Fraudsters favor retail networks even as EMV, coronavirus remove opportunities
Even before the coronavirus outbreak, cybercriminals were shifting their attention away from point-of-sale terminals — but the retail industry still absorbs the most attacks seeking to compromise databases or networks.
The adoption of EMV-chip card security, as well as a heightened awareness of the need for encryption in the years following major retailer breaches, made the point of sale a less appealing target to attack directly. Thus, fraudsters were already turning to new exploits even before the pandemic cut off their access to the physical point of sale.
For example, business email scams are a major concern, according to the U.S. Secret Service, which notes that the loss of hallway interactions among employees makes them more vulnerable to being tricked by scammers impersonating a boss or vendor.
In light of these trends, the Payment Card Industry Security Standards Council continues to stress the importance of human awareness and intervention.
The PCI Council cited a 475% increase in malicious attacks related to coronavirus in March, while also noting 41% of small businesses a year ago had already said they were hit by a breach that cost them more than $50,000 to recover.
The best response for small businesses is to reduce where payment data can be found, the council noted. With so much carry-out and curbside pickup taking place, it is best for business owners to not write down payment card information, but instead enter it directly into a secure terminal.
It is also a good time for merchants to make sure that weak or default passwords are not being used in networks containing payment or personal information. Weak passwords remain a frequent source of breaches, the council said.
The coronavirus has accelerated a shift in fraud trends that the security research and fraud prevention firm Trustwave already observed last year in preparing its 2020 Global Security report.
At 24% of all attacks, retail stands as the most affected industry, according to Trustwave. That put retail payments networks at more risk than even financial institutions at 14%.
Once that attacker has made a move, the corporate and internal networks are targeted the most at 54%, followed by e-commerce at 22%, cloud environments at 20% and the POS at only 5%.
The drop in attacks at the point of sale, mostly because of EMV chip cards becoming the norm across the globe to derail counterfeit card fraud, is a sharp contrast with just four years ago when more than 30% of breach investigations at Trustwave started at the retail POS.
"EMV chips foil most malware at the front end, [but] there are still effective ways to invade POS environments," said Steve Hunt, senior analyst and expert of cybersecurity at Aite Group. "Phishing for user credentials and financial data are lucrative in themselves and open the door to ransomware and lateral attacks inside the network."
In possibly seeking easier attack paths and more return on their investment, cybercriminals have focused the majority of their attacks on finance and insurance markets and the internal corporate network in those industries, Hunt said.
"Business email compromise is big business," Hunt said. "Always a needling concern for comptrollers and CFOs whose staff shelled out billions over the last few years in fraudulent wire transfer requests, now business email compromise is attracting more attention from attackers armed with more sophisticated phishing and social engineering techniques."
In scanning security systems, Trustwave said it mostly encounters attacks and misconfigurations involving Secure Sockets Layer encryption, as well as the potential impact of Microsoft ending its support of Windows 7 and Windows Server 2008.
Attackers exploit vulnerabilities in back-end database management systems because web apps generally use those systems. If an attacker can get into the system, damage to sensitive information or underlying operating systems is likely, the report stated.
Calling it a "recent and odd phenomenon," Trustwave noted that ransomware — a type of malware that holds systems for ransome — uses databases to distribute itself, targeting unprotected databases running on Windows and capturing passwords and SQL database management commands to upload malicious files.
Trustwave has found that an improperly configured SSL can introduce new vulnerabilities. It was, in fact, among the company's top security trouble areas of the year.
The end of Microsoft support for Windows 7 2008 came on Jan. 14, 2020, a similar process to its end of support for Windows XP in 2014. Still, Windows 7 accounted for nearly 30% of desktop and laptop users in December of 2019, down from 41% in the beginning of the year. "There are still a lot of Windows 7 computers in the world, and hackers are ready to pounce on new vulnerabilities," the report stated.
Once viewed as a key entry point to obtain password or other access information, email spam has continued to decrease from its high of 87% of all inbound email being spam in 2010 to only 28% in 2019.
Of those spam emails, 39% touted phony pharmaceuticals or health care products in an attempt to secure personal or payment data from victims.
While certain types of online attacks are decreasing, attackers continue to deliver malware through fake notices claiming the user's browser or one of its components is out of date. On average, Trustwave said it would encounter 174 fake updates per day in 2019.
Another encouraging sign regarding the current safety of POS terminals is that Trustwave detected no malware samples affecting POS environments during investigations last year. "This represents the culmination of a multi-year trend of year-over-year decreases from 40% of malware samples in 2015," the report stated.
Ultimately, attackers continue to view humans as "the lowest hanging fruit" in terms of being able to compromise a system when automated attacks are stifled by prevention technology.
"An effective defense strategy means looking out not only for attacks targeting technological weaknesses, but also watching for attacks that seek to exploit human factors like ignorance, fear, curiosity and greed," the report stated. "The organizations that do the best job of protecting their assets from attack do so, in part, by cultivating a smart, savvy, skeptical user base that knows what kinds of attacks to look for and how to respond when they see them."