implement and advertise their stolen products
on the company’s real website, which allows their goods to be sold in higher volumes, something that
black markets do not allow. The product may or may not be delivered, depending on the hacker’s intention.
Hackers can also install malware on the website to harvest credit card data from unsuspecting buyers.
2. Hacking Corporate Systems: We have seen hackers selling credentials to internal servers, especially ones
that have a connection to POS machines, allowing other hackers to install malware on them and skim credit
card data. Hackers also look for admin credentials as a general attack vector to get a foothold in a retailer
network to monitor activity and identify new fraud methods.
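The "install malware on the website to harvest credit card data" scenario in point 1 leaves a trace a defender can check for: the set of scripts on the payment page changes. The following added example (not the report's code and not a feature of either vendor's product) fingerprints every script on a checkout page, external ones by URL and inline ones by hash, and diffs a new snapshot against a known-good baseline. Both page snapshots and the hostnames in them are constructed.

```python
"""Detect script injection on a checkout page by comparing it to a known-good baseline.

Added example; it is not from the report and not a product feature of either
vendor. The two page snapshots below are constructed, and the script hosts
are placeholders.
"""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src.strip())
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))


def script_fingerprint(html):
    """Return the set of script identities on a page.

    External scripts are identified by URL, inline scripts by the SHA-256 of
    their whitespace-trimmed body, so both a new script tag and a silently
    edited inline block show up as a difference.
    """
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    ids = {"src:" + url for url in collector.external}
    ids |= {
        "inline:" + hashlib.sha256(body.strip().encode("utf-8")).hexdigest()
        for body in collector.inline
    }
    return ids


def diff_scripts(baseline_html, current_html):
    """Scripts present now but not in the baseline, and vice versa."""
    base = script_fingerprint(baseline_html)
    cur = script_fingerprint(current_html)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


# Constructed baseline snapshot of a checkout page.
BASELINE_PAGE = """<html><head>
<script src="https://cdn.shop.example/checkout.js"></script>
<script>window.checkoutConfig = {currency: "USD", step: "payment"};</script>
</head><body><form id="payment"><input name="card"></form></body></html>"""

# Constructed later snapshot: the inline config was edited and an extra
# third-party script appeared on the payment page.
CHANGED_PAGE = """<html><head>
<script src="https://cdn.shop.example/checkout.js"></script>
<script>window.checkoutConfig = {currency: "USD", step: "payment", debug: true};</script>
<script src="https://static.example-thirdparty.invalid/tag.js"></script>
</head><body><form id="payment"><input name="card"></form></body></html>"""


if __name__ == "__main__":
    print(diff_scripts(BASELINE_PAGE, CHANGED_PAGE))
```

Run it against the page as a customer actually receives it (after any CDN or tag manager has acted), keep the baseline under change control, and treat any "added" entry on a payment page as an incident until it is traced to an approved deployment.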
1. Merchants will leverage new omni-channel flows, and fraudsters will exploit them. New buying
options like mobile purchases in store, delivering goods to an idling vehicle, and last-mile
delivery by store employees will allow merchants to take advantage of their physical presences,
and fraudsters will do the same.
2. Phishing will continue to enable and fuel retail fraud. Whether it’s directed at customers or
employees, the human factor is nearly impossible to mitigate, and we’ll keep seeing these types
of attacks rise, enabling fraud to take place.
3. Account takeover attacks will be a huge vector for fraudsters, and we’ll start to see media
coverage of new repercussions of those attacks, such as reward points and miles being stolen
and spent.
4. Automation of fraud tools will intensify. When money is involved, volume is the name of the
game, and buying bots and malicious scripts are just the beginning. More tools for automatic
fraud techniques will appear from advanced hackers, and will be sold in black markets,
enabling novice hackers to carry out similar techniques that will keep fraud on the rise.
Recommendations
While you can never reduce fraud completely, you can certainly minimize it. In addition, responding to fraud
appropriately can save even more money each year on the soft costs of fraud. Here are our recommendations for how
retailers and eCommerce organizations should monitor for and respond to cyber fraud.
1. Monitor Social Media: Many scams start on social media. Search for your brand’s name or original
products, and you’ll be surprised to see who offers those products on your behalf. Make sure you have a
process in place to monitor social media sites for fake accounts, unauthorized product advertisements and
phishing scams.
2. Publicize Your Contact Channels: A large portion of social engineering and phishing attacks rely on the
victim’s unfamiliarity. Regularly updating customers on the appropriate channels to contact and engage
with your company, like web channels, social media and customer support lines, reduces the risk of
fake accounts directing them elsewhere. Moreover, it will help you inventory your different communication
channels, as some big retailers are unaware of or have neglected their own channels, which can be hacked
and used against them.
3. Monitor the Dark Web for New Hacker Tools: Knowing which tools are sold and used to target you can
help you put the appropriate security measures in place to mitigate and stop the attacks before any fraud
is committed. For example, identifying a gift card generator for your company allows you to change your
algorithm or renew your codes to stop future fraudulent purchases. But these generators often only appear
on the dark web, so you can’t spot them if you’re not monitoring dark web forums and black markets.
4. Watch Your Retail Website Carefully: Monitor your website(s) constantly for any changes, especially
to pages that require any credit or personal details. Tightly control the credentials to edit your sites, and
carefully manage the list of personnel authorized to make changes to the site.
5. Control and Limit Access to Databases: Customer data is used by many different departments, and it’s
important that they have access to this data to perform their functions efficiently. But increased access
means increased risk. Make sure to secure and control access to company databases using multi-factor
authentication or other advanced solutions. Limit access to databases to relevant people only, and block
or tightly control access to online databases with sensitive material. Lastly, ensure that web-based internal
pages are configured and secured properly so they don’t expose confidential information. Too often data is
leaked simply due to user error in the configuration process.
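Recommendation 3 mentions changing your gift card algorithm once a generator for it appears. A generator only works when codes are predictable (sequential, short, or derived from a rule the attacker can learn), so the defender's fix is codes that are random and carry a keyed check value, with a key identifier that lets old keys be retired. The following added example (not the report's code, and not any vendor's scheme) does that with HMAC-SHA256; the keys, alphabet and code format are constructed.

```python
"""Gift card codes that a third-party 'generator' cannot reproduce.

Added example, not from the report. The keys, the alphabet and the code
format are constructed; in production the keys come from a secrets manager.
"""
import hashlib
import hmac
import secrets

# 32 symbols, 5 bits each; 0/O and 1/I are left out to avoid misreads on cards.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
# Constructed keys. The key id is embedded in each code so old keys can be
# retired without invalidating every card still in circulation.
KEYS = {1: b"constructed-retired-key", 2: b"constructed-current-key"}
CURRENT_KEY_ID = 2


def _to_alphabet(data: bytes, length: int) -> str:
    """Map the low `length * 5` bits of `data` onto ALPHABET characters."""
    bits = int.from_bytes(data, "big")
    out = []
    for _ in range(length):
        out.append(ALPHABET[bits & 31])
        bits >>= 5
    return "".join(reversed(out))


def issue_code(key_id: int = CURRENT_KEY_ID) -> str:
    """80 random bits plus a 40-bit keyed check value, formatted for printing."""
    body = _to_alphabet(secrets.token_bytes(10), 16)
    tag = _to_alphabet(hmac.new(KEYS[key_id], body.encode(), hashlib.sha256).digest(), 8)
    return f"{key_id}-{body[:4]}-{body[4:8]}-{body[8:12]}-{body[12:]}-{tag}"


def verify_code(code: str, allowed_key_ids=(CURRENT_KEY_ID,)) -> bool:
    """Cheap first check before any database lookup: was this issued by us?"""
    try:
        kid, *parts, tag = code.upper().split("-")
        kid = int(kid)
    except ValueError:
        return False
    if kid not in allowed_key_ids or kid not in KEYS:
        return False
    body = "".join(parts)
    if len(body) != 16 or len(tag) != 8 or any(c not in ALPHABET for c in body):
        return False
    expected = _to_alphabet(hmac.new(KEYS[kid], body.encode(), hashlib.sha256).digest(), 8)
    # Constant-time comparison so verification timing does not leak the tag.
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    code = issue_code()
    print(code, verify_code(code))
```

The check value only proves that the merchant issued the code; redemption still has to be looked up and marked in the issued-code database, and the verification endpoint still needs rate limiting. What the scheme buys is that offline guessing and "generators" produce nothing that passes the first check, and the key id lets you rotate keys without invalidating cards already in customers' hands.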
1. Remove Static or Rules-based Filters and Blacklists: Too many merchants completely block
certain order segments or geographies, unnecessarily reducing revenue without providing much
security. Additionally, payment gateways often activate fraud filters that prevent merchants from
even seeing certain orders. Merchants should eliminate these practices on their end and confirm
with their payment gateway that these filters are not active.
2. Don’t Rely Solely on Matches When Evaluating Orders: There are many reasons that a good
order would have an AVS mismatch, billing/shipping address mismatch or other data mismatch due
to international orders. Using mismatches alone in making decisions will lead to lost revenue.
3. Be Careful of Adding Friction: Some industries and some situations may require a low-friction
means of verification, such as an SMS confirmation if you’re concerned about an account-takeover
attack. But adding too much friction is a problem. Customers abandon carts if the order process
gets too cumbersome, so view additional friction as one of your last lines of defense.
4. Look for a Fraud Solution that Scales with You: Many merchants rely on manual review, which
can mean seasonal hiring and slow expansion. Being able to sell whenever and wherever is key to
growth, so select a fraud solution that can grow with you based on seasonality, fads and consumer
buying cycles.
5. Adjust Your Fraud Approach to Fit how Your Customers Shop: If you sell to a younger audience,
then you probably have a lot of mobile orders. Make sure you’re developing your fraud-detection
process with that in mind. If you’re in a very competitive industry, then recognize that you should
work with customer experience in mind. Learn your customers and make your fraud prevention fit
them rather than vice versa.
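The coffee table versus plane ticket comparison earlier in the report and the advice above not to decide on mismatches alone describe the same idea: a mismatch is one weighted signal, and its weight depends on what is being bought. The following added example (not Riskified's model) scores a few constructed orders that way. The industry priors reuse the fraud rates from the report's industry chart; the signal weights, thresholds and sample orders are assumptions.

```python
"""Weighted order-risk scoring: mismatches as signals, not verdicts.

Added example. It is not Riskified's model; the weights, thresholds and sample
orders are constructed. The per-category priors reuse the fraud rates listed
in the report's industry chart, with a constructed default for categories the
chart does not cover.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fraud rate by industry from the report's chart, used here as a prior (percent).
CATEGORY_RATE = {
    "tickets": 12.2, "gift_cards": 9.0, "fashion": 4.2, "travel": 3.1,
    "electronics": 1.8, "automotive": 1.1, "food": 1.0,
    "jewelry": 0.3, "health_beauty": 0.1,
}
DEFAULT_RATE = 1.5  # constructed prior for categories not in the chart


@dataclass
class Order:
    category: str
    digital: bool                    # no shipping address (tickets, gift cards, travel)
    billing_country: str
    shipping_country: Optional[str]  # None for digital goods
    ip_country: str
    avs_match: bool
    account_age_days: int
    mobile: bool
    amount: float


def risk_score(o: Order) -> Tuple[float, List[str]]:
    """Add weighted signals on top of the category prior.

    Mismatch signals are discounted for digital orders, where a foreign card,
    a travelling IP and a mobile device are what a good customer looks like.
    """
    score = CATEGORY_RATE.get(o.category, DEFAULT_RATE)
    signals = []
    mismatch_weight = 0.5 if o.digital else 2.0
    if not o.avs_match:
        score += 3 * mismatch_weight
        signals.append("avs_mismatch")
    if o.shipping_country is not None and o.shipping_country != o.billing_country:
        score += 4 * mismatch_weight
        signals.append("ship_bill_country_mismatch")
    if o.ip_country != o.billing_country:
        score += 3 * mismatch_weight
        signals.append("ip_country_mismatch")
    if o.account_age_days < 1:
        score += 2
        signals.append("new_account")
    if o.mobile and not o.digital:
        score += 1
        signals.append("mobile_physical")
    if o.amount > 1000:
        score += 2
        signals.append("high_value")
    return round(score, 1), signals


def decide(o: Order, review_at: float = 10.0, decline_at: float = 25.0):
    """Three outcomes instead of a binary rule: approve, review, decline."""
    score, signals = risk_score(o)
    if score >= decline_at:
        return "decline", score, signals
    if score >= review_at:
        return "review", score, signals
    return "approve", score, signals


# Constructed sample orders.
COFFEE_TABLE = Order("furniture", False, "US", "US", "US", True, 400, False, 350.0)
PLANE_TICKET = Order("travel", True, "FR", None, "ES", False, 30, True, 600.0)
# The report's own illustration (Colombian IP, French card, Russian address),
# here on a brand-new account buying a high-value physical item.
ROUTED_ORDER = Order("furniture", False, "FR", "RU", "CO", False, 0, False, 1500.0)
GIFT_CARD = Order("gift_cards", True, "US", None, "CA", True, 500, False, 100.0)


if __name__ == "__main__":
    for name, order in [("coffee table", COFFEE_TABLE), ("plane ticket", PLANE_TICKET),
                        ("routed order", ROUTED_ORDER), ("gift card", GIFT_CARD)]:
        print(name, decide(order))
```

The routed order reproduces the report's Colombian-IP, French-card, Russian-address example and lands in "decline"; the same two mismatches on a plane ticket stay in "approve", which is the point of weighting signals rather than blocking on any one of them.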
Contributions
About Riskified
Riskified improves global eCommerce for merchants and consumers. The world’s largest brands - from airlines to luxury fashion
houses to gift card marketplaces - trust us to increase revenue, manage risk and improve their customer interactions. Inefficient
eCommerce fraud prevention and unnecessarily declined orders cost businesses billions in chargebacks, overhead and missed
sales. Riskified uses powerful machine-learning algorithms to recognize good orders and weed out bad with a 100% guarantee
against fraudulent chargebacks. Sell with confidence. Trust Riskified.
About IntSights
IntSights is redefining cyber security with the industry’s first and only enterprise threat management platform that
transforms tailored threat intelligence into automated security operations. Our ground-breaking data-mining algorithms
and unique machine learning capabilities continuously monitor an enterprise’s external digital profile across the
surface, deep and dark web, categorize and analyze tens of thousands of threats, and automate the risk remediation
lifecycle — streamlining workflows, maximizing resources and securing business operations. This has made IntSights’
one of the fastest growing cyber security companies in the world. IntSights has offices in Tel Aviv, Amsterdam, New York
and Dallas and is backed by Glilot Capital Partners, Blumberg Capital, Blackstone, Tola Capital and Wipro Ventures.