Wed, Jul 15, 2020

COVID-19 and the Surge in Retail Cyber Threats

Kroll’s incident response team has seen a considerable rise in the number and variety of successful cyberattacks against retailers. The shutdown of brick-and-mortar stores due to the COVID-19 pandemic led to an increase of over 140%* in e-commerce orders, pressuring security teams responsible for retail operations worldwide to be extra vigilant. This cyber security challenge is compounded by the vast increase in the attack surface now exploited by cybercriminals, thanks to retailers operating with primarily remote workforces that still need access to sensitive payment processing systems. How can security teams better prepare against this surge of attacks? 

Andrew Valentine, Managing Director and lead PCI Forensic Investigator (PFI) at Kroll, along with Christopher Ballod, Partner and Vice Chair of Lewis Brisbois’ Data Privacy & Cybersecurity Practice, led a webinar anchored in real-world cases investigated by Andrew’s team over the past few weeks. He covered new gift card scams that have caused hundreds of thousands of dollars in losses, new ways hackers are injecting credit card skimmers on checkout forms, and more. 

Watch the Webinar Replay

COVID-19 and the Surge in Retail Cyber Threats

This webinar covers:

  • Breakdown of the most successful cyberattacks against retailers
  • Gift card scam case study, and how to detect such attacks earlier
  • The latest methods criminals are using to inject credit card skimmers into checkout forms
  • Ways to enhance the security of remote workforces, even when they’re relying on personal devices

Download Webinar Slides

Notable Passages From the Presentation

Payment Card Industry Data Security Standards Compliance Chain 

Somebody applies for a payment card of some kind and then uses it to make a purchase of some kind. The merchant then is the one interfacing with the customer. This is important to know, under state laws under federal law, and the international law as well such as GDPR, PIPEDA, the data controller is the one who interfaces with the data subject. And the data controller is the one who has obligations to the data subject, the customer would be the data subject. So, the merchant is always right there on the front lines if something does happen. It will be ultimately the merchant's responsibility to provide notification to the customer. – Christopher Ballod

So, if you're in the retail sector as a merchant, the merchant's where the buck will stop. In most of these situations there are risks associated with that, both for non-compliance and in the incident circumstance. The processor is the one who the card brands will interface with directly and the processor is the one who the merchant will be interfacing with directly. It's important to note that looking at your merchant processor agreements, you'll see that the risk is passed through unless great pains have been taken to negotiate those agreements, and I found that there is very little willingness to negotiate those agreements with merchants. Those are the most important pieces of the chain here. As a merchant in the retail sector, you most need to be familiar with the fact that you're answering ultimately to the card brands, but the merchant processor will be your point of contact. – Christopher Ballod

On Integrators 

So integrators, think of this as those who enable some of the PCI transactions through hardware or software environments. Policy Touch is in the restaurant or hospitality industry is an integrator, Sabre is an integrator, sometimes a service provider as well. But I want to flag integrators in particular, if you have an agreement or if you have a relationship with an integrator, the integrator can touch many, many, many merchants. But is not itself subject to PCI DSS. So as a merchant, it would be very important to understand exactly what the role of the integrator is, and to make sure that legal protections are also in place in the event that there is a compromise on the integrator side of things. As a quick point here, this can affect thousands of merchants potentially.  – Christopher Ballod

So if you think in terms of cyber risk insurance and the ability to cover costs associated with an incident, if there's only a million dollars that is carried by the integrator, that's gone within a few merchants. And if you've got thousands, that will leave the merchants out in the breeze. So a big risk point, and that attack surface really has increased with COVID-19. We found that more in the retail sector are turning to integrators and their counterparts which are service providers. – Christopher Ballod

On Consequences of a Breach 

The notification obligation can cost 100,000, 250,000, sometimes even more dollars to accomplish. That can be required to put it in the media outlets if substitute notice is required or you're sending letters to all of your customers saying, "A bad thing happens, you may want to be careful... Effectively, you may want to be careful shopping with us again in the future." Which is not a message you want out there and that causes brand damage, harm to reputation. – Christopher Ballod

Reserve accounts are something that tend to catch my clients off guard, merchants off guard, they are always in the merchant processor agreements. I have not been successful in negotiating the amount even with the most cooperative merchant processors. They are a risk control measure. And what they do is they allow the merchant processor to say, "Well, I think that the likely assessment coming from the card brand is going to be $4 million," let's say if there's tens of thousands of cards that are compromised. So I'm going to take a certain percentage of every single transaction and skim off the top, that percentage and put it into a reserve account to fund any potential assessment. – Christopher Ballod

On the Beginning of PCI Case Study

A way that a lot of these cases starts is that as an investigator, or first as a merchant, a merchant will be issued essentially a CPP report or a common point of purchase analysis report that essentially shows transactions occurring at that merchant sometime later get used for fraud and based on analysis done by issuers they will identify specific merchant is probably having had a problem. And so unfortunately, there's no uniform way that CPP reports look, some of them are very granular in their dataset. – Andrew Valentine

Transactions starting in mid-March were subsequently being used for fraud. And so what the data set we got from the processor here basically showed the date of the legitimate transaction, the location, the card number, and then the amount that was used for the initial transaction, what it didn't give us is where the fraud transaction took place or how much that was worth. But that being said, their fraud started, basically, for transactions that took place, right when COVID hit. And we think about the timing of that it sort of makes sense. Because most other retail or hospitality locations were closing, it would have been pointless to go after a restaurant for example in the middle of March but what entities were still taking transactions at that time. Gas stations. Obviously they remained open as an essential business. – Andrew Valentine

On the Analyzing Logs

We used endpoint monitoring to pull event logs from each of the fuel controllers across the gas station environment just so we could see if anything sneaky going on within system event logs… what we saw was on March 15, there is a an encoded PowerShell that gets executed against the fuel controller. Right off the bat we're not sure what this is. But typically encoded PowerShell is not something that's legit. And it's happening right around the start of the fraud. – Andrew Valentine

We're able to use that binary itself to pull decryption keys and it was full of magnetics strip tracking data. What we know at this point is that at least at the fuel controller that we're looking at for this example, was that starting on the 15th, there were cardholder data being pulled out of memory dropped into an output file ostensibly for exfiltration. What I'll say is that that finding was replicated across other fuel controller. So this was across the board. And the timing is what makes this interesting. The question became, how was it that this was introduced? And how did bad guys get access to this environment to even do this? – Andrew Valentine

On the 13th, which would have been the date after most of the country shut down, an HR personnel at this company receives a phishing email... It's very specific in that the HR personnel that received this email was the military recruiter, so his particular job was to get veteran recruitment for employment through this gas station chain. Receives a phishing email that looks very, very specific and frankly good in terms of quality of phish email directly to him that once he clicks on that email, that end user workstation has been backdoored. They actually navigate from that user's end user workstation to the coffee shop, like the in-house gas station, coffee shop controller. And from just that one coffee shop, we're able to jump into the fuel controllers across the environment and then deploy that embedded PowerShell or that encoded PowerShell that we discussed. Again, what makes this interesting is a couple things. One, it's a phish email and by all accounts, it's a darn good one. So this initial entry was not some esoteric system vulnerability or unpatched box, it was just a guy that clicked an email. But that secondly, this email comes out right after the country essentially shuts down. Which to me speaks to threat actor pivoting. They realize that typical retail can't be a target from March 12th, 13th, 14th or onward, you just immediately hit it to those merchants that are going to stay open like gas stations. – Andrew Valentine

On After the Breach

Some of these services are monetized by virtue of selling the access after the initial attack. So we've seen, recently, indications that a PCI gang, a gang that specifically targets the retail environment, and stealing PCI data, has gotten involved with the MAZE ransomware as a service group, where we've seen ransomware attacks that shut down a company. You can't decrypt your systems and you have no operations. So you have to pay the ransom in order to get a decryption key to be able to even do email again. We've seen signs that the Carbanak Group in particular, the PCI attack group was involved in the access. So whether they sold access, whether the ransomware actor may have sold access to them isn't clear from what we have in that forensic investigation. But the fact is, these groups are working together to take advantage of the, I'd say more trusting, COVID environment where people are expecting to get emails more frequently, and are expecting emails to be more legitimate for work for many reasons. – Christopher Ballod

You might have just had a PCI breach, you might have just told the card brands, by virtue of the initial investigation, that you've deployed an endpoint tool, that your investigation is underway. And so you've got their attention. They're paying attention to what you're doing. And now you're encrypted with ransomware. That is not going to look good for the PCI DSS penalties and assessments that are coming on. – Christopher Ballod

On Gift Card Scams

We controlled only for those transactions which were for electronic gift cards and which were made using private label cards. And what that demonstrated was wholly unnatural. Like you should see some increase in transactions only because of the move to e-commerce but instead there was in some days with 10, 20 or 30 fold increase in purchases of electronic gift cards. These are typically $100, $200 apiece. And all in all, over the course of the post-COVID jump in electronic gift card purchases, about $1.5 million of those were purchased. – Andrew Valentine

Although there were hundreds upon hundreds of hundreds transactions that were all actually being sent only to a handful of email addresses, which was very suspicious, and that they're all being purchased with these private label cards. Which would tend to indicate that there are a lot of these private label cards being compromised. Somehow these bad guys got a hold of a great deal of private label cards in order to even conduct these transactions. And we were trying to figure out how this even occurred, like how was it that the bad guys got their hands on private label cards to even make these transactions. And so we needed to understand if there was a compromised data set. Was there a database somewhere that was full of private label account information to include PAN, expiry and security code, to conduct a transaction was. Were they cards that were compromised somewhere else? We just need to understand where threat actors got the cards to even conduct these transactions. – Andrew Valentine

What we came to discover was there really wasn't a compromised data set in this case at all. In walking through the authorization process with the issuer that issued the private label cards, we wanted to understand how actually these cards were able to be authorized to begin with. We came to learn that the issuer that this merchant was using to issue the private label card with authorized transactions on PAN only. Meaning that if you had the 16 digit string that constitute the primary account number, you can use that information for a transaction, the issuing bank wouldn't actually check for a correct expiration date for a printed security code, as long as the correct account number was issued, that was enough for them to conduct the transaction. So with a bin range, which is public knowledge, you can just use, and there's a million of them out there, just an account number generator to actually generate card numbers. And in doing that, you'll find that there's a lot of transactions... Or a lot of account numbers that are not real. But a lot of them are going to be. – Andrew Valentine

The very next step became a legal step where the merchant really went back to their contractual paperwork with the issuer to understand what security controls they expect to be issued actually doing around these transactions. And probably doesn't surprise you to hear that nobody at the merchant, off the top of their head, actually knew what those obligations were. Nobody was overly familiar with contract paperwork with the merchant. And I think ultimately, there was nothing explicit in that contract language that authorizations would require an expiration date or security code. And I think that the sense was that it was just sort of understood that in 2020, when you're doing a credit card transaction, you essentially need all those authentication data to get a transaction to go through. They just sort of expected that they're sure we'll do those things, even if it wasn't explicit in the contract paperwork. – Andrew Valentine

On Threat Actors Exploiting Work From Home 

Most (companies) in the world have sent employees home, which has allowed for wide doors to be opened by way of data breaches. So this has to do with a brick and mortar again, and e-commerce steak retailer. They dealt in high end steaks, meats, barbecue. They closed all retail, again on March 16, actually, just like the last one. And again send corporate employees home. They saw a dramatic uptick in e-commerce sales. And I think for them, it wasn't just that that retail shut down. But if folks recall there was actually like meat shortages going on in March. So they saw their sales go through the roof, starting March 16 and onward. And because of that, if they didn't necessarily in the beginning want to entertain the idea that something might have been wrong, just because business was so good. – Andrew Valentine

We got brought in to determine whether or not there was an issue at the site. And typically with these cases, the way we start out is just, we'll go to the side ourselves, take a dummy credit card and just run a test transaction and just follow where data goes. And we clicked submit on the order form, and what happens to it. So ostensibly, we'd like to see car data go off to a merchant acquirer for authorization, but what we saw here was essentially an encoded script being executed at the time that the customer clicks submit. The script at the bottom there, it was The script is actually gmt.js. We could actually pull the script down. That's not as important as the time that the script was inserted. So because we knew where the script lived, we could go to into the server and find exactly what it was dropped on the server. – Andrew Valentine

When they start interacting with the admin dashboard, they could have inserted the code earlier. But what they did is actually dropped a web shell, such that they could get access to the admin side of the site without having to go through one of the white listed IP addresses, which is when they come back 40 minutes later, and then insert the actual script. And that's interesting because although they realized that because there's a loosening of security and scrutiny around the white list, they still dropped a different tool to be able to access the site with some measure of persistence. – Andrew Valentine

On Technology for Protecting Your Organization Against an Attack 

Having multi-factor authentication in place, beyond just being a PCI requirement, would have prevented most of the breaches I get involved in. There are no security silver bullets, I think that MFA comes close. – Andrew Valentine

Any time I do an e-commerce merchant case, I end up recommending that they move to a hosted iframe. In the PCI parlance, it's called the SAQ-A solution. It's essentially where on the payment page, all of the form fields involved with the actual transaction, so name, address, primary account number, expiration date and security code, those particular form fields aren't actually hosted anywhere on the merchant site, but sit within a hosted iframe that's actually hosted by the merchant acquirer. This solution basically reduces your risk profile greatly. Because card data never actually transferred through client or merchant owned servers. The actual form fields are hosted someplace else. – Andrew Valentine

You'll see a lot of recommendations out there that say "be PCI compliant." I recognize it for level four and even level three merchants, truly being PCI compliant is not something that's realistic, but there certainly are parts of PCI that are valid and should be rolled out by any merchant. Things like multi-factor authentication being rolled out everywhere, log retention, actually have logs for a year. There certainly are things that merchants of any level can do. And even if being fully PCI compliant isn't realistic I think merchants should maximize either PCI complaints profile where possible.
 – Andrew Valentine

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Cyber Vulnerability Assessment

Proactively identify vulnerable systems and devices that may be exploited by an attacker or malicious software, often resulting in data loss or breach.

Cyber Risk Assessments

Kroll's cyber risk assessments deliver actionable recommendations to improve security, using industry best practices & the best technology available.

Malware and Advanced Persistent Threat Detection

Our expertise allows us to identify and analyze the scope and intent of advanced persistent threats to launch a targeted and effective response.