November 27 marks Black Friday – the annual shopping event in which global retailers offer various deals and discounts on items in the build up to the Christmas period.
Of course, as is the norm during any popular event, fraudsters have traditionally gone into overdrive during the festive shopping period, tailoring scams and attacks to exploit the huge numbers of consumers flooding online to make the most of the sales to save a pretty penny.
However, what’s notably different about this year’s Black Friday shopping event is that we are in the midst of a global pandemic, with non-essential physical shops currently closed in many countries across the world as part of social distancing efforts to slow and stop the spread of COVID-19.
What that means is that more consumers than ever will be logging on to shop digitally as physical shopping remains significantly restricted, and where the masses lead, the frauds follow.
Speaking to Infosecurity, Jonathan Reiber, senior director of cybersecurity strategy and policy at AttackIQ and former chief strategy officer for cyber-policy in the office of the US secretary of defense during the Obama administration, discussed the specific fraud risks of this year’s festive shopping period and how organizations can prepare for and mitigate the threats.
What are the key fraud risks surrounding this year’s Black Friday event?
The Federal Trade Commission reports that social-media enabled fraud has increased by almost 100% over last year. Cyber-criminals see the opportunities that the COVID-19 pandemic presents, and they will try to compromise consumers’ identities and retrieve financial and personally identifiable information for their own gain.
How do fraud risks surrounding this year’s festive shopping period differ from previous years?
This holiday shopping season is going to be like no other. In-person shopping will decrease significantly to keep the virus from spreading, and most people will do their holiday shopping online. Fraud has already been on the increase over the last year due to the coronavirus, with the FBI reporting in August that incidents of online fraud have increased particularly for victims using websites advertising lower cost items for gym equipment, small appliances, tools and furniture – all items that could appeal to consumers this holiday season.
“Retailers and all organizations trusted with sensitive customer data should continuously assess their security control effectiveness”
What are the best practices for protecting organizations and their users from Black Friday-related threats?
Attackers will try to target big corporations, like Amazon, Home Depot or Walmart, as most consumers will purchase from large organizations. However, local ‘mom and pop’ shops may be more susceptible to fraud, perhaps having shifted to online operations this year. They may not have invested significantly in security and as a result, and may not be prepared for the increased scale of operations and exposure that the holiday season will bring.
Large organizations like Amazon and others will need to ensure that their cybersecurity is working effectively, including by deploying automated testing that can validate security control effectiveness safely, at scale and in production. Local mom and pop companies should anticipate that consumers will want to support their local businesses during this difficult holiday season and take steps now to invest in cybersecurity for online transitions if they have not done so already.
It will help to prepare for specific, known threats. Among threat actors, FIN6 is a financially-motivated cybercrime group that has compromised point-of-sale systems in the hospitality and retail sectors since at least 2015. More recently, the group has evolved its methods to target US and international organizations with LockerGoga and Ryuk ransomware variants. Ahead of this holiday shopping season, retail companies should exercise their defenses against groups like FIN6 and other financially-motivated groups.
There are resources to help. MITRE Engenuity’s Center for Threat-Informed Defense offers a public, free-to-use library of emulation plans for security teams to improve their cyber-defenses against known attackers, including specifically for FIN6. Retailers and all organizations trusted with sensitive customer data should continuously assess their security control effectiveness to make sure that they are configured correctly and operating effectively. They can start by preparing for common adversary tactics, techniques and procedures as outlined by the MITRE ATT&CK framework. With ATT&CK as a foundation, organizations can then use automated breach and attack simulation platforms to verify their defense effectiveness.