Cybercriminals are constantly evolving their tools and tactics for breaching corporate networks. As retailers get better at protecting their networks from traditional cyberattacks, hackers are adapting to this challenge by finding new security weaknesses, updating old tricks and exploiting new corporate blind spots that have been created by hybrid work, the rise of non-email digital communications and the increasingly blurry line between personal and professional accounts.
Over the next year, retail executives should expect to see a variety of tactics from hackers that will catch their employees, IT teams, contractors and vendors off guard. These attacks will bypass standard security protections such as email monitoring, SMS-based dual-factor authentication and VPNs, among others.
Chances are the next big retail breach will be caused by one of these four attacks:
As email security solutions get better at blocking traditional phishing messages, they are pushing cybercriminals to up the ante by impersonating real accounts.
Known as “CEO fraud,” this more sophisticated attack hijacks the persona of a top executive in order to carry out secondary phishing attacks on other key employees — as well as customers and vendors. This type of attack usually happens in one of two ways: the cybercriminal will actually hack the executive’s real work or personal email account, which allows them to bypass standard email protections and send more convincing phishing attacks; or the hacker will simply “spoof” the executive’s email without actually taking it over, although it will look the same to the recipient.
CEO fraud can be extremely convincing for employees (especially remote workers who have no physical access to the executive), since the communication comes from a trusted authority. These attacks frequently avoid triggering security alerts or spam warnings, and sophisticated hackers research their targets ahead of time to craft messages far more convincing than traditional spam email. Hackers may go further with a technique called “conversation hijacking,” inserting themselves into an earlier legitimate email thread to appear even more credible.
Another common tactic in these attacks is for hackers to begin the conversation in email and then transition it to another messaging channel where traditional security checks aren’t available — such as WhatsApp or SMS.
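As an added illustration (not part of the original article), the following Python checks a message's headers for the two CEO-fraud patterns described above: a spoofed From that carries the real corporate domain (which should fail DMARC at the receiving mail server), and a look-alike or free-mail address wearing an executive's display name. It also flags a Reply-To that redirects the conversation elsewhere, which is how the attacker keeps replies out of the real executive's inbox. The executive name, the domain example-retail.com and the four sample header sets are constructed for this example.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the executive whose name a finance team would
# trust, and the company's own sending domain.
CORPORATE_DOMAIN = "example-retail.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example-retail.com"}


def _levenshtein(a, b):
    """Plain edit distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _dmarc_result(auth_results):
    """Pull the dmarc=<result> token out of an Authentication-Results header."""
    m = re.search(r"\bdmarc=(\w+)", auth_results or "")
    return m.group(1).lower() if m else "none"


def classify_message(headers, executives=EXECUTIVES, corp_domain=CORPORATE_DOMAIN):
    """Return the set of impersonation indicators found in one message's headers.

    headers: dict with at least 'From'; optional 'Reply-To' and
    'Authentication-Results' (as written by the receiving mail server).
    """
    flags = set()
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    exec_addr = executives.get(name.strip())

    # Display name of a known executive, but the address is not theirs.
    if exec_addr and addr != exec_addr.lower():
        flags.add("display_name_impersonation")

    # Sender domain is a near miss of the corporate domain (a character or two off).
    if domain and domain != corp_domain and _levenshtein(domain, corp_domain) <= 2:
        flags.add("lookalike_domain")

    # A Reply-To that differs from the From address steers replies to a
    # mailbox the sender controls rather than the executive's real inbox.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr:
        flags.add("reply_to_mismatch")

    # A message claiming the corporate domain that the attacker cannot sign
    # for should fail DMARC; anything short of "pass" is suspicious.
    if domain == corp_domain and _dmarc_result(headers.get("Authentication-Results")) != "pass":
        flags.add("dmarc_not_pass")

    return flags


# Constructed sample headers covering the genuine case and three impersonations.
SAMPLE_MESSAGES = [
    # 1. Genuine message from the executive, authenticated by the mail server.
    {"From": "Jane Doe <jane.doe@example-retail.com>",
     "Authentication-Results": "mx.example-retail.com; spf=pass; dkim=pass; dmarc=pass"},
    # 2. Spoofed From on the real domain; DMARC fails, replies go to an outside mailbox.
    {"From": "Jane Doe <jane.doe@example-retail.com>",
     "Reply-To": "janedoe.ceo@webmail-example.test",
     "Authentication-Results": "mx.example-retail.com; spf=fail; dkim=none; dmarc=fail"},
    # 3. Look-alike domain (one letter changed) that the sender fully controls, so DMARC passes.
    {"From": "Jane Doe <jane.doe@example-retall.com>",
     "Authentication-Results": "mx.example-retail.com; spf=pass; dkim=pass; dmarc=pass"},
    # 4. Free-mail address with the executive's name ("writing from my personal account").
    {"From": "Jane Doe <jane.doe.exec@webmail-example.test>",
     "Authentication-Results": "mx.example-retail.com; spf=pass; dkim=pass; dmarc=pass"},
]


def scan(messages=SAMPLE_MESSAGES):
    """Classify each sample message; returns one sorted flag list per message."""
    return [sorted(classify_message(m)) for m in messages]


if __name__ == "__main__":
    for msg, flags in zip(SAMPLE_MESSAGES, scan()):
        print(msg["From"], "->", flags or "clean")
```

Message 3 is the case worth noting: DMARC passes because the look-alike domain is the attacker's own, so authentication results alone do not catch it; the display-name and edit-distance checks do. In a real mail pipeline, messages carrying any of these flags would be quarantined or tagged with a banner before reaching the finance team, and the policy step in the recommendations below (a prescribed process for payment requests) is what stops the ones that slip through.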
Hackers are also skipping the inbox altogether by moving to other digital platforms where there are fewer corporate monitoring tools in place to catch them.
Among the many alternatives to email, LinkedIn has emerged as a top choice among cybercriminals for targeting business executives, HR managers and sales teams with “spearphishing” attacks.
These attacks can be very sophisticated. Cybercriminals will build realistic LinkedIn profiles (often copied from legitimate users) to impersonate executives, product manufacturers, executive recruiters or job applicants, and they will cultivate a large network of connections to appear legitimate. These attacks may even leverage AI tools to create “synthetic” headshots that are difficult to identify as fakes.
The actual attack takes place in LinkedIn’s messaging channel, where the hacker will try to solicit information or get the victim to visit a malicious link. If clicked, this link may either infect the person’s device with malware, or it will steal their credentials by imitating a legitimate login page. While LinkedIn does scan attachments sent through its messaging channel for possible malware, sophisticated hackers may be able to beat this security check — or they will circumvent it by convincing the victim to move to another platform that does not have this type of security.
Although retailers are doing a better job of protecting company accounts from traditional password hacking, these accounts can still be vulnerable to another attack that skips the password altogether.
This attack is known as “pass-the-cookie,” and most companies overlook the threat. The attack can target any web browser-based account (such as email, Slack, etc.) by stealing the authentication or session “cookie” that a browser creates for the user so that they don’t have to log in each time.
By stealing this cookie, a hacker can then log in as the real user and essentially gain control of the account.
What makes this attack so dangerous is that it can bypass even a well-protected account. It is also invisible to both the victim and the company. Microsoft recently warned of a large-scale criminal campaign that used pass-the-cookie tactics to target more than 10,000 organizations.
Pass-the-cookie attacks are now increasingly common among cybercriminals, and they are getting easier for lower-skilled criminals as well, since many Dark Web forums sell stolen cookies.
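The following Python is an added example, not code from the article or from any product it mentions, showing the server-side control that blunts a stolen session cookie: the session store records the client context (browser identity and the /24 of the source address) at login and rejects the cookie, revokes it and raises an alert when the same cookie later arrives from a different context. The user name, addresses, browser string and fixed clock values are constructed for the walkthrough.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Server-side session table that binds each cookie to the client context
    seen at login. Constructed for this example, not a library API."""

    def __init__(self, idle_timeout=900):
        self.idle_timeout = idle_timeout      # seconds of inactivity before a cookie dies
        self._sessions = {}                   # cookie value -> session record
        self.alerts = []                      # what a SOC dashboard would receive

    @staticmethod
    def fingerprint(ip, user_agent):
        # Bind to the /24 rather than the exact IP so ordinary address churn does
        # not log users out; a cookie replayed from another network still differs.
        net = ".".join(ip.split(".")[:3])
        return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()

    def login(self, user, ip, user_agent, now=None):
        """Called only after password and MFA succeed; returns the cookie value."""
        now = time.time() if now is None else now
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = {
            "user": user,
            "fingerprint": self.fingerprint(ip, user_agent),
            "last_seen": now,
        }
        return cookie

    def check(self, cookie, ip, user_agent, now=None):
        """Validate a request's cookie; returns 'ok' or the reason it was rejected."""
        now = time.time() if now is None else now
        session = self._sessions.get(cookie)
        if session is None:
            return "no_session"
        if now - session["last_seen"] > self.idle_timeout:
            del self._sessions[cookie]
            return "expired"
        if self.fingerprint(ip, user_agent) != session["fingerprint"]:
            # The cookie itself is valid, but it arrives from a different client.
            # Revoke it server-side so the real user is pushed back through MFA,
            # and surface the event: this is the only signal the victim gets.
            del self._sessions[cookie]
            self.alerts.append((session["user"], "cookie reused from a new client context"))
            return "context_mismatch"
        session["last_seen"] = now
        return "ok"


def replay_scenario():
    """Walk through a cookie theft: legitimate use, then replay from elsewhere."""
    store = SessionStore(idle_timeout=900)
    t0 = 1_700_000_000                       # fixed clock so the run is deterministic
    office = ("203.0.113.7", "Mozilla/5.0 (Windows NT 10.0) Chrome/120")
    cookie = store.login("alice", *office, now=t0)
    outcomes = [
        store.check(cookie, *office, now=t0 + 60),                          # normal use
        store.check(cookie, "203.0.113.9", office[1], now=t0 + 120),        # new IP, same /24 and browser
        store.check(cookie, "198.51.100.23", "curl/8.4.0", now=t0 + 180),   # same cookie presented from another network
        store.check(cookie, *office, now=t0 + 240),                         # real user: session gone, must log in again
    ]
    return outcomes, store.alerts


if __name__ == "__main__":
    outcomes, alerts = replay_scenario()
    print(outcomes)
    print(alerts)
```

The third request shows why the article calls this attack invisible: the cookie is a complete credential, so without context binding the server would have answered "ok" and neither the user nor the company would have seen anything. The trade-off is that binding too tightly (exact IP, or both IP and browser on mobile networks) logs legitimate users out; the /24 choice here is a starting point, and short idle timeouts plus re-authentication for sensitive actions shorten the window in which a stolen cookie is useful at all.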
Dual-Factor Code Theft
Hackers are also learning how to bypass dual-factor authentication protections — by stealing these one-time codes.
One tactic that is increasingly popular among cybercriminals is the mobile phishing attack. In this attack, a hacker will often impersonate the company’s IT department via SMS or WhatsApp to trick an employee into sharing their account credentials and dual-factor authentication codes for an important IT service such as Office 365, VPNs, remote access or identity management platforms, on the pretense of updating their service or authenticating their account. A criminal campaign known as “0ktapus” breached over 130 organizations using this attack in 2022, including many prominent brands such as Twilio and DoorDash.
Similarly, hackers can also target multi-factor authentication (MFA) apps using a tactic known as the “MFA fatigue attack.” In this attack, the hacker already has the employee’s account login credentials, so to overcome the required MFA approval, he or she simply bombards the employee with auto-generated approval requests in the app until the person becomes so annoyed or overwhelmed that they click to accept the request in order to stop the deluge of prompts.
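An MFA fatigue attack leaves a distinctive trace in the authentication provider's push log: a run of denied or unanswered prompts for one user in a short span, sometimes ending in an approval. The following Python is an added example (not part of the article and not any vendor's detection rule) that runs over a constructed push log, raises one alert when a user accumulates five rejected prompts inside a ten-minute window, and a second, higher-severity alert when an approval follows such a run, since that is the moment a worn-down employee gives in. The log lines, user names and thresholds are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed push-notification log for this example (not real telemetry).
CONSTRUCTED_PUSH_LOG = """\
2023-11-14T08:01:02Z user=bob result=approved ip=203.0.113.7
2023-11-14T22:14:05Z user=alice result=denied ip=198.51.100.23
2023-11-14T22:14:41Z user=alice result=timeout ip=198.51.100.23
2023-11-14T22:15:20Z user=alice result=denied ip=198.51.100.23
2023-11-14T22:16:02Z user=alice result=denied ip=198.51.100.23
2023-11-14T22:16:55Z user=alice result=timeout ip=198.51.100.23
2023-11-14T22:17:30Z user=alice result=denied ip=198.51.100.23
2023-11-14T22:19:10Z user=alice result=approved ip=198.51.100.23
2023-11-14T22:30:00Z user=carol result=denied ip=192.0.2.4
2023-11-14T22:31:00Z user=carol result=approved ip=192.0.2.4
"""


def parse_line(line):
    """'<iso-ts> key=value ...' -> dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_mfa_fatigue(log_text, burst_threshold=5, approve_after=3,
                       window=timedelta(minutes=10)):
    """Return alerts for users being bombarded with push prompts.

    push_bombing:        >= burst_threshold denied/timed-out prompts within `window`
    approve_after_burst: an approval that follows >= approve_after rejections,
                         i.e. the pattern of a user giving in; treat the new
                         session as compromised until verified with the user.
    """
    alerts = []
    recent = defaultdict(deque)     # user -> rejected prompts still inside the window
    already_flagged = set()         # one push_bombing alert per user, not one per prompt
    for event in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        user, queue = event["user"], recent[event["user"]]
        while queue and event["ts"] - queue[0]["ts"] > window:
            queue.popleft()         # slide the window forward
        if event["result"] in ("denied", "timeout"):
            queue.append(event)
            if len(queue) >= burst_threshold and user not in already_flagged:
                already_flagged.add(user)
                alerts.append({"type": "push_bombing", "user": user,
                               "count": len(queue), "at": event["ts"], "ip": event["ip"]})
        elif event["result"] == "approved":
            if len(queue) >= approve_after:
                alerts.append({"type": "approve_after_burst", "user": user,
                               "count": len(queue), "at": event["ts"], "ip": event["ip"]})
            queue.clear()           # an approval ends the current run of prompts
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(CONSTRUCTED_PUSH_LOG):
        print(f"{alert['at']:%H:%M:%S} {alert['type']:<20} user={alert['user']} "
              f"prompts={alert['count']} from={alert['ip']}")
```

Carol's single denial followed by an approval produces nothing, which is the normal "fat-fingered the first prompt" pattern; Alice's sequence produces both alerts. The useful response to an approve_after_burst alert is to revoke the session that approval created and confirm with the employee through a channel the attacker is not on, since the attacker already holds the password at that point.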
How to Reduce Your Risk
All four of these attacks are in wide use today and retailers should be planning for how – not if – they will impact their organizations.
Since these attacks undermine the traditional security tools that most companies rely on, it’s important for retail executives to ensure their organizations have a layered defense strategy that is more resilient to these changing tactics. Here are some key measures companies should take:
- Have strict, well-understood company policies in place for how sensitive tasks, such as payment authorizations, IT updates, password reset requests and document requests, are to be handled by employees, executives and IT teams. Each should have a prescribed process that must be followed, with dual authentication mandatory.
- Transition the company away from SMS as the means for receiving dual-factor authentication codes. Use MFA apps instead since they are less susceptible to theft, spoofing and phishing attacks.
- Avoid using the browser-based version of important communication or work management services. Only use the web app or mobile app version.
- No single employee should have any more access to the company network, accounts or sensitive data than is required. Access should be regularly scrutinized and any unused — or “zombie” — accounts should be eliminated.
- Assume any online platform used by the workforce to communicate and manage projects will be breached at some point. To offset the potential damage, make sure all files uploaded and shared are encrypted, with unlock codes sent via a separate secure channel. Employee teams should also remain as segmented as possible within these platforms to avoid a wider ranging breach.
- Increase the security of executives’ home networks by hardening the modem/router, segmenting the WiFi network to avoid riskier devices (e.g., child’s game console), having the home “penetration tested,” installing antivirus on all devices and ensuring all devices are kept up to date.
Dr. Chris Pierson, CEO and Founder of BlackCloak, served for over a decade on the U.S. Department of Homeland Security’s Privacy Committee and Cybersecurity Subcommittee. He is the former president of the Federal Bureau of Investigation’s Arizona InfraGard and the former Chief Privacy Officer for Royal Bank of Scotland’s U.S. operations, and past CISO for two fintechs. Dr. Pierson is also a Distinguished Fellow of the Ponemon Institute.