November 21, 2016 • Tanya Widen
This analysis was produced jointly with Fujitsu UK, our MSSP partner.
Black Friday sales and deals now extend to Cyber Monday; as a result, attacks can be seen for the whole weekend or even the whole holiday season. Akamai reports the Black Friday to Cyber Monday weekend is becoming as popular and important for retailers and e-commerce sites in Europe as it is in the U.S.
Looking at Recorded Future’s history of reported incidents around the 2015 holiday period, it is clear that attention is heightened around Black Friday campaigns (see the timeline below). The common attack methods seen are described below.
Studies have shown that the prevalence of phishing links goes up by as much as 336% around Thanksgiving. Email, text messages, and social media messages may all carry scams designed to dupe customers.
Themes include payment-related fraudulent emails purporting to be from PayPal, delivery confirmation emails claiming a package is being delivered, coupons promoting products or retailers, and fake refunds. Phishing kits even have holiday packages to help fraudsters lure customers.
Malvertising attacks use online ads to distribute malware through reputable websites. Invincea reports that visitors to Yahoo!, eBay UK, and the Huffington Post were all hit with malvertising ahead of the 2015 holiday season.
Reports of pre-installed malware on tablets purchased from various retailers, including Amazon, appeared ahead of the Black Friday sales. This is not the first case of its kind: Android handsets from several vendors, Lenovo devices, and other smartphones have shipped with malware pre-installed in the past.
Reports on point-of-sale malware, for stealing credit card details directly from retailers, were released ahead of the 2015 holidays. ModPOS and Pro PoS were two variants of the malware reported by security firms to be actively used and targeting retailers.
Symantec states that the most common attack route against POS systems runs through the corporate network. Once an attacker gains access to the corporate network, for example through a vulnerable public-facing server or a spear-phishing email, they can traverse it until they reach an entry point into the POS network. That entry point is often the same one a corporate administrator uses to maintain the POS systems, so segmenting the POS network and tightly restricting that administrative path limits how far an intruder on the corporate side can get.
POS malware is constantly evolving with each year bringing new names, types, and variants. An analysis of POS malware in 2014 by Recorded Future shows that the names have changed but the objective remains the same.
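Whatever the family is called, a POS RAM scraper does the same job: it reads the memory of the payment application looking for magnetic-stripe track data that sits there in cleartext between the swipe and the encrypted upload. The following is an added example, not code from the original article or from any of the malware families named above. It implements that search the way both scrapers and defenders do it: a regular expression for the ISO 7813 track 1 and track 2 layouts, followed by a Luhn check to discard numeric strings that merely look like card numbers. The memory buffer is constructed for the example and the PANs are public processor test numbers, not real cards.

```python
import re

# Constructed sample: a slice of a POS process's memory as a RAM scraper (or a
# defender examining a memory image) would see it. The PANs are public test
# numbers used by payment processors, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00POS-App v2.1\x00\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000000?"  # track 1
    b"\x00\x00receipt buffer\x00"
    b";5500000000000004=2512101?"                         # track 2
    b"\x00log: sale 12.99 approved\x00"
    b";1234567890123456=2512101?"                         # track-2 shaped, fails Luhn
    b"\x00\x00"
)

# ISO 7813 track layouts, which is what scrapers pattern-match for in memory:
#   track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})\d*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check-digit test; scrapers apply it to drop false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):  # iterating bytes yields ints
        d = ch - 48
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep first 6 and last 4 digits; a finding report should carry no more."""
    return (pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]).decode()


def scan_memory(buf: bytes) -> list:
    """Return Luhn-valid track 1/2 records found in buf, ordered by offset."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                         "name": m.group(2).decode(), "expiry": m.group(3).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": m.group(2).decode()})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

Run against a memory image of a POS terminal, the same scanner is a cheap check that track data is not lingering unencrypted in process memory; if it finds any, a scraper on that host would find it too. Point-to-point encryption at the card reader is the control that removes the cleartext from the application's memory altogether, and the third record above shows why the Luhn step matters: without it, every sixteen-digit timestamp or order number becomes a false positive.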
Service Disruption Attacks
According to Akamai, DDoS attacks are a consistent threat for retailers during the holidays, with average attack size growing by 2x. DDoS attacks can take down a retailer’s online site during the busiest shopping days of the year and often come with an extortion threat.
Additionally, according to independent security journalist Brian Krebs, fraudsters have developed new ransomware, dubbed “Linux.Encoder.1”, that targets web servers and holds a site’s files, pages, and images for ransom.
Account takeover is big business for criminal actors, and they’re targeting more than bank information. Accounts such as mobile phone contracts, PayPal, and Uber can sell for much more than stolen credit card details on the underground market.
The ThreatMetrix Q4 2015 report states there was a large increase in account creation and account takeover fraud, driven by the increased availability of stolen identities harvested from massive breaches. Overall attacks increased by more than 100% compared to the previous year; the report also notes an 80% increase in attacks over Q4 2014 and a 250% increase in attacks on retailers during the peak shopping days.
We expect more of the same types of attacks as threat actors advance their TTPs.
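Account takeover driven by breached identity data has a recognisable shape in authentication logs: one source walks through many different usernames with a high failure rate, and the rare success is the account that was reused across sites. The following is an added example, not code from the original article or the ThreatMetrix report, showing a minimal detector for that pattern. The log format and the entries are constructed for the example (addresses are from the RFC 5737 documentation ranges); the thresholds are illustrative starting points, not published figures.

```python
import re
from collections import defaultdict

# Hypothetical log format for the example; adapt LOG_RE to your own auth logs.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample. 203.0.113.7 replays a breached credential list against
# many accounts and gets one hit; 198.51.100.2 is a real customer who mistypes
# a password twice before logging in.
SAMPLE_LOG = """\
2015-11-27T03:14:01Z ip=203.0.113.7 user=alice result=FAIL
2015-11-27T03:14:02Z ip=203.0.113.7 user=bob result=FAIL
2015-11-27T03:14:02Z ip=203.0.113.7 user=carol result=FAIL
2015-11-27T03:14:03Z ip=203.0.113.7 user=dave result=FAIL
2015-11-27T03:14:04Z ip=203.0.113.7 user=erin result=FAIL
2015-11-27T03:14:05Z ip=203.0.113.7 user=frank result=FAIL
2015-11-27T03:14:06Z ip=203.0.113.7 user=grace result=FAIL
2015-11-27T03:14:07Z ip=203.0.113.7 user=henry result=OK
2015-11-27T03:20:00Z ip=198.51.100.2 user=alice result=FAIL
2015-11-27T03:20:05Z ip=198.51.100.2 user=alice result=FAIL
2015-11-27T03:20:10Z ip=198.51.100.2 user=alice result=OK
"""


def parse_log(text: str):
    """Yield parsed records, silently skipping lines that do not match."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def detect_stuffing(text: str, min_users: int = 5, min_fail_rate: float = 0.7) -> dict:
    """Flag source IPs that cycle through many usernames with mostly failures.

    A user who forgot a password retries one account; a stuffing tool walks a
    breached list, so the number of distinct users per source is the signal.
    Returns {ip: stats} for flagged sources, including the accounts that were
    successfully logged into from them (the takeover candidates).
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "ok_users": []})
    for rec in parse_log(text):
        s = per_ip[rec["ip"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["result"] == "FAIL":
            s["fails"] += 1
        elif rec["user"] not in s["ok_users"]:
            s["ok_users"].append(rec["user"])

    flagged = {}
    for ip, s in per_ip.items():
        fail_rate = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_rate >= min_fail_rate:
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                           "fail_rate": fail_rate, "compromised": s["ok_users"]}
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

Per-source aggregation is the simplest cut and is what the thresholds above assume. Stuffing spread across proxy pools shows up instead as many sources each making a handful of attempts, so the same counts are worth keeping per user agent, per ASN, and per time bucket as well. A success from a flagged source should invalidate that session and force step-up authentication or a password reset, not just raise an alert, since by the time the alert is read the account is already in use.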
Threat intelligence plays a very helpful role in gaining insight into these threats at multiple levels. It provides insight into broader threat trends (as visualized in the timeline above), and it can provide operators with tactical content (see below), directly applicable for detecting and blocking threats before they impact the retailer or consumer.
Recorded Future Intel Cards analyze and summarize intelligence related to an indicator or malware. This intelligence, automatically generated and updated in real time, is immediately actionable for security operations.