Holiday Season Cyber Threats (Part 2): Ransomware, Gift Cards, and Point-of-Sale breaches

This is the second installment of a two-part report on threats to the retail and hospitality sectors in the holiday season. The surge in online shopping and travel bookings during the holiday season offers rich pickings for cybercriminals. Black Friday, Cyber Monday, Christmas shopping, and increased travel throughout December offer ample opportunities for cybercriminals to profit from the high volume of transactions and the growing reliance on digital platforms in retail, travel and hospitality. Their objective is to compromise sensitive customer data, disrupt operations and erode trust, all with an eye toward monetization.

Online sales in the United States are projected to reach $240.8 billion USD in November 2024 and December 2024, marking an 8.4% increase from the previous year. In this blog post series (See Holiday Season Cyber Threats (Part 1): Phishing, Fake Shops and Bogus Bookings) we examine threats to retail and hospitality industries during the holiday season. Ransomware targeted these sectors more heavily in November and December in 2023, impacting their operations and digital systems in the most crucial quarter for revenues. Cybercriminals also ramp up gift card fraud and point-of-sale (PoS) system breaches during this season.

As the retail and hospitality industries continue to expand and embrace digitalization, they become increasingly attractive targets for cybercriminals, especially during the holiday season — a time marked by heightened consumer activity and substantial financial transactions. The surge in demand during these peak periods creates a fertile environment for cyber threats, which historically increase as organizations face greater operational pressures. Cybercriminals leverage sophisticated and strategic methods to maximize impact and financial gain, often disrupting business operations and compromising consumer safety. The timing and precision of these attacks typically align with moments when businesses are most reliant on their digital systems. 

Operational Threats

Ransomware attacks

As organizations face increased demand during the festive season, their systems may be overloaded and more susceptible to ransomware attacks. Businesses also potentially may be more willing to pay ransoms to minimize costly downtime. Cybercriminals take advantage of the heightened activity, diminished staff vigilance, and often stretched IT resources to launch attacks when businesses are most vulnerable.

Ransomware operators employ several techniques to gain initial access to target infrastructures, including:

• Vulnerability exploitation: Attackers target vulnerabilities in publicly accessible applications such as web servers, content management systems or e-commerce platforms.
• Targeting remote services: Attackers exploit weaknesses in external remote services such as remote desktop protocol (RDP) and virtual private networks (VPNs).
• Brute-force attacks: Attackers use a trial-and-error method to guess weak passwords or default credentials.
• Credential theft: Attackers acquire valid login credentials through phishing, credential stuffing or purchasing them from underground marketplaces or Telegram, facilitating access without immediate detection.
• Purchasing compromised accounts: Ransomware operators and their affiliates often buy compromised Citrix, RDP and VPN accounts.
• Phishing emails: Attackers send meticulously crafted emails disguised as legitimate communications that contain malicious attachments or links. Opening these emails can potentially lead to the installation of ransomware. 

In 2023, we detected 93 ransomware breaches impacting the retail and hospitality industries during November and December alone (see: Figure 1). This accounted for 24.5% of the total breaches for the year, marking it as the period with the highest frequency of attacks. Notably, 48.4% of these breaches were attributed to the activity of three ransomware groups — LockBit, Play and 8BASE. 

We have detected 282 ransomware breaches affecting the retail and hospitality industries since the start of 2024, representing a 13.5% decrease from the same period in 2023. The U.S. experienced the highest number of incidents, accounting for 46.1% of events, followed by Canada and the U.K. at 8.16% and 5.67%, respectively. The most impactful ransomware groups during this period — LockBit, Play, RansomHub and Akira — were responsible for 35.11% of all breaches targeting these industries.

Figure 1: The image depicts two-month running totals of ransomware attacks against the retail and hospitality industries in 2023.

Gift card fraud

Gift cards are a popular gifting option during the holiday season. In 2023, Christmas sales constituted 38% of the year's total gift card transactions, with the average consumer allocating about 48% of their holiday budget to gift cards — an increase from 39% the previous year. Cybercriminals target this peak period, aware that both staff and shoppers are likely to be less vigilant amid the seasonal hustle. Furthermore, the simplicity of trading or selling gift cards online, combined with the minimal personally identifiable information (PII) required for purchases, makes tracking gift card fraud particularly difficult. Gift card transactions also are generally smaller than those made with credit and debit cards and therefore arouse less suspicion.

Actors in the gift card fraud ecosystem play different roles in converting the balance of digital gift cards into value. Intel 471 is currently tracking several actors that sell digital gift cards with card numbers and PIN codes for other actors to use in-store or at an online shop. Other actors we’re monitoring seek to purchase gift cards from suppliers at a percentage of a card’s remaining balance. 

Threat actors engage in gift card fraud through a variety of methods that include:

• Account-checking tools: Cybercriminals deploy automated scripts or programs, known as account checkers, to test credentials against website login systems, including user interfaces (UI) and application programming interfaces (APIs). These tools enable attackers to identify successful login combinations, granting them access to stored payment options, bank account details and gift card balances.
• Compromised account information: Attackers take advantage of data breaches to acquire user account credentials. They use these stolen credentials to infiltrate consumer accounts, from which they can either purchase gift cards or redeem existing balances.
• Insider assistance: Malicious insiders within organizations can also play a crucial role in facilitating gift card fraud. They might activate gift cards without receiving payment or provide card details to external fraudsters.

Point-of-sale system breaches

PoS system breaches are a significant concern during the holiday season when retail and hospitality venues see a sharp increase in customer traffic and sales volume. This surge provides cybercriminals with the ability to exploit vulnerabilities in PoS systems, potentially leading to extensive theft of payment card data.

Cybercriminals employ a variety of methods to target these systems, including:

• Malware installation: There generally are two approaches to installing PoS malware. The first involves insiders — often employees with knowledge of the payment processing setup who manually install malware on targeted devices. The second relies on social engineering or phishing to deceive users into installing malware. A common type of PoS malware is random access memory (RAM) scraping malware, which is designed to steal credit card data directly from the system's memory.
• Exploitation of network and software vulnerabilities: Attackers take advantage of weak network security measures, such as default configurations, shared network connections or outdated software, and vulnerabilities — whether known and unpatched or newly discovered.
• Insider threats and physical tampering: Insiders who have access to or work with PoS systems can facilitate fraud, either knowingly by colluding with external attackers or unknowingly through negligence or manipulation via social-engineering tactics. Additionally, physical access to PoS terminals allows insiders to tamper directly with the hardware. This can include installing skimming devices, altering internal components or substituting genuine terminals with compromised ones preloaded with malware or built-in skimming features.

Behavioral threat hunting in retail 

One of the biggest challenges facing the retail and hospitality industries is the speed and sophistication of modern cyberattacks. Threat actors are becoming increasingly adept at hiding their activities, blending in with normal network traffic to evade detection. They also employ a range of tactics and tools, from malicious software and phishing scams to advanced persistent threats (APTs).

Behavioral threat hunting enables faster threat detection and the ability to reduce the amount of time an attacker is present in the network before being detected, a period known as “dwell time.” Businesses can also uncover hidden threats and threats missed by signature-based detection. By implementing threat hunting into their security strategies, retail and hospitality businesses can improve their overall security posture and better protect their networks, customers, and reputation.

Unlike traditional security solutions, which are typically designed to detect specific threats, threat hunting is a more holistic approach that allows security professionals to search for threats and suspicious activity throughout the network. This approach can help to identify threats that are not easily detectable by traditional security solutions, such as those that use encryption or advanced threats that have been carefully crafted to evade detection.

Threat Hunting in Action: A Real-Life Retail Breach

In one real-life scenario, a large retail chain experienced a persistent security breach that went undetected for several weeks. Despite having a well-equipped security team and a range of security solutions in place, the company was unable to identify the source of the breach. That's when they turned to a team of threat hunters for help. The hunters started by conducting a thorough analysis of the company's network traffic, looking for any signs of suspicious activity. They quickly identified a pattern of unusual network traffic that was being generated by a rogue device on the network. Further investigation revealed that the device was connected to a remote server located in a foreign country. The threat hunters determined that the device was running malware that was being used to steal sensitive customer data and transmit it to the remote server.

By focusing on the key behaviors exhibited by the malware, the threat hunters were able to isolate the device and eliminate the threat. They also implemented a series of security measures to prevent similar incidents from happening in the future, including the deployment of advanced threat protection solutions and the strengthening of access controls and network security policies.

Thanks to the quick action of the threat hunters, the retail chain was able to reduce the dwell time of the threat actor. This helped to minimize the amount of data that was stolen, and the company was able to take immediate action to protect their customers' sensitive information.

Recommendations

Prevention strategies

• Implement multifactor authentication (MFA): Enforce MFA across all employee and customer accounts to add an extra layer of security against unauthorized access due to compromised credentials.
• Regularly train employees: Provide comprehensive cybersecurity awareness training for all staff, including seasonal and temporary employees. Focus on recognizing phishing attempts and social-engineering tactics and proper handling of sensitive information.
• Strengthen network security: Implement robust firewalls, intrusion detection systems (IDSs) and intrusion prevention systems (IPSs), and network segmentation to protect sensitive data and systems. Regularly update and patch all software and hardware to address known vulnerabilities.
• Monitor for fake websites and brand misuse: Use brand monitoring services to detect and take down fraudulent websites and ads impersonating your business. 
• Develop an incident response plan: Create and regularly update an incident response plan tailored to holiday-specific threats. 
• Leverage customer awareness initiatives: Inform customers about prevalent scams during the holiday season. 

Detection strategies

• Continuous network monitoring: Implement security information and event management (SIEM) systems to monitor network traffic and system logs for suspicious activities in real time.
• Threat intelligence integration: Work with a trusted cyber threat intelligence (CTI) partner to stay informed about emerging threats, indicators of compromise (IoCs) relevant to your industry, and the evolving tools, techniques, and procedures (TTPs) employed by adversaries targeting your sector. Some threats can only be detected by analyzing CTI data points gathered across the digital threat landscape, such as third-party breaches, compromised credentials, and relevant vulnerability exploits sold on underground forums. CTI data can help organizations understand their threat exposure before   
• Endpoint detection and response (EDR): Use EDR solutions on all endpoints to detect and respond to threats at the device level, including malware infections and unauthorized access attempts. 
• Behavioral threat hunting: Enhance EDR coverage of threats with advanced behavioral threat hunting to identify artefacts and evidence of undetected threats in security log data in EDRs and SIEMs. Running threat hunting queries based on observed TTPs can help quickly identify threats that were designed to bypass EDR systems.   
• Employee reporting mechanisms: Establish clear channels for employees to report suspicious emails, calls or activities.