TOOLS
Worms
Worms are back in 2017. A wormable exploit released into the network of a retailer could be massively problematic during non-peak season, but the impact during peak season could be catastrophic. However, the most popular worm exploit at present, ETERNALBLUE, has almost certainly been patched out of the networks of most sophisticated retailers. This protective measure means that a major worm-enabled attack during peak retail season will most likely require a zero-day exploit (i.e., an exploit for a vulnerability in production systems that is unknown to the vendor).
"Devil's Ivy" Vulnerability
Devil’s Ivy is a buffer overflow in gSOAP (a SOAP/XML web-services toolkit) that is present in a wide variety of IP-enabled cameras, and it could represent a risk to retailers, depending on the setup of their networks.
POS Malware
Europay, Mastercard and VISA (EMV) to the rescue! EMV and point-to-point encryption are slowly ushering in a period when POS malware in its current form will no longer be sufficient to compromise and monetize payment card data, but the threat remains for now.
Through Cyber4Sight’s® own research and investigations into the breaches at Arby's, Chipotle, Whole Foods, and Sonic, we have identified compromised payment card data for sale on Joker’s Stash - one of the most popular and frequently restocked underground marketplaces. In many cases, the timespan between POS compromise and data exfiltration may be weeks or months in length, suggesting that retailers anticipating potential attacks during peak retail season should expect the initial stages of POS malware infections to occur in advance of the busy retail period.
Brute-Force Tools
Brute-force password crackers are arguably the most common type of tool used to compromise accounts; Cyber4Sight® has identified several for sale on the cybercriminal underground throughout 2017. Many of these tools continued to be sold after the law enforcement takedowns mentioned above in July.
Account Checkers
Cybercriminals engaged in the mass compromise of accounts, such as those who sell accounts on the Slilpp marketplace, likely employ customized multi-site account checkers that are constantly updated to circumvent new defenses put in place by target organizations. Account checkers run leaked credentials against online customer accounts.
Web Injects
The elite Russian-language cybercrime forum Exploit has had, throughout much of 2017, a steadily increasing inventory of web injects that can be used for harvesting customer data, including account credentials, for various financial organizations and retail customer accounts. In addition to the web injects sold on Exploit, there is a closed web-inject store, "Inject Store" (injectstore[.]com) that sells injects for a variety of banking websites, some of which have been leveraged in Gozi banking trojan campaigns throughout 2017.
Mobile Malware
Multiple Android malware families are known to target mobile-commerce and e-commerce login credentials. For instance, in June 2017, Marcher targeted login credentials for the mobile applications of retailers including Amazon, Best Buy, and Walmart. The threat of mobile credential-theft malware is largely confined to the customers of big-name, nationwide retailers.
Receipt Generators
Receipt generators are online tools on which a user inputs associated information—type of item, price of item, tax, billing address, order number, etc.—and the tool outputs a receipt with the associated branding and formatting for the desired retailer. In addition to receipt generators, many individuals on large criminal marketplaces offer receipt-editing services. In these cases, the services are typically advertised for less than USD 20, and the service providers require the customer to provide basic order information to create the receipt.