5 cyber threats retailers are facing — and how they’re fighting back

There are many reasons retailers are juicy targets for hackers. They earn and handle tremendous amounts of money, store millions of customer credit card numbers, and have frontline staff who may lack cybersecurity training. To save money, some retailers use older equipment that isn’t adequately updated, secured, or monitored to deal with cyberattacks. According to a 2022 data breach report from Verizon, the retail industry reported 629 incidents in 2022, 241 of which had “confirmed data disclosure.”

The consequences of attacks are wide-ranging, from loss of consumer confidence to loss of data to financial loss. Here are five cyber threats retailers are facing today and what the cannier companies are doing to defend against them.

Ransomware tops the list                        

According to the data security firm BlackFog, Ikea, McDonald’s, and Canadian grocery chain Sobey’s were among retail’s many ransomware victims in 2022. This comes as no surprise to Christian Beckner, vice president for retail technology and cybersecurity with the US National Retail Federation. “Ransomware affects everybody right now and is clearly a major ongoing risk to retailers,” he tells CSO.

Two out of three companies in the sector reported being attacked by ransomware in 2022, according to cybersecurity firm Sophos. Attackers were able to successfully encrypt files in more than half of the attacks. Of 422 retail IT professionals surveyed, 77% said their organizations were hit by ransomware attacks in 2021, a 75% rise from 2020.

The financial losses and disruptions caused by these attacks can be substantial. “Ransomware attacks pose serious cybersecurity risks for retailers,” says Fabio Assolini, head of Kaspersky’s Global Research and Analysis Team. In some cases, companies have to shut down operations or even points of sale (PoS) after being attacked to let the IT team investigate the incidents. “Moreover, ransomware attacks pose significant reputational risks, as far as the outcome might involve data leakages. Companies from the retail sector process credit card data, which is at risk of being exposed as a result of a ransomware attack.”

E-commerce threats from bots to impersonators

Retailers are vulnerable to a range of direct e-commerce cyber threats far beyond ransomware. They include hackers altering gift cards and/or the systems used to activate and manage them, swapping barcodes on products to deceive self-checkout systems, defrauding return services via online return forms to obtain refunds for ordered items, hijacking customer accounts to steal their personal information, and stealing credit card numbers through digital skimming.

Bot attacks on e-commerce sites are another threat that can’t be ignored. These automated scripts can use a browser to emulate human behavior, including mouse movements and clicks, making them difficult to detect. Advanced bots can hide their real location by routing traffic through anonymous proxies, anonymization networks, or through public cloud services. Bots can facilitate account takeover, through which hackers make fraudulent purchases using data from customer accounts such as gift cards, discount vouchers, and loyalty points, and even saved credit card information.

The bots can implement malware that steals credentials or takes over browsers and performs actions in a customer’s name or uses brute-force methods to guess passwords. Account takeover is responsible for almost one in four login attempts on e-commerce websites, whereas for other industries the average is one in 10. More than 90% of such attacks attempt to guess users’ passwords using credentials leaked from other data breaches, a technique known as credential stuffing.

That’s not all. Brand impersonation is a tactic used by threat actors to create fraudulent versions of legitimate brand websites, email addresses, or social media accounts to deceive consumers and steal sensitive information, such as login credentials, financial information, or personal data.  “Some common examples of brand impersonation include fake online stores that look like legitimate e-commerce websites, phishing scams that use the logo and branding of a well-known financial institution, and fake customer service phone numbers that appear to be associated with a reputable brand,” says Bryon Hundley, vice president of intelligence operations with the Retail and Hospitality Information Sharing and Analysis Center.

PoS malware gets smarter

PoS malware such as Prilex captures credit card data at the checkout counter on wired and wireless PoS terminals. “Active since 2014, it hails from Brazil and has a global reach these days,” Assolini says.

Unfortunately, Prilex keeps getting smarter and easier for hackers to deploy. “In 2022, it was reported to be sold as malware-as-a-service, and at the very beginning of 2023, Kaspersky uncovered three new variants of Prilex malware that can now block contactless near-field communication (NFC) transactions on infected devices,” says Assolini. “The transaction data generated during contactless payment is useless from a cybercriminal’s perspective, but it forces customers to pay with a physical card, which, in turn, enables cybercriminals to steal money.”

Cyber threats lurk inside retail organizations

Customer-facing retail jobs are some of the highest-stress, lowest-paid positions in the business world. Even the best of these employees can be ignorant of cybersecurity, and work for companies who put little effort into providing such training for them.

The result? “Insider threats are particularly high for retail,” says Chris Oakley, Nettitude’s vice president of technical services. “Typically, there is a high rotation of staff, including part-time workers and they’re not always thoroughly background checked. Additionally, compensation is often low, which increases the risk of retail organizations being targeted by financially motivated insiders. More mundane but no less disruptive are disgruntled insiders willing to cause damage to system availability using inside knowledge.”

Attacks on third-party sources in the supply chain

Retailers sell a wide range of goods they’ve purchased from third-party suppliers and their software supply chains tend to be just as complex and deep. Any cyber-attacks that happen to these suppliers can affect the retailers who rely on them as well. Unfortunately, “retail has one of the most complex supply chains, ranging from product to business services,” Oakley says. “The supply chain is an operational dependency which represents many points of ingress for an attacker.”

The most notable third-party breach in 2022 that also hurt retailers was the SolarWinds hack that affected thousands of users, says Beckner. “But there were many other third-party breaches where major retailers were customers of these software services and affected by them.”

Fighting Back

With so many cyber threats to deal with, smart retailers are focused on dealing with the worst and most dangerous first. “It’s all about risk mitigation, not risk elimination,” Beckner says. “In the case of ransomware, you back up all your critical data systems and customer information, so that you can move forward without having broader disruptions to your business operations.”

This being said, retailers such as Target — which suffered a major payment system data breach in 2013 — are moving beyond reactive defense in a bid to be tougher for hackers to crack. “Within the retail sector, as cybercriminals search for new revenue streams and the lines between the physical and digital shopping experience blur, it is important for companies to think differently about our defenses for areas such as fraud and organized retail crime,” says Target CISO Rich Agostino. “This is one of the reasons why we took the industry-leading step of combining our online fraud and cybersecurity teams under one organization. This allows us to take advantage of our advanced cyber capabilities like threat intelligence and custom engineering and apply them to fraud, further protecting our business and our guests.”

As someone at the heart of the retail industry’s cyber defense efforts, Hundley sees retailers fighting back against hackers in five key ways. “They are implementing strong security measures to protect their systems and customer data, and investing in cybersecurity awareness training for their employees,” he says. “They are also conducting regular security assessments to identify vulnerabilities and make improvements to their cybersecurity posture, using advanced threat intelligence to proactively detect and respond to cyber threats, and sharing cyber threat intelligence with the Retail & Hospitality ISAC to gain greater insight into threat trends.”

As well, “we’re seeing retailers, especially large ones, place emphasis on a robust information security program which includes a strong foundation underpinned by a standard such as ISO 27001,” says Oakley. “Organizations are increasing their requirements to include continuous assurance coupled with robust detection and response capability, often via an outsourced model.”

One thing is certain: The battle between hackers to steal information and retailers determined to protect is a never-ending conflict. “Protecting against cyber threats is always an ongoing war of attrition; it’s never a one-time fix,” says Mike Kiser, SailPoint’s Director of Strategy and Standards. “This is why retail organizations are constantly learning new techniques to help mitigate known threats.”