From the back office to the till: Cybersecurity challenges facing global retailers

How well retailers can manage the surge in cyberthreats may be crucial for their prospects in a post‑pandemic world

It’s hardly surprising that the retail sector is one of the most frequently targeted globally, with retail sales in the US alone projected to top $5.2 trillion in 2022. Consumers’ money and data have for years been a big potential prize for cybercriminals to get their hands on, and the surge in digital investment and online shoppers prompted by the pandemic has only made retail a more attractive prospect for would-be hackers. Malicious insiders, negligent staff and misconfigured or vulnerable software across networks, endpoints and point of sale (POS) devices have all widened the corporate attack surface over the years.

In this context, cybersecurity plays a critical role in protecting customers’ personal and financial data, keeping ransomware at bay and preserving brand reputation. Ultimately it is a means of seizing opportunity – the opportunity to drive closer customer engagement and grow business.

As a new report from ESET makes abundantly clear, the pandemic has already had an outsize impact on the sector. How well retailers can manage the surge in online threats may define their long-term success in a post-pandemic world.

What’s at stake?

COVID-19 has helped to transform retail organizations from the back office to the POS terminal. It’s also exposed them to new cyber-risks. Mass remote working made tools like Microsoft Exchange and Kaseya more popular for communication and IT management. They were duly exploited en masse for data theft and extortion.

More broadly, retailers are exposed at multiple points in their IT infrastructure, including customer databases, POS terminals, marketing automation, web search optimization tools, and payment processing platforms and services. We’ve seen everything from phishing to ransomware, man-in-the-middle attacks to SIM swapping and spoofed mobile apps. In fact, the tactics, techniques and procedures (TTPs) used more broadly in COVID-themed attacks are all present in targeted campaigns against retail customers and businesses.

From POS to e-commerce

POS was traditionally the number one target for data-hungry attackers – most notably in the high-profile breaches of tens of millions of accounts at Target and Home Depot several years back. There’s still a threat here today, as we saw with the discovery of the ModPipe POS malware and the impact of the Kaseya supply chain attacks on some retailers’ POS systems. However, the widespread adoption of EMV cards – which can’t be cloned as easily using stolen POS data – and new systems like Apple Pay are starting to force more malicious activity online.

That general trend was given a huge push with the advent of COVID-19, with online sales rising from 16% to 19% of total retail sales in 2020. Here’s a snapshot of some typical e-commerce threats today:

  • Magecart-style digital card skimming malware has become a major risk to online retailers. One gang compromised over 2,800 digital stores in just a few days. Another skimming campaign resulted in a £20 million fine for British Airways.
  • More sophisticated card-stealing malware has even been found lurking in CSS files, social media sharing icons, and favicon metadata in a bid to outwit security tools.
  • IIStealer malware, discovered by ESET researchers, is a particularly sophisticated way to steal customer credit cards. It compromises web servers, waiting for users to check out and pay for items. After saving the related credit card information without impacting the user experience, the malware exfiltrates the data to the attackers, hiding it in legitimate website traffic. In this instance, even the HTTPS padlock is no protection for users, as IIStealer waits for requests to be decrypted on the server side before logging information from them.
  • E-commerce plugin malware, such as a 2020 campaign that exploited security bugs in the WordPress plugin WooCommerce to gain access to the website’s database.

Protecting e-commerce servers

For retailers, these risks are heightened by the presence of rigorous data protection regulations like the GDPR and the Californian CCPA, alongside industry data security standard PCI DSS. Non-compliance could result in major fines and reputational damage, leading to customer churn – a serious risk in an industry where loyalty is hard won but easily lost.

There are no silver bullets for solving these challenges. And best-practice cybersecurity should have multiple layers to it, from the end user to the endpoint. But at a high level, retail IT security teams can help to mitigate some of these risks by better securing their back-end e-commerce servers. Consider the following:

  • Use dedicated accounts with strong, unique passwords for admins
  • Require multifactor authentication (MFA) on all administrative and more privileged accounts for extra protection
  • Regularly update the server’s operating system and applications, and carefully consider which services are exposed to the internet to reduce the risk of exploitation
  • Protect customer data at rest with encryption, which will render it useless to thieves
  • Consider using a web application firewall, as well as a reputable security solution on your server
  • Deploy robust, multi-layered endpoint defenses to prevent, detect, and respond to threats
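One concrete check behind the last two bullets, tied to the IIStealer case above: IIStealer is a native IIS module (per ESET’s research), and every native module an IIS server loads is registered under globalModules in applicationHost.config, so a server that should only be running Microsoft’s own modules can be triaged by auditing that list against the directories those modules are normally loaded from. The script below is an added example, not code from the article or from ESET; the config it parses is constructed, and the rogue entry’s name and DLL path are placeholders, not real indicators.

```python
import xml.etree.ElementTree as ET

# Directories Microsoft's own native IIS modules are registered from in a
# stock applicationHost.config (compared case-insensitively).
TRUSTED_PREFIXES = (
    "%windir%\\system32\\inetsrv\\",
    "%windir%\\microsoft.net\\framework",   # also matches framework64
)

def _normalise(path: str) -> str:
    return path.strip().lower().replace("/", "\\")

def find_untrusted_modules(config_xml: str, trusted_prefixes=TRUSTED_PREFIXES):
    """Return [(name, image)] for every <globalModules><add> entry whose DLL
    path does not start with a trusted prefix.  This is a triage baseline, not
    proof: a DLL dropped into inetsrv under a plausible name passes this check,
    so pair it with Authenticode/hash verification of the listed images."""
    root = ET.fromstring(config_xml)
    section = root.find("system.webServer/globalModules")
    if section is None:          # no native modules registered: nothing to flag
        return []
    flagged = []
    for entry in section.findall("add"):
        name, image = entry.get("name", ""), entry.get("image", "")
        if not _normalise(image).startswith(trusted_prefixes):
            flagged.append((name, image))
    return flagged

# Constructed sample config: two genuine IIS entries plus one placeholder rogue
# module whose name mimics a legitimate one but loads from outside inetsrv.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticCompressionModule" image="%windir%\System32\inetsrv\compstat.dll" />
      <add name="UriCacheModuleEx" image="C:\inetpub\temp\uricacheex.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for name, image in find_untrusted_modules(SAMPLE_CONFIG):
        print(f"REVIEW: native module {name!r} loads from {image}")
```

On a live host the same function can be run over the real file at %windir%\System32\inetsrv\config\applicationHost.config, and any flagged entry should be compared with a known-good baseline taken before deployment.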

Retailer IT environments span everything from back-end logistics and CRM to the front-end e-commerce store and POS terminals in brick-and-mortar stores. That’s a large target for the bad guys to aim at. As online business continues to grow and digitally transform, the key to competitive advantage will increasingly be defined by how well risk-based cybersecurity strategies stack up.