Some industries are more likely to attract particular kinds of threat actors than others. The retail and hospitality industries, for instance, are very attractive targets for cyber criminals, as both collect and process large quantities of personal and financial data. This is similar to the banking industry but, whereas major bank breaches are now considered to require sophisticated operational procedures and have become the preserve of highly specialised groups, the retail and hospitality industries remain prime targets for criminals of all capabilities.
Retail and hospitality firms typically operate in highly distributed and rapidly changing environments requiring close connectivity with supplier networks. Both increasingly rely on internet of things (IoT) devices and new technologies for payments, authentication and engaging customers, while also depending on antiquated technologies such as point-of-sale (PoS) systems, which are often based on older operating systems such as Windows 7 or XP. This contributes to an expanding attack surface which is difficult to manage from a security standpoint. In some countries, PoS systems have even been discovered to have been infected with malware before they were installed in retail locations. All of this culminates in the creation of an attractive environment for cybercriminals of various capabilities, from sophisticated actors avoiding the extra attention that comes from targeting banks to those that are only capable of targeting ‘low-hanging fruit’.
In terms of cybercrime, FIN7 is currently one of the most highly publicised adversaries to the retail and hospitality industries. Suspected to be of Russian origin, this organised crime group (OCG) is not only prolific, but also professional and capable. Yet the group has shifted its focus from financial services industries, now choosing to target retail and hospitality time and time again. They have breached Omni Hotels & Resorts, Trump Hotels, Jason’s Deli, Whole Foods, Chipotle, Saks Off 5th and Lord & Taylor to name but a few. FIN7 have a particular specialism in breaching PoS systems to harvest large quantities of financial data. FIN7 have close ties to the Carbanak group, being widely assessed to be one of the numerous splinter groups which formed following arrests of group members back in 2015/16. This provides the group with access to some of the same malware and tools as have been used in operations that stole upwards of USD 1 billion from banks and financial services industry members. The deployment of this toolkit against the relatively unprepared members of the retail and hospitality industries has been a very profitable course of action.
In March 2018, law enforcement announced that the leader of the Carbanak and Cobalt OCGs had been arrested in Alicante, Spain. Could this arrest impact the retail and hospitality industries? Possibly. The extent of the overlap between FIN7, Carbanak and Cobalt remains unclear. Although the arrest is likely to cause an extra degree of caution, it is unlikely that the group (or groups) will completely disband. Indeed, only a few days after the arrest, it was reported that a new batch of compromised credit and debit card data called “BIGBADABOOM-2” had been posted on the Joker’s Stash carding store, reportedly obtained from a FIN7 breach of the Saks Fifth Avenue and Lord & Taylor department stores.
[Image: Stolen credit card data being advertised on a carding site]
In addition to targeting the criminal groups themselves, efforts are also being made to target the places where they monetise their stolen data. In July 2017, law enforcement shut down AlphaBay and Hansa – two of the largest dark web marketplaces. While primarily focused on the drugs trade, these services also had thousands of listings offering fraud-related material. Unfortunately, disrupting dark web marketplaces and carding sites is like playing whack-a-mole; new players will emerge, or smaller marketplaces will benefit from increased demand following a shutdown.
Breaches against the retail and hospitality sectors, particularly in the United States, have emphasised the importance of transitioning to more secure EMV (Chip and PIN) PoS terminals, which can prevent the base card details from being easily intercepted by embedded malware. Many large chains in the US are yet to fully migrate from magnetic stripe terminals (despite a legal obligation to do so). Despite ongoing attempts to shore up security in this area, PoS remains one of the main targets for criminals. One recent incident involved a PoS supply chain attack, in which an OCG compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems in late 2016. It is likely that this was an attempt to steal MICROS customer usernames and passwords when customers logged in to the support website.
While PoS breaches are the predominant threat associated with the retail and hospitality industries, others exist which can be considered particularly pertinent to both. For instance, both heavily rely on seasonal trade. A shrewdly timed cyber extortion attack during peak season could place a firm at the mercy of even low-capability attackers. Ransomware, DDoS, data exposure or wiper attacks during the crucial Christmas period, for instance, or just before a major sporting event such as the World Cup, could significantly affect profits. At the beginning of the ski season last year, a four-star hotel in Austria was reported to have been hit by a ransomware attack in which hackers disrupted the controls of locks on guest rooms, causing paying guests to be locked out of their rooms. The hotel manager later disputed this; however, he did acknowledge that the hotel could not program keycards for the guests checking in on the day.
The comparatively high staff turnover rate (particularly in retail), coupled with low cybersecurity awareness in both industries, creates opportunities for external attackers and insider threats. Researchers have identified a FIN7 campaign focused on restaurant staff, which could be designed to limit the effectiveness of corporate security initiatives.
OBLIGATORY GDPR STATEMENT
As has been exhaustively reported throughout global media, the General Data Protection Regulation (GDPR) was recently launched across Europe and the UK. Despite much breathless commentary and significant levels of hype, it is in industry members’ best interests, as handlers of significant amounts of personal data, to ensure they have appropriate training and security resources in place to avoid the hefty fines that could result from the mishandling of data. A recent focus on the creation of personalised customer experiences, which has resulted in clients allowing both industries to collect larger amounts of personal data, could backfire if a breach is not handled correctly. As a consequence, cyber-attacks could have a greater emotional impact on the victims, leading to a greater fallout effect on sales.
Without a significant hardening of security measures and modifications to existing security culture, retail and hospitality will continue to be two of the most highly targeted industries by cyber criminals. Barriers to entry for cybercrime are falling, with more activity from lower-capability criminals expected, particularly in relation to cyber extortion attacks. Higher-capability attackers such as FIN7 will be unrelenting in their attacks.
Members of the retail and hospitality industries should be sure to stay informed about the latest developments and review how they’re handling their security, not only to avoid the prospect of considerable GDPR fines, but also to protect critical assets and customer loyalty. A proactive approach, including the adoption of industry- and actor-linked threat intelligence to understand and respond to specific issues, will ensure resources are directed to where they are most needed while making it more difficult for cybercriminals.