As the shopping season begins, cyber savvy retailers in the Gulf stand to reap the benefits of substantial growth in the e-commerce sector.
However, while e-commerce enjoys rapid growth, global attack trends indicate that the retail support sector continues to be a popular target for cybercriminals. For example, the cybercriminal operation “MageCart” targets online retailers by creating websites that mimic their victims’ websites and inserting malicious code to capture card data.
Physical point-of-sale (POS) terminals are another weak spot for retailers. Transnational groups such as FIN6 target companies providing POS services to retailers and have shown skill compromising networks to access payment card data stored on POS terminals.
Jay Townsend, Principal at Booz Allen Hamilton, said, “While e-commerce is enjoying rapid growth in the Gulf, it has been popular far longer elsewhere in the world and cybercriminals have gained decades of experience honing their craft targeting consumers and companies online. Gulf-based retailers and their infrastructure are increasingly being targeted with advanced malware variants to intercept payment card data and communications. This signals the need for greater cybersecurity vigilance among both retailers and customers.”
Cybercriminals are also targeting computers throughout the Middle East to mine cryptocurrencies. According to Symantec, the skyrocketing and volatile prices for cryptocurrencies in the last quarter of 2017 spurred a significant increase in infection rates. So-called “cryptojackers” compromise websites of popular brands and upload a malicious script to infect the web browsers of unsuspecting visitors. Once a customer visits an infected website using insecure means, the malicious script begins siphoning computing power to mine cryptocurrency.
Ziad Nasrallah, Principal at Booz Allen Hamilton, added, “In the UAE specifically, the rise in e-commerce is heavily driven by mobile-first habits and one of the world’s highest smartphone penetration rates. Given increases in mobile shopping throughout the UAE and wider Gulf region, cybercriminal networks will continue to increase their operations given the target-rich environment. It is imperative for retailers and consumers to protect themselves from attacks that could cause tremendous financial or reputational damage.”
With these realities in mind, retailers and consumers in the Gulf need to anticipate cyber threats and plan accordingly to ensure safe and secure holiday shopping. Booz Allen Hamilton outlines a few top tips for retailers and customers to protect themselves against cyber threats during the upcoming peak festive season.
Tips for retailers:
- Remember, cybercriminals prefer easy targets
Poorly maintained websites and unsecured e-commerce platforms are attractive to cybercriminals. These criminals are not simply after financial data; customer information such as purchasing habits or personally identifiable information is often more valuable. Like payment card numbers, this data can be sold on Dark Web forums and lead to identity theft or exploitation. Similarly, if a security-hardened retailer works with a third-party supplier with weak security hygiene, attackers will target that supplier to access the retailer. Since the supplier enjoys trusted access to the retailer, attackers will exploit that trust – leaving even cyber-secure retailers vulnerable.
- Do not wait until it’s too late
Retain the services of a managed security services provider (MSSP) in advance. It is easier to anticipate and prevent a cyber incident than to clean one up. MSSPs provide a range of security services to keep businesses online, including denial-of-service protection, reputation monitoring, threat forecasting, and incident response.
- Develop and rehearse response plans
Even with preparation and a business continuity plan, cyber incidents are only a matter of time. Developing a response plan is only part of the battle. Plans and staff must be tested through exercises and simulated crises so company employees, from cashiers to C-suite executives, know exactly how to respond when an incident occurs.
- Update often
Outdated software poses a threat to the security of payment systems and customer data, so retailers must establish software management regimes to regularly apply security patches. Technology vendors publish updates that address flaws and vulnerabilities on an ongoing basis. The single greatest thing a retailer can do, aside from purchasing the right technology, is to care for it properly.
- Monitor social media and online discussions
Competitors or insiders can disrupt a brand’s online presence. Online presence is a primary driver of revenue, brand recognition, and traffic for both online and physical stores. This includes not only official websites but also social media and related forums. Retailers should monitor online discussions about their brands as it is easy for malicious actors to execute negative online campaigns that quickly go viral. Additionally, rogue employees can hijack social media accounts and publish offensive or false information, causing reputational damage. An insider or motivated social media manipulator can inflict damage on par with or exceeding a malware-based attack.
Tips for consumers:
- If it seems too good to be true, it usually is
If you are a customer, remember that cybercriminals are aware of holiday shopping habits and employ different tactics to successfully target unsuspecting customers. The most common threat targeting consumers is phishing via email or text message to advertise seemingly good deals that are scams tricking people into revealing financial data or allowing malware onto their devices.
- Trust your intuition
As a consumer, the anticipation of receiving online purchases can often create a false sense of security, so cybercriminals often exploit fake shipping invoices, customer surveys, or other communications to target the public. Be wary of unexpected emails and never divulge personal information. A common tactic cybercriminals use is to call individuals and ask them for personal information as verification to confirm a nonexistent order.
- Look for the lock icon
When shopping online, look for the padlock icon in the address bar that indicates data sent to the website, including payment card information, is protected to minimize data exposure to potential eavesdroppers.
- Be skeptical of online reviews
Astroturfing is a tactic used by both legitimate and unscrupulous sellers to minimize negative product reviews by hiring teams to generate fake positive reviews. Signs of astroturfing often include numerous vague, short reviews posted in quick succession. On established e-commerce sites selling thousands of products, astroturfing can disguise inferior, fake or even dangerous products.