News of breaches at major retailers have littered the headlines for the last couple of years. Giants such as Target, TJX, eBay and Home Depot have all fallen foul to cyber criminals, making other retailers all too aware of the financial and reputational repercussions, in the aftermath. Stealing has always been a problem for retailers. However, before the days of the Internet, thieves, be they hijackers, burglars or shoplifters, were after physical goods. Today, retailers have more valuable assets: their customers and their customers’ credit card information to protect.
For hackers, credit card details are even more lucrative than money, because the data can be transmitted anonymously and electronically. Bear in mind that cyber-crime organisations are run in a similar way to legitimate businesses. Within the group, there will be people who write the malware, parties who run the show, and associates who act as money mules, who can act very quickly to steal cash from any compromised accounts even before the retailer has discovered the breach.
When you bear in mind that there could be millions and millions of accounts compromised, the amounts start to add up.
So, with cyber crooks always hot on their heels, retailers have been increasing spend on IT security in the last few years. There are a wide array of tools and solutions that they can adopt to help mitigate the threats, including firewalls, DLP, intrusion prevention and of course having a good response plan in place, should a breach occur. However, although planning is an essential part of any security posture, security has been, and remains a ‘catch-up’ game, with cyber criminals becoming increasingly complex, clever and sophisticated. The retail industry is desperately trying to keep up.
Over and above this, data privacy regulations, both new and evolving, are putting retailers under pressure to have solid security systems in place, as well as strong procedures in place to limit any potential fallout. Cyber regulations are only going to get tougher unfortunately and even the most sophisticated and expensive tools are not a silver bullet. Retailers also need to seriously consider having specific, cyber insurance in place that is over and above their regular cover.
Retailers have to deal with a specific set of challenges in terms of cyber threats. They generally don’t need to deal with massive distributed denial-of-service (DDoS) attacks, because cyber crooks need to keep transactions happening in order to cash in. Shutting them down means there is no data to steal, and no cash to be skimmed. However, instead, retailers have to deal with highly complex malware that steals login credentials, as well as malware that stealthily infiltrates their networks, and lingers around to pinpoint and record very specific transactions.
A couple of years ago, a point-of-sale (PoS) malware called AbaddonPOS was implicated in several large-scale breaches that affected retailers all over the USA. AbaddonPOS is delivered via an email campaign specifically tailored to retailers and which is highly specific, and targeted. The message entices the recipient into enabling content by clicking on an image, which then delivers a malicious macro called TinyLoader. Following this, command-and-control servers are contacted while TinyLoader takes a new version of the malware that is able to test white-list and black-list implementations and alter the way it skims credit card information to avoid detection.
What this highlights is that although the retail space was once considered too onerous a target to be practical for hackers, targeted malware and the slew of breaches over the last few years have altered the circumstances. Attacks on retailers are not only feasible now, they are extremely lucrative for cyber crooks, and PoS malware is evolving and increasing in frequency and complexity. The only way for retailers to help themselves is to have good security measures in place to deter criminals, and loss of funds insurance in place to help them deal with any fallout should a breach occur.