
JOINT RESEARCH BY:

Threat Intelligence Realized.



Introduction
Over the past few years, online shopping has grown significantly, making it extremely easy to
order anything you like, whenever you like, to wherever you like. Technology has made it more
convenient for us to purchase goods, and threat actors are no exception. This growth in online
shopping, combined with the explosion of compromised financial data available, is why the
retail and eCommerce industries are some of the most targeted sectors in the Dark Web. The
ease with which you can commit fraud these days and get goods delivered to your doorstep
with little to no risk, is just too appealing to overlook.

If you’re an eCommerce merchant, you already know that fraud is a fact of life. eCommerce
fraud nets its perpetrators tens of billions of dollars each year, and there’s no sign of it slowing
down. For retailers, fraud falls somewhere between “inconvenience” and “crippling.” No matter
the magnitude of fraud you face, failing to prepare adequately can leave merchants with huge
financial losses. But it’s not just the direct fraud costs that hurt merchants. Contrary to popular
belief, more money is lost managing fraudulent purchases than is actually lost to chargebacks.
Fraud puts a lot of strain on customer support teams, hinders the ability to scale or expand
internationally and leads to unhappy customers (aka brand reputation damage). These costs
can be far more damaging, so organizations need to make sure they’re managing the fraud
process efficiently, while working to identify fraud attempts early.

Most online retail fraud follows a simple 2-step process:

1. Get a stolen credit card.
2. Order goods from a retailer.

From there, it’s only a question of abilities and scale. Retail fraudsters range from your
average neighborhood whiz kid who uses a stolen credit card to order the new Call of Duty,
to organized crime groups that buy digital goods as a money laundering tactic. Retailers of
all sizes are getting hit. From your local pizza shop to huge retail conglomerates, fraud affects
every company that sells products, services, or goods online. It’s important that organizations
understand the latest fraud and cyber scam tactics so they can identify fraud early and respond
appropriately.

In this research report, IntSights and Riskified will show the scope and severity of the current
threat and fraud landscape for retailers. We will share key research findings and common
examples of retail fraud and show how fraudsters commonly target retailers using their digital
assets and the dark web. Additionally, we will explore the latest threats to the retail sector, such
as tools, techniques and real-life examples, and we will close with our predictions for 2019.

Retail & eCommerce Threat Landscape Report | October 2018


Methodology
This research looks at retail fraud from two sides of the problem: trends in stolen financial data, and trends in fraud
methods and frequency. Both IntSights and Riskified have large pools of threat data and research, which we have
combined to provide a wide view into the threat landscape of the retail and eCommerce sectors.

IntSights analyzed threat data from over 20 retail customers of various sizes from Q3 2017 to Q3 2018.
Riskified used its data gathered from millions of transactions to help understand the global scale of fraud. IntSights and
Riskified combined their data to identify key trends in fraud and cybersecurity threats facing the retail and eCommerce
industry, and to highlight which threats and vectors pose the largest risk.

Key Research Findings


[Chart: Retail Goods for Sale on Black Markets, by quarter, Q4 2017 to Q3 2018]

278% Rise in Retail Goods for Sale on Black Markets


Over the past year, we’ve seen a 278% increase in retail goods available on dark web black markets. These goods
are specific to the retailers tracked in our research; they do not include illegal goods (e.g. drugs and weapons). This
shows that the ecosystem for illegally obtaining and purchasing retail goods is growing rapidly, both in terms of variety
and quantity. These goods can be obtained through a variety of methods. They could be physically stolen, or fraudulently
purchased online with stolen credit cards, as singles or in bulk through the use of bots and automated hacking tools.

As credit card fraud becomes harder for small-time fraudsters, more sophisticated fraudsters use bots to automatically
order large quantities of online goods from retailers and then sell them in dark web markets at a fraction of the original price.

This trend is expected to keep rising, as it is hard to prevent and poses little to no risk for the hacker, who only needs a
fraction of their transactions to succeed in order to net a big profit.


[Chart: Retail Phishing Websites, by quarter, Q4 2017 to Q3 2018]

297% Rise in Retail Phishing Websites


Our data shows a significant rise in the number of retail phishing websites. It’s no surprise that phishing is increasing, as
it’s a proven, effective method for gathering credit card information. What’s interesting is the rate at which new phishing
sites are being created. Cyber intelligence services have become much better at identifying phishing sites quickly.
Therefore, cybercriminals need to create new sites even faster to avoid detection and takedown. Phishing sites that
used to be live for weeks, now are only live for days or even hours, thus raising the overall number of phishing sites.

In Q3 2018, we’re seeing an average of 23.6 new phishing sites per company per quarter. That’s roughly 2 new dedicated
phishing sites created each week per company. This is a significant increase from Q4 2017, when the rate was 5.95 new
phishing sites per company, translating to roughly 1 site every two weeks. With this increase in phishing sites,
organizations need a process in place to quickly identify and take down malicious sites that may be trying to phish
employees or customers.

Phishing is one of the easiest and most efficient ways to get a constant stream of stolen credit cards. Whether it’s through
email, Smishing (SMS text), Twitter, Facebook, WhatsApp or messenger messages, the delivery options are endless, and so
is the number of retailers available to impersonate online. Lure people to a phishing site with a familiar or
too-good-to-be-true offer, and they will voluntarily give you their credit card details. Human error can never be mitigated
completely, which is why phishing is one of the top threats to the retail sector.

Figure 1: Retail item for sale on a black market
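One way to build the identification step of such a process, as an added example (not from the report and not IntSights or Riskified tooling): triage a feed of newly observed domain names for lookalikes of the retailer's brand. The brand `examplemart`, its official domain, the distance threshold and the sample domains are all constructed for illustration.

```python
import unicodedata

BRAND = "examplemart"                  # constructed brand name
OFFICIAL = ("examplemart.example",)    # constructed: the retailer's own domains
MAX_TYPO_DISTANCE = 2                  # assumption: tune to the brand's length

# Digits and Cyrillic letters commonly used to imitate Latin letters.
SWAPS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
})


def decode_label(label):
    """Turn a punycode (xn--) label back into Unicode; leave other labels alone."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def normalise(text):
    """Strip accents and undo simple visual substitutions (1 for l, rn for m)."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    return text.translate(SWAPS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return why a domain resembles the brand, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain in OFFICIAL or domain.endswith(tuple("." + d for d in OFFICIAL)):
        return None
    brand = normalise(BRAND)
    for label in domain.split(".")[:-1]:           # skip the TLD
        decoded = decode_label(label)
        # Check each hyphen-separated token and the label with hyphens removed.
        for token in decoded.split("-") + [decoded.replace("-", "")]:
            norm = normalise(token)
            if token == BRAND:
                return "brand name used in an unofficial domain"
            if norm == brand:
                return "character substitution or homoglyph"
            if brand in norm:
                return "brand embedded in a longer name"
            if edit_distance(norm, brand) <= MAX_TYPO_DISTANCE:
                return "typo within edit distance %d" % MAX_TYPO_DISTANCE
    return None


def triage(domains):
    """Map each suspicious domain to the reason it was flagged."""
    flagged = {}
    for domain in domains:
        reason = classify(domain)
        if reason:
            flagged[domain] = reason
    return flagged


# Constructed sample of newly observed domains (reserved TLDs, not real indicators).
SAMPLE = [
    "examplemart.example", "shop.examplemart.example", "samplemarket.example",
    "examp1emart.example", "exarnplemart.test", "exampelmart.example",
    "examplemart-giftcards.test", "myexamplemartdeals.example",
    "login.examplemart.example.secure-pay.test",
    "ex\u00e1mplemart.test".encode("idna").decode("ascii"),   # IDN lookalike
]

if __name__ == "__main__":
    for domain, reason in triage(SAMPLE).items():
        print(f"{domain:45} {reason}")
```

Flagged names still need human review before a takedown request, since the checks trade false positives for speed.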


Suspicious Social Media Profiles and Applications

[Chart: Suspicious Applications and Suspicious Social Media Profiles, by quarter, Q3 2017 to Q2 2018]

469% and a 345% Spike in Suspicious Applications and Social Media Profiles
(respectively) in Q4 2017
One of the interesting trends we observed over the past year is a spike in new fake apps and social media profiles
created in Q4 2017. October through December are hot months for retailers. Chinese Singles Day, Black Friday, Cyber
Monday, and the culmination of December’s holiday season provide hackers with increased opportunity to scam
unknowing users. We suspect this spike in activity is a result of cybercriminals trying to profit off of holiday cyber
scams.

As we head into the 2018 holiday season, retailers need to be aware of how cybercriminals run their scams, and that social
media and fake mobile apps are common attack vectors.

Average of 22.1 Internal Login Pages or Development Servers Exposed Per Retail
Company in 2018
To protect against unauthorized access and breaches, you need to lock down the different access points into your
network. Internal login pages and development servers are often misconfigured, providing cybercriminals with a portal
into the retailer’s internal network.

So far in 2018, we’ve seen an average of 22.1 internal login pages or DevOps servers exposed to the web per retail
company. These pages are often set up by employees without the involvement of the security team, and therefore pose
a risk of exposing sensitive data. The potential damage of an exposed or easily accessible database is severe, and
there are numerous examples of customer data that was leaked simply due to misconfiguration of the page settings.
Even if the leak did not contain any financial data (such as a marketing database), it can still be used to send focused
phishing emails with relevant and accurate information, or simply be sold in the dark web for a quick profit.


Fraud Statistics (by Sub-Sector)


There are a number of characteristics that impact the cyber risk level of various retail sub-categories. For example, if
there is a big secondary market for a good, it makes it easier for cybercriminals to resell for profit. In addition, digital
goods (e.g. tickets, gift cards) are easier to distribute than physical goods. Here is how key retail sub-categories
compare to each other when it comes to cyber fraud.

[Chart: fraud level by retail sub-category, grouped as "Safer Than Average" and "Riskier Than Average"]

Automotive           1.1%
Food                 1.0%
Jewelry & Watches    0.3%
Health & Beauty      0.1%
Electronics          1.8%
Travel               3.1%
Fashion              4.2%
Gift Cards           9.0%
Tickets             12.2%

Fraud Statistics (by Country)


Countries also have varying levels of retail fraud activity. Here is how countries with the largest retail activity compare to
each other when it comes to retail fraud.

[Chart: fraud level by country, grouped as "Safer Than Average" and "Riskier Than Average"]

Italy                2.5%
Spain                2.4%
Russia               2.3%
United Kingdom       1.9%
France               1.3%
South Korea          1.2%
Canada               1.1%
Japan                1.1%
Germany              0.7%
China                0.6%
Australia            0.5%
United States        0.5%
India                1.9%
Mexico              10.4%
Brazil              24.9%

Some of the riskier countries in the list (Mexico, Brazil, India) are known to have companies with weaker cybersecurity
measures in place. This is why we see an increased level of fraud activity in these regions, because threat actors like to
attack weak targets, even on a global scale.


Factors Impacting Retail Fraud


Why Retailers are Such Attractive Targets
Targeting the retail sector is nothing new for criminals. Fraud, scams, hacks, or plain-old theft have always
been challenges that shops and merchants have to deal with. But with the advent of eCommerce came the
cyber risks, and they are a lot riskier than their real-world counterparts.

Here are a few reasons why the Retail sector is such an attractive target for threat actors:

1. Ease of Fraud: You order online with a stolen credit card and get the goods to your doorstep. One
site didn’t work? You can always keep going until you find one that does. The stolen card you’re
using didn’t work? You can just request a refund from the black market vendor you got it from (yes,
this is a real option). All of this can take place from the comfort of your own home.

2. Weak Security: Retailers don’t invest enough in protecting their online operation, and there are
fewer regulations mandating that retailers do so (compared to industries like Financial Services and
Healthcare). Secure website development was never a retailer’s core business; their focus is on
ease of use, marketing and upselling. Be it physical security or cyber security, fraudsters are always
trying new tactics and approaches, making it difficult for merchants to keep up. Online shopping
has led to an explosion of new and diversified attack vectors.

3. Variety: From small to big, you have thousands of worldwide retailers, offering almost any type of
good you could be looking for. If one doesn’t work, you can always try another.

4. Low Risk, High Reward: Defrauding retailers is a very easy task. The sheer number of transactions
means law enforcement can’t be involved in every stolen credit card identified. A rejected
transaction won’t amount to a police investigation, and a successful fraudulent transaction can
take weeks to months to be discovered when the digital trails are already cold. The technical ease
with which you mask the origin of a transaction is also in play. For example, when an order in a
retail site comes from a Colombian IP with a French credit card ordering from an American retailer
to an address in Russia, the chances of being caught by law enforcement decrease significantly.

5. Status Symbols: A lot of hackers feel that the goods they obtain through fraud are a direct reflection
of their skills. Therefore, they value expensive or limited items, like the latest computer hardware,
expensive clothes, watches, computer games, or even vacations. These goods are considered a
status symbol among hackers and are all part of the luxuries of the lucrative hacker life.

The Retail sector is vast and contains vendors of all shapes and sizes. eCommerce and online shopping have
grown exponentially in recent years, and the threats grow with them. Without intelligence and visibility into
these evolving threats, threat actors will continue to successfully scam you and your customers out of millions
of dollars each year.


Hard vs. Soft Costs of Fraud


Fraud prevention is a daunting task, every merchant knows that. Most merchants decide that a cautious approach to
transaction approval is the smartest way to go. It’s an understandable inclination, but it’s the wrong approach. Income
lost to chargebacks is hard to stomach, but it’s the unseen losses that are far costlier.

For 2018, Riskified estimates that eCommerce merchants will pay a total of $42 billion in chargebacks. That’s a huge
number. But it’s dwarfed by the $165 billion that they’ll lose on unnecessarily declined orders. These false declines are
missed sales that could have easily been captured, meaning that merchants sacrificed revenue and squandered the
marketing spend that first attracted them. But the problem is even larger. Those declined customers are unlikely to
return, so a lifetime of value has been lost.

It doesn’t have to be this way. Fraud prevention has taken a major step forward in the last five years. Riskified uses
machine-learning technology to review and approve far more orders - instantly - than merchants using legacy solutions
do. Riskified is typically able to safely approve 30-70% of orders that merchants would have declined without adding
friction to the customer’s checkout process. It means more approved orders for happier customers and gives merchants
the ability to scale seamlessly.

Retail Sub-Category Implications


There’s a huge variance in how merchants face fraud depending on their industry. Some important things to keep in
mind are the ease with which a fraudster can resell the goods, and the time and data that the merchant has to evaluate
purchases. As an example of ease of resale, consider a pair of rare, expensive sneakers compared to, say, a coffee
table. Sneakers have a big secondary market, passionate fans, and they’re relatively easy to ship. Furniture lacks all
of those (except maybe the passionate fans). So, sneakers are a much better target for fraudsters, and we see much
higher rates of attempted fraud there.

As an example of data, consider a physical good purchase compared with a digital good. Take that same coffee table
and compare it to someone buying a plane ticket. The coffee table has a billing and shipping address, and they’re very
likely to match. It’s also very likely that the IP address from which the shopper placed the order is the same or very
close to those billing and shipping addresses. People don’t usually buy coffee tables while out and about. A plane ticket
is the opposite. It has no shipping address. International credit cards are quite common and purchasing on a mobile
device from an unfamiliar location makes complete sense. That makes it much more difficult for the airline or online
travel agency to evaluate the purchase.

Some industries bring multiple challenges into the equation. Travel, for sure, is one of those. But consider digital tickets
for events. Those are often purchased on the go, at the last minute, have no shipping address and are easily resold.
That’s a great package for a fraudster. Or consider digital gift cards. They make a great last-minute gift, require no
shipping address, are extremely easy to resell and the email address likely shouldn’t match the buyer’s. Industries with
those types of challenges have to be very smart about how they approach approving orders.


Retailer Size Implications


The retail sector is vast, and encompasses very different vendors that differ in size, local or worldwide deployment,
physical or virtual presence, fulfillment options and type of goods. Clothing or furniture, jewelry or electronics, tickets or
travel – the variety is endless. To define retail today, it’s safe to say that if you can pay for it with a credit card online, it’s
part of the retail sector.

At first glance, it seems there are no differences between small and big retailers. Fraud is fraud, and it doesn’t matter
who it happens to. Threat actors can try multiple avenues of attack and will use the method that worked best for them.
But on a second look, there are some differences that matter.

Fulfillment
Firstly, the attack surface of bigger retailers is much wider. While small retailers have only a few methods of fulfillment,
bigger retailers have numerous fulfillment methods.

For example, “buy online, pickup in store” (BOPIS) has become a very important fulfillment channel for larger
merchants. They’re taking advantage of their physical presences to offer a service that their online-only competitors
can’t. It’s a very powerful differentiator. It’s also, unfortunately, one that is increasingly targeted for fraud. As recently
as a year ago, Riskified was telling merchants that “BOPIS” was a safe channel for them, and it was true! However,
recently we’re seeing huge growth in the rates of BOPIS fraud attacks.

Threat Actor Targeting


Secondly, we also see a big difference in dark web intelligence and target selection. We see more specific discussions
and scamming methods that target big retailers using gift card generators, discount codes, hacked user accounts with
balances, email brute force tools and more. We will cover more of these tools later on.

Small vendors do appear in dark web chatter, but they will usually be mentioned as already being hacked or as an easy
target for fraud. As defense systems get better, attackers like to work in bulk and won’t invest in building custom tools
for small retailers. But some malware types (for example, POS malware) are designed to infect any vulnerable retailer
indiscriminately. In these attacks, they will usually target small retailers, who have minimal security and are unable
to respond quickly to new exploits and vulnerabilities that arise. Hackers won’t talk about every small retail chain they
hack, but they will offer the data stolen for sale, and news about the hack will arise later.


Behind the Scenes of Retail Fraud


In this section, we go behind the scenes of a retail cyber attack and demonstrate how hackers target, plan,
breach, sell and use data to commit fraud against retailers.

Initial Reconnaissance and Retailer Targeting


Every attack starts with a motive and a target. Before they launch into an attack, hackers perform
reconnaissance on their targets and test out where their weak spots might be. When it comes to committing
retail fraud, the motive is almost always financial, so the goal is almost always to steal or create something
that can be sold or used to make money.

When talking about targeting and reconnaissance, we need to separate behind-the-scenes hacker activity
from their upfront dark web activity. Hackers work to penetrate retailers all the time, be it with malware, a
vulnerability or a malicious JavaScript. Most of these actions are not documented on dark web forums and
take place behind the scenes.

The data obtained from these actions will then find its way onto the dark web, in black markets, credit
card shops, and/or PII shops. Sometimes the malware itself is offered for sale, or a technique for how
to defraud a certain retailer, but not all methods are exposed, as hackers like to keep their cards (no pun
intended) close to their chest.


So, how is the dark web used when targeting retailers? We can divide the interest into a couple of categories:

1. Data Breaches / Databases: This usually involves information leaked from previous hacks which is up for
sale. This information can be sold in a variety of packages and types, including in bulk, or one by one, credit
data, or just personal information, confidential documents, business secrets and more. Every piece of data
that was stolen in a breach can and will be sold for profit.

2. Fraud/Scam Tools and Techniques: As with every community, people like to share. Hackers share tools,
methods, interesting findings, vulnerabilities, admin credentials, or just boast about their latest fraud
achievement. Tools and techniques can be shared for free or sold for profit. The reality of fraud is first come
– first served. The inventors of tools and techniques get the first piece of the cake, and lower level hackers
get leftovers and are often left to discover that some tools and techniques no longer work.

3. Fake Accounts & Phishing: The most common way today to steal information is through phishing. Social
engineering will continue to work as long as humans are involved, meaning – indefinitely. Although phishing
activity is mostly behind the scenes, as hacker groups won’t publish their attack destinations upfront, some
of the activity will find its way to dark web forums, and the stolen data will definitely be offered for sale.

4. Malware & Botnets: Malware is another behind-the-scenes activity that isn’t always published on the dark
web. This is not to say that there isn’t any malware intended to target retailers, but rather, the product of
the malware—credit cards, personal details, company data—occupies a far wider part of dark web chatter.
As for botnets, these are common, as they offer a simple management console that requires minimal
understanding and can garner high profits in a short time, usually when deployed against an inadequately
defended retailer.

The attack surface of retailers ranges from physical fraud to a variety of cyber threats targeting either the company
directly or its customers and/or brand credibility. Each threat poses a security risk of its own and adds another vector
that retailers must protect against. Between stolen credit cards, hacked user accounts, and fraudulent transactions,
retailers have a steadily growing and constantly changing attack surface, making it difficult to defend against new
cyber threats.


The Underground Credit Card Trade


Although credit card information is not issued by retailers, they often store this information, and tend to have weaker
security systems in place than financial companies. This makes retailers one of the most targeted groups for obtaining
credit card data. Once stolen, credit card data can be used in two ways: to fuel the trade of stolen credit card data on
the dark web, and to defraud the same organizations they originated from.

The methods to obtain credit card details are vast. Small-time hackers obtain credit cards for their own use, while big-time
players obtain cards in order to sell them on black markets to small/medium players. Here is a non-exhaustive list of
methods for obtaining credit cards:

1. Phishing Websites: One of the most common ways to get credit card data is to set up a phishing website
that pretends to be a legitimate online shop.

2. Point of Sale (POS) Malware: Infecting POS machines of unsuspecting retail chains and siphoning every
credit card that’s being swiped in them can generate hundreds to thousands of credit card numbers per day.

3. ATM Skimmers: Similar to POS malware, these physical card readers can copy the data of every card
entered at the ATM and send it to a hacker’s server.

4. Malicious Apps: Either by mimicking a popular bank app or by keylogging within a legitimate app,
malicious apps are a very prolific way to get credit card and bank data.

5. Trojan Malware: This involves infecting a computer with keylogging and/or screenshot-taking programs
that monitor activity on bank or credit company websites.

6. Social Engineering: This can be a fake bank support call, an SMS message (smishing) that leads to a
phishing site, a tax return request, or a fake job proposal. Social engineering is very hard to mitigate as it
depends on a person’s voluntary action, which is hard to anticipate and defend against.

7. Black Markets: Fraudsters needn’t also be hackers. For some, it’s as easy as going to black markets and
buying a bunch of stolen credit cards. They’ll cost anywhere from $1 to $20 each, depending on the quality
and freshness of the card (Figure 1).


Additional Fraud Tools & Methods
We’ve mentioned some of these tools before, so here
are the latest and greatest tools and techniques to
target retailers that we’ve observed in our research:

Gift Card Generators and Discount Codes
A common retail marketing strategy is to produce gift
cards or coupon codes to encourage sales. These
often consist of digital codes, which can be used to
purchase items online. However, these digital codes
are one of the main commodities traded on the dark
web. Who wouldn’t want a gift card with hundreds or
thousands of dollars to use on their favorite retailer’s
site? Better yet, you don’t even need to prove your
identity to use it!

Figure 2: Black market credit card retailer


In the past, most of the dark web gift card trade
focused on selling stolen gift cards that were obtained
from different sources. But over the past few years,
we’ve seen an evolution. Why steal gift cards one by
one, when you can hack into the company database to
steal in bulk? Even better, you can learn the retailer’s
algorithm for generating gift cards and create a key
generator that you can sell to the masses. This is
exactly what we’re seeing threat actors do (figure 2),
and it is costing retailers millions of dollars.

Here’s how it works: Every gift card uses
an ID number that ties back to an account in the
retailer’s database. Gift card generators use a bot that
generates ID numbers, checks their validity against
public algorithms, and then finally checks to see if
they have a balance remaining. This type of scheme
can significantly eat into a company’s profits and also
damage brand reputation.

Figure 3: A gift card generator found on the dark web
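The defensive counterpart to the generator scheme described above, as an added example that is not from the report: a code whose validity rests on a public checksum can be validated by anyone, whereas a random ID carrying a keyed MAC tag can only be validated by the issuer, and the balance lookup locks out clients that keep submitting invalid codes. Luhn is assumed here as a stand-in for the "public algorithms"; the key, ledger, field lengths and lockout threshold are likewise assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

ID_BYTES, TAG_BYTES = 10, 5     # 80 random bits + 40-bit MAC tag = 24 base32 characters
MAX_FAILURES = 5                # assumption: invalid codes allowed per client before lockout


def luhn_valid(number):
    """Public checksum (assumed stand-in): anyone can compute it offline."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_luhn_valid(start, count):
    """How many of `count` consecutive numbers pass the public checksum."""
    return sum(luhn_valid(str(n)) for n in range(start, start + count))


def _tag(key, card_id):
    """Truncated HMAC-SHA256 over the card ID, keyed with the issuer's secret."""
    return hmac.new(key, card_id, hashlib.sha256).digest()[:TAG_BYTES]


def issue_code(key, card_id=None):
    """Hardened issuance: unpredictable ID from a CSPRNG plus a keyed tag."""
    card_id = card_id or secrets.token_bytes(ID_BYTES)
    raw = base64.b32encode(card_id + _tag(key, card_id)).decode("ascii")
    return "-".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def verify_code(key, code):
    """Return the card ID if the tag is genuine, else None (constant-time compare)."""
    try:
        blob = base64.b32decode(code.replace("-", "").upper())
    except (binascii.Error, ValueError):
        return None
    if len(blob) != ID_BYTES + TAG_BYTES:
        return None
    card_id, tag = blob[:ID_BYTES], blob[ID_BYTES:]
    return card_id if hmac.compare_digest(tag, _tag(key, card_id)) else None


def check_balance(key, ledger, failures, client, code):
    """Balance lookup: forged codes never reach the ledger, repeat guessers are locked out."""
    if failures.get(client, 0) >= MAX_FAILURES:
        return ("locked", None)
    card_id = verify_code(key, code)
    if card_id is None or card_id not in ledger:
        failures[client] = failures.get(client, 0) + 1
        return ("invalid", None)
    return ("ok", ledger[card_id])


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # issuer secret, kept server-side
    code = issue_code(key)
    ledger = {verify_code(key, code): 2500} # constructed ledger: balance in cents
    print("issued:", code, check_balance(key, ledger, {}, "client-a", code))
    # With a public checksum, 1 guess in 10 looks valid; with the tag, 1 in 2**40.
    print("checksum-valid in 1000 consecutive numbers:",
          count_luhn_valid(6000000000000000, 1000))
```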


Buy Online, Pickup in Store (BOPIS) Fraud


This was covered earlier, but it bears repeating. BOPIS was a very safe channel not that long ago, but we’ve seen fraud
rates rapidly increase here. This is a classic pattern with fraud—where legitimate shoppers go, fraudsters follow.

Fraudsters use stolen credit cards or compromised accounts of merchants with a physical store either near them
or their “customer.” They then place the order and select quick BOPIS fulfillment. They then either pay “mules” a
reasonable fee to pick up and reship the goods, pick up the items themselves (perhaps with a fake ID) or direct their
“customers” to retrieve their purchases.

You might think this method would pose a larger risk to fraudsters, as it requires them to physically visit the location
to pick up the item. However, the goal of BOPIS is to give customers access to their goods faster, meaning there is
less time to identify a fraudulent transaction. BOPIS fulfillment can be as short as one hour, and fraudsters try to take
advantage of this quick turnaround to pick up their goods before the fraud is identified. Additionally, they’re picking up
items from store associates who often aren’t trained in loss prevention and want to make their customers happy.
A quickly made fake ID may be more than enough to overcome any attempt to verify the customer.

We’ve seen plenty of evidence that legitimate shoppers really appreciate these omnichannel flows. That’s part of why
smart fraud prevention is so important. Merchants with physical locations should absolutely take advantage of them
to differentiate from online-only merchants, but they have to implement these flows in a smart way. Methods that add
friction or unnecessarily block good customers negate the good that these offerings can do and put merchants back in
the same spot.

Account Takeover (ATO) Attacks


This type of attack has seen a huge increase in recent years. It involves hacking into real customer accounts with
pre-loaded balances or saved credit cards to purchase goods or transfer balances to another account.

Fraudsters recognize the potential of using a compromised account because it’s less risky and they don’t need to use a
stolen credit card to make purchases. Having the account information makes them look more like a good shopper and
increases the likelihood of success. These fraudsters may also take advantage of loyalty accounts to redeem reward
points or miles without needing additional credit card information.

These types of attacks are both particularly hard to detect and very damaging. Detection requires smart systems and
an ability to verify the customer before he or she reaches the checkout phase. Finding the right balance between low
friction and high security can be difficult. But it’s extremely important, because a compromised account will seriously
hamper customer satisfaction. Shoppers whose accounts are hacked are likely to be very unhappy, blaming the
merchant and possibly voicing that dissatisfaction to friends or through social media. Tracking the selling of these
accounts in black markets can stop the fraud attempt before it launches and alert the client to his breached account
before it is used.


Email Brute Force Tools


Hackers have developed tools that allow someone
to automatically validate and access retail accounts.
Simply input a list of emails into the tool, and it will
check on a retail site if these emails are valid accounts
on that site, and if they have a valid balance (figure 3).
From there, all you need is their password, which can
be obtained through brute force or other compromised
credentials, and you’re into their account!

Figure 4: Account brute force tool

Automatic SMS Verification

This service allows you to bypass the two-factor
authentication process that companies often use to
verify their users. Hackers have gained access to the
two-factor authentication process of numerous retail
sites, and offer to bypass the authentication for you for
as little as $0.50 per authentication. Instead of doing it
the old-fashioned way by purchasing a SIM card and a
burner phone, hackers are now able to use this service
without the need for physical hardware.

Bots for Automatic Buying


This tactic is less frequent, but most damaging. Bots
are a logical evolution of online fraud. Instead of trying
out stolen credit or gift cards one by one on a site,
hackers let the bot do the work for them, placing
hundreds or thousands of orders in an hour. They
don’t need a high approval rate to be successful—the
volume takes care of that for them.

These bots, which can be developed on their own or
purchased online, allow cybercriminals to automatically
buy goods in large quantities on specific retail sites
using different cards. These items will later be sold in
online forums at a discounted price, continuing the
fraud cycle.

Figure 5: SMS verification service being advertised in a black market


Fortunately, Riskified’s solution can detect bots and halt their ability to place orders. In addition, IntSights can help find
and track the sources from which these attacks originate (Figure 6).

Figure 6: Example of retail buying bot
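
The volume pattern described above (many orders in a short time, a different card on each, a low approval rate) can be surfaced from order logs for review. The following is an added example, not code from this report or from either vendor; the event fields, the client fingerprint used as grouping key and the thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def flag_bot_clients(events, window=timedelta(hours=1),
                     min_orders=20, min_cards=10, max_approval=0.3):
    """Flag clients whose orders inside a sliding window are numerous,
    spread over many distinct cards, and mostly declined."""
    recent = defaultdict(deque)   # client -> orders still inside the window
    flagged = {}
    for ts, client, card, approved in sorted(events):
        q = recent[client]
        q.append((ts, card, approved))
        while ts - q[0][0] > window:          # drop orders older than the window
            q.popleft()
        cards = {c for _, c, _ in q}
        rate = sum(a for _, _, a in q) / len(q)
        if len(q) >= min_orders and len(cards) >= min_cards and rate <= max_approval:
            worst = flagged.get(client)
            if worst is None or len(q) > worst["orders"]:   # keep the busiest window
                flagged[client] = {"orders": len(q), "cards": len(cards),
                                   "approval_rate": round(rate, 2)}
    return flagged

def sample_events():
    """Constructed order log: (timestamp, client fingerprint, card token, approved)."""
    t0 = datetime(2018, 10, 1, 12, 0)
    events = []
    for i in range(40):   # bot: 40 orders in 20 minutes, new card each time, 1 in 10 approved
        events.append((t0 + timedelta(seconds=30 * i), "fp-bot", f"card-{i:03d}", i % 10 == 0))
    for i in range(25):   # wholesale buyer: 25 orders in 48 minutes, two cards, all approved
        events.append((t0 + timedelta(minutes=2 * i), "fp-b2b", f"corp-{i % 2}", True))
    for i in range(3):    # ordinary shopper: three orders on one card
        events.append((t0 + timedelta(minutes=15 * i), "fp-shopper", "card-home", True))
    return events

if __name__ == "__main__":
    for client, stats in flag_bot_clients(sample_events()).items():
        print(client, stats)
```

Requiring all three signals together keeps the high-volume wholesale buyer out of the result, so order count alone does not flag a good customer.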

Weaknesses in Retail Sites


Hackers love to share weaknesses, and retail shops are no exception. It’s common to see chatter about who’s got the
weakest authentication, which sites are vulnerable to the latest CVE, which sites do not validate credit card details,
or where you can bypass authentication altogether. These conversations occur at different experience levels, where
inexperienced hackers exchange data and simple tools, and advanced hackers share technical information that can be
exploited in more sophisticated and time-consuming ways.


Admin Credentials
Admin credentials are another popular dark web commodity. These credentials are sold with admin privileges to
company assets, which can be used in a variety of ways:

1. Hacking a Company Website: When you have access to edit and modify a retail website, there’s no limit
to what can be done. Hackers often use these credentials to implement and advertise their stolen products
on the company’s real website, which allows their goods to be sold in higher volumes, something that
black markets do not allow. The product may or may not be delivered, depending on the hacker’s intention.
Hackers can also install malware on the website to harvest credit card data from unsuspecting buyers.

2. Hacking Corporate Systems: We have seen hackers selling credentials to internal servers, especially ones
that have a connection to POS machines, allowing other hackers to install malware on them and skim credit
card data. Hackers also look for admin credentials as a general attack vector to get a foothold in a retailer’s
network to monitor activity and identify new fraud methods.


Predictions for 2019


It’s important to understand how trends and strategies will evolve so you can prepare your business
accordingly. As we head into 2019 and beyond, here is what we expect to take place and/or continue for
retail cyber fraud.

1. Merchants will leverage new omni-channel flows, and fraudsters will exploit them. New buying
options like mobile purchases in store, delivering goods to an idling vehicle, and last-mile
delivery by store employees will allow merchants to take advantage of their physical presences,
and fraudsters will do the same.

2. Phishing will continue to enable and fuel retail fraud. Whether it’s directed at customers or
employees, the human factor is nearly impossible to mitigate, and we’ll keep seeing these types
of attacks rise, enabling fraud to take place.

3. Account takeover attacks will be a huge vector for fraudsters, and we’ll start to see media
coverage of new repercussions of those attacks, such as reward points and miles being stolen
and spent.

4. Automation of fraud tools will intensify. When money is involved, volume is the name of the
game, and buying bots and malicious scripts are just the beginning. More tools for automatic
fraud techniques will appear from advanced hackers, and will be sold in black markets,
enabling novice hackers to carry out similar techniques that will keep fraud on the rise.


Recommendations
While you can never reduce fraud completely, you can certainly minimize it. In addition, responding to fraud
appropriately can save even more money each year on the soft costs of fraud. Here are our recommendations for how
retailers and eCommerce organizations should monitor for and respond to cyber fraud.

Proactive Dark Web Detection


For retailers, fraud is a familiar foe—but the cyber risks are rather new. Cyber fraud is an ever-changing landscape that
can be completely different from one month to the next. eCommerce is a critical part of retail strategy, but this presence
also attracts adversaries. That’s why retailers need to understand where they are exposed and how attackers might
target them. Here’s how you can protect yourself.

1. Monitor Social Media: Many scams start on social media. Search for your brand’s name or original
products, and you’ll be surprised to see who offers those products on your behalf. Make sure you have a
process in place to monitor social media sites for fake accounts, unauthorized product advertisements and
phishing scams.

2. Publicize Your Contact Channels: A large portion of social engineering and phishing attacks rely on the
victim’s unfamiliarity. Regularly updating customers on the appropriate channels to contact and engage
with your company, like web channels, social media and customer support lines, can reduce the risk of
fake accounts directing them elsewhere. Moreover, it will help you inventory your different communication
channels, as some big retailers are unaware of or have neglected their own channels, which can be hacked
and used against them.

3. Monitor the Dark Web for New Hacker Tools: Knowing which tools are sold and used to target you can
help you put the appropriate security measures in place to mitigate and stop the attacks before any fraud
is committed. For example, identifying a gift card generator for your company allows you to change your
algorithm or renew your codes to stop future fraudulent purchases. But these generators often only appear
on the dark web, so you can’t spot them if you’re not monitoring dark web forums and black markets.

4. Watch Your Retail Website Carefully: Monitor your website(s) constantly for any changes, especially
to pages that require any credit or personal details. Tightly control the credentials to edit your sites, and
carefully manage the list of personnel authorized to make changes to the site.

5. Control and Limit Access to Databases: Customer data is used by many different departments, and it’s
important that they have access to this data to perform their functions efficiently. But increased access
means increased risk. Make sure to secure and control access to company databases using multi-factor
authentication or other advanced solutions. Limit access to databases to relevant people only, and block
or tightly control access to online databases with sensitive material. Lastly, ensure that web-based internal
pages are configured and secured properly so they don’t expose confidential information. Too often data is
leaked simply due to user error in the configuration process.
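
For recommendation 4, one way to watch a payment page for changes is to compare the scripts and form targets it loads against an approved baseline. This is an added example, not code from this report or from either vendor; the page markup, paths and the example.invalid host are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser

class _Collector(HTMLParser):
    """Collect the parts of a page that can see or receive card data."""
    def __init__(self):
        super().__init__()
        self.items, self._inline = set(), None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.items.add(("script-src", a["src"]))
        elif tag == "script":
            self._inline = []                      # start buffering an inline script
        elif tag == "form":
            self.items.add(("form-action", a.get("action") or ""))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.items.add(("inline-script-sha256", hashlib.sha256(body).hexdigest()))
            self._inline = None

def fingerprint(html):
    parser = _Collector()
    parser.feed(html)
    parser.close()
    return parser.items

def diff_page(baseline_html, current_html):
    """Return script/form items added to or removed from the approved baseline."""
    base, cur = fingerprint(baseline_html), fingerprint(current_html)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}

# Constructed sample pages; the paths and the example.invalid host are placeholders.
BASELINE = """<html><body><script src="/static/checkout.js"></script>
<script>initCheckout();</script>
<form action="/pay" method="post"><input name="card"></form></body></html>"""
CURRENT = BASELINE.replace(
    "</form>", '</form><script src="https://static.example.invalid/extra.js"></script>')

if __name__ == "__main__":
    print(diff_page(BASELINE, CURRENT))
```

Any non-empty `added` or `removed` list on a page that collects card or personal details should be matched to an authorized change before it is accepted as the new baseline.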


Buying Process Detection


In addition to proactive monitoring and risk management, there are best practices to implement in the buying
process that minimize fraud. We all know that physical merchants put locks on their doors and employ security
staff, so you’d think eCommerce merchants should do the same in the virtual space. But, despite all the
scary news we’ve been telling you, it’s too often counter-productive. A smart solution blocks the vast majority
of fraud attempts but doesn’t do so at the expense of legitimate customers. Instead of focusing purely on
reducing your fraud rate, here are 5 things you can do to safely increase your revenue and approve more orders
quickly and safely.

1. Remove Static or Rules-based Filters and Blacklists: Too many merchants completely block
certain order segments or geographies, unnecessarily reducing revenue without providing much
security. Additionally, payment gateways often activate fraud filters that prevent merchants from
even seeing certain orders. Merchants should eliminate these practices on their end and confirm
with their payment gateway that these filters are not active.

2. Don’t Rely Solely on Matches When Evaluating Orders: There are many reasons that a good
order would have an AVS mismatch, billing/shipping address mismatch or other data mismatch due
to international orders. Using mismatches alone in making decisions will lead to lost revenue.

3. Be Careful of Adding Friction: Some industries and some situations may require a low-friction
means of verification, such as an SMS confirmation if you’re concerned about an account-takeover
attack. But adding too much friction is a problem. Customers abandon carts if the order process
gets too cumbersome, so view additional friction as one of your last lines of defense.

4. Look for a Fraud Solution that Scales with You: Many merchants rely on manual review, which
can mean seasonal hiring and slow expansion. Being able to sell whenever and wherever is key to
growth, so select a fraud solution that can grow with you based on seasonality, fads and consumer
buying cycles.

5. Adjust Your Fraud Approach to Fit how Your Customers Shop: If you sell to a younger audience,
then you probably have a lot of mobile orders. Make sure you’re developing your fraud-detection
process with that in mind. If you’re in a very competitive industry, then recognize that you should
work with customer experience in mind. Learn your customers and make your fraud prevention fit
them rather than vice versa.


Contributions

We would like to acknowledge the following contributors to this report.


writing and helpful tips and pointers.

Ariel Ainhoren
Cyber Threat Intelligence Researcher, IntSights
(Lead Researcher: Retail Threat Landscape Report)

Orin Mor
Cyber Threat Intelligence Research, IntSights

Itay Kozuch
Director, Threat Research, IntSights

Nathan Teplow
Sr. Product Marketing Manager, IntSights

Stephen Fidgeon
Director of Communications, Riskified

Emilie Grunzweig
Senior Fraud Analyst, Riskified

About Riskified
Riskified improves global eCommerce for merchants and consumers. The world’s largest brands - from airlines to luxury fashion
houses to gift card marketplaces - trust us to increase revenue, manage risk and improve their customer interactions. Inefficient
eCommerce fraud prevention and unnecessarily declined orders cost businesses billions in chargebacks, overhead and missed
sales. Riskified uses powerful machine-learning algorithms to recognize good orders and weed out bad with a 100% guarantee
against fraudulent chargebacks. Sell with confidence. Trust Riskified.

About IntSights
IntSights is redefining cyber security with the industry’s first and only enterprise threat management platform that
transforms tailored threat intelligence into automated security operations. Our ground-breaking data-mining algorithms
and unique machine learning capabilities continuously monitor an enterprise’s external digital profile across the
surface, deep and dark web, categorize and analyze tens of thousands of threats, and automate the risk remediation
lifecycle, streamlining workflows, maximizing resources and securing business operations. This has made IntSights
one of the fastest growing cyber security companies in the world. IntSights has offices in Tel Aviv, Amsterdam, New York
and Dallas and is backed by Glilot Capital Partners, Blumberg Capital, Blackstone, Tola Capital and Wipro Ventures.

To learn more, visit www.intsights.com.
