This holiday season, more consumers than ever will be shopping digitally - and cybercriminals are already capitalizing on the opportunity. Greg Foss, Senior Cybersecurity Strategist at VMware Carbon Black, looked through the dark web to find that:

  • There’s a continued rise in e-skimming attacks in the retail sector, where attackers inject JavaScript into website payment processing pages in order to siphon credit cards and account credentials from customers. 
    • Magecart is one of the most prominent groups behind this activity, consistently extending their capabilities and improving their tactics to infiltrate e-commerce applications, evade detections, and siphon off sensitive card data.
  • Swiped credit cards are going for an average rate of $10-20/card on the dark web
  • PayPal accounts are selling for $2-10/account, with those accounts loaded with more money costing more

The Cybersecurity and Infrastructure Security Agency (CISA), for instance, recently issued a warning urging shoppers to remain vigilant and to be especially cautious of fraudulent sites spoofing reputable businesses, unsolicited emails purporting to be from charities, and unencrypted financial transactions. Foss explains that there's no shortage of cyber threats facing retailers and shoppers this holiday season, as the volume and sophistication of cyberattacks surge with more consumers opting to shop online.

"As a result, retail organizations have continued to see a rise in attack methods like e-skimming where attackers inject JavaScript into payment processing pages on retail sites in order to steal credit card information from unsuspecting customers. Most prominent among groups that deploy skimming malware is Magecart, a group of malicious actors who got their name from initially compromising the popular e-commerce Magento CMS at scale. This group has consistently extended its capabilities and improved its tactics to infiltrate e-commerce applications and avoid detection, most recently through impersonating legitimate payment applications by way of homoglyph attacks, ultimately fooling victims into visiting malicious websites," Foss says.

He explains that beyond common attacks like injecting e-skimmers into websites, many attackers still target point of sale (POS) systems directly. In the past few months, VMware Carbon Black researchers have seen POS malware variants in use across a wide variety of retailers. These attacks rely on actual physical swipes of cards, which then allow the malware to exfiltrate credit card data along with verification data such as PINs or zip codes.

Foss adds that the use of ransomware is also popular among retail-focused cybercriminals. "Ransomware attacks function by holding an organization's data, systems, and individual devices hostage, demanding that the brand pay out the required ransom," he says.

More recently, Foss notes, researchers have seen these methods employed in the final stages of an attack as a means of covering the criminal's tracks and maximizing profitability, cashing in on a successful intrusion by attempting to secure the ransom payment after data has already been exfiltrated and put up for sale on the dark web.

Foss warns, "With these threats significantly increasing during the holiday season, we must all remain vigilant and employ best practices to remain secure when shopping online. Users should ensure that all of their applications are up to date and running the latest versions and patches released by software vendors and application developers. Retail brands should implement advanced security measures like code-integrity checking for these types of applications to detect changes in the website's static content and implement a web application firewall (WAF) as an additional layer of defense. When it comes to Point of Sale systems, retailers should baseline their environments so that deviations in activity such as a new server being communicated with will raise an alert for their security operations center (SOC). At a bare minimum, organizations should implement endpoint protection as a base layer of security to prevent commodity malware."
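The "code-integrity checking for static content" that Foss recommends against e-skimming comes down to a baseline-and-compare loop: record every script a checkout page is supposed to load, then flag any script that appears later and was not in that record. The following is an added illustration written for this article, not VMware Carbon Black's tooling or any retailer's code. It parses a page's `<script>` elements with Python's standard-library HTML parser, identifies external scripts by their `src` URL and inline scripts by the SHA-256 of their body, and reports entries that are unexpected or missing relative to the approved baseline. The checkout HTML snapshots are constructed sample data, and the `cdn.example.invalid` host in the tampered copy is a placeholder; a production check would also fetch and hash the contents of each external file rather than trusting the URL alone.

```python
"""Baseline-and-compare integrity check for a checkout page's scripts.

Added example for this article (not the vendor's product code). It shows
how an operator can detect an injected <script> on a payment page by
comparing the page's current scripts against a known-good manifest.
"""
import hashlib
from html.parser import HTMLParser

# Constructed snapshot of a checkout page as approved for release.
KNOWN_GOOD_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</head><body><form id="payment"></form></body></html>
"""

# Constructed snapshot of the same page with one extra script added to the
# head, which is the shape of the e-skimming injection the article describes.
# The host name is a placeholder, not a real indicator.
TAMPERED_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
<script src="https://cdn.example.invalid/analytics.js"></script>
</head><body><form id="payment"></form></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect every <script> element as (src_or_None, inline_body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []
        self._src = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []
            self._src = dict(attrs).get("src")

    def handle_data(self, data):
        # html.parser switches to CDATA mode inside <script>, so the raw
        # script body arrives here without being interpreted as markup.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._in_script = False


def fingerprint_scripts(html):
    """Return a set of (kind, identity) entries for the page's scripts.

    External scripts are identified by their src attribute; inline scripts
    by the SHA-256 of their body, so any edit to inline code changes the
    identity and shows up as both a missing and an unexpected entry.
    """
    parser = ScriptCollector()
    parser.feed(html)
    entries = set()
    for src, body in parser.scripts:
        if src:
            entries.add(("external", src))
        else:
            digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
            entries.add(("inline", digest))
    return entries


def build_baseline(approved_html):
    """Snapshot the script set of a release-approved page."""
    return fingerprint_scripts(approved_html)


def check_page(current_html, baseline):
    """Compare a freshly fetched page against the baseline.

    Returns sorted lists so the result is stable enough to log or alert on.
    """
    current = fingerprint_scripts(current_html)
    return {
        "unexpected": sorted(current - baseline),
        "missing": sorted(baseline - current),
    }


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD_HTML)
    for label, page in (("approved", KNOWN_GOOD_HTML), ("tampered", TAMPERED_HTML)):
        result = check_page(page, baseline)
        status = "OK" if not result["unexpected"] and not result["missing"] else "ALERT"
        print(f"{label}: {status} {result}")
```

In practice the baseline is regenerated as part of each release and the check runs on a schedule against the live page, from outside the CDN where possible, so that a modification made at the edge is caught as well as one made on the origin. The "missing" list matters too: a script that disappears from a payment page can mean a legitimate library was replaced wholesale rather than supplemented.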