How retailers can proactively guard against phishing and fraud

With criminals cleverly exploiting secret back channels and social media networks to steal and sell personal data and exploit online stores, retailers face a greater risk than ever from fraud. But a new technology and analytics-driven field called threat intelligence and digital risk protection is seriously challenging global fraudsters and cutting off threats before they become real. Technology company Cyberint is a leader in the field. 

While platforms like antivirus and security software work to guard against malware and dangerous files, Cyberint actively looks for threats against organisations from the outside, under a solution it brands Argos Edge™. Using highly trained analysts and industry experts, Cyberint monitors thousands of channels on the dark web, along with secure Telegram group channels and more public forums like social media and Reddit. That way, it can access real-time information about potential threats and hacks, collecting information that allows it to warn clients and thus head off attacks.

“We scan places where web developers publish code, such as forums and online marketplaces on the darknet where people converse about all types of threats that they are designing or where they are selling stolen information,” explains Avital Leshem, Threat Intelligence Team Lead at Cyberint. “On a daily basis in those forums, we come across discussions over how to get away with ripping off retailers.” 

Leshem says the most popular form of fraud against retailers that Cyberint detects involves the impersonation of customers using details stolen via phishing websites or malware infecting victims’ computers. Phishing is where consumers are directed to a fraudulent version of a genuine website, created to steal personally identifiable information such as ID, phone numbers, passwords, and addresses.

“In some cases, the phishing is really only the first part because then the data is being sold by the phishers and then used to access sites. We probably identify hundreds of phishing websites impersonating our customer companies on a daily basis – and that’s just across our clients. More widespread campaigns against some of the bigger names in retail, like Amazon, can run to 1000s every week.” 

She says criminals create phishing kits, sets of automation tools that allow them to generate fake websites on a mass scale. “You don’t even have to be too technically savvy nowadays to launch phishing campaigns that are quite large. You basically just have to make sure that you distribute the malware on places like social media, and you are pretty much guaranteed to have at least several dozen victims.”

Once information is stolen, retailers are affected in three key ways.

Financial: Once the purchase is completed, the transaction authorised and the product sent, the vendor loses the stock. They may also have to reimburse the victim whose account was taken over for this fraudulent activity, and will likely have to deal with chargeback claims to the credit card company.

Brand damage: Even though it is not the retailer’s fault if a customer has their account taken over because their credentials were stolen, customers expect the retailer to have prevented the fraudulent activity. On the other hand, if a retailer blocks an account as a precaution after noticing suspicious behaviour and turns out to be wrong, the customer inconvenience can impact brand perception as well.

Legal implications: Thirdly, if the customer’s account has been taken over, it could have legal implications for the retailer in an era of GDPR and other international regulations guarding consumer privacy. This can result in fines to the organisation or additional processes that the company would have to adopt to better protect that data.

Quite apart from financial threats, companies are also vulnerable to reputational damage from inaccurate or damaging social-media chatter or smear campaigns. 

“We see a lot of those as well. Our platform collects masses of information from all over the internet, including social media. While we don’t consider this severe in terms of cybersecurity, of course, it has an impact,” says Leshem. 

Another type of fraud is the abuse of discount codes. Most retailers have coupons that provide a legitimate way to incentivise shoppers: for limited-time events, new customers, rewards, or staff privileges, for example. Opportunist fraudsters try to identify mechanisms by which those coupons can be generated en masse, and then sell those coupons online.

One Cyberint customer uses a discount code giving company employees 40 per cent off their purchases. When a past employee anonymously published the code on a Reddit channel – and because the company didn’t have the extra validation mechanisms one might have expected – within just four days thousands of people who saw the post bought goods online at huge discounts. Some of those purchases were cancelled, but a big proportion were not.

“Many people got an undeserved discount due to a vulnerability on the website and a technical flaw that allowed the code to be used by so many different people.” 

Leshem says the volume of threats to retailers has increased during the Covid-19 pandemic. Cyberint’s customers have seen incidents of phishing rise by tens of per cent during the past 18 months as fraudsters take advantage of booming online shopping.

“There are so many new potential consumer victims, who may have less awareness of what we call security hygiene and cyber-security awareness because they haven’t been online shopping before, so they are even more susceptible to having their data stolen than average shoppers.” 

So what advice does Leshem have for retailers in this new era of vulnerability? “You have to assume a breach is imminent, and you have to be well prepared for it. I cannot stress this enough – the main threat to organisations is the human factor, both from your company’s employees and from outside. 

“The customers are their own biggest threat – they are the ones who will fall prey to phishing scams. The employees are the ones who will – in most cases, accidentally – share sensitive information on different websites. The example with Reddit was clearly malicious intent, but in most cases where employees are responsible for company data disclosure, it’s being done unknowingly or by mistake. 

“So, any company’s main concern should be educating its employees – and even customers – to be mindful of the websites they are dealing with, and about sharing any information on platforms that are not the company’s own, whose security level cannot be guaranteed. 

This is crucial, says Leshem: “Teach employees and customers to be more aware and more responsible toward cybersecurity threats.” 

To learn more about Cyberint and how the company can help protect your business from phishing and other fraudulent activity, visit Cyberint’s website.