Cyber Threats at Retail Endpoints Giving Way to Data Theft

Major prevalent threats

• Unsecured POS systems: It is the most common threat faced by local retailers. Most of these devices run on some variant of Windows and Unix with a basic operational interface. A PoS malware specifically exploits the RAM in a flawed system to steal unencrypted information.
• Banking trojans: Many cybercriminal groups rely on banking trojans to steal credit/debit card information or internet banking credentials to steal funds from victims’ accounts. Some of the prominent banking trojans operating globally include Emotet, Redline, Ramnit, Lampion, Sharkbot, Escobar, and Xenomorph among others.
• Ransomware threats: In the last few years, an increasing number of retail stores have adopted digital platforms to store their customer data, and manage their finances, payroll, and other business activities. This has attracted the attention of ransomware groups looking to steal sensitive data and extort their victims to extract large amounts of ransom.
• Third-party risks: Retailers work with a variety of vendors, distributors, and other business partners to source merchandise, acquire technological solutions, and expedite other operations. This vast ecosystem in the retail sector poses cybersecurity risks for all stakeholders involved as a security breach at one link in the supply chain can have a major impact downstream or upstream.
• Poor cyber hygiene of end-users: Customers have historically displayed little awareness about the security of their own data. They often fall prey to convincing phishing techniques and their personal devices get compromised. An attacker can easily benefit from such user behavior.

Modus Operandi

• RedLine stealer is capable of stealing passwords, browser cookies, and credit card and cryptocurrency wallet data. 
• It harvests a wide range of information from compromised machines, such as OS information, system hardware, system language, processes, and more.
• The malware is known for stealing financial and telecom-related sensitive information.

Recent attacks on retail endpoints

• Recently, details of a few login credentials pertaining to multiple corporations were made available on the dark web through data acquired from multiple non-corporate endpoint assets infected with Infostealer. Such endpoint assets are usually at high cyber risk due to the lack of cyber hygiene practices of the users who tend to store sensitive login details which are easily picked up by info stealer malware upon infection.
• The New Zealand-based gardening retail chain Kings Plant Barn suffered a data breach after its online system for managing click-and-collect bookings was targeted in a cyberattack.

How to stay safe

• Network defense solutions play a critical role as they can detect unusual network behavior by malware actors.
• Implement data backups for faster recovery after an incident.
• Real-time identity theft monitoring is highly recommended.
• Encourage end users to track and report any suspicious activity in their accounts.
• Use multi-factor authentication on all crucial applications and systems.
• Address third-party risks by timely verifying the security posture of affiliates. 
• Invest in cybersecurity awareness training for employees to promote best practices.
• Perform periodic cybersecurity risk assessments to evaluate potential gaps in cyber defenses.