The following story shows what happens when loyalty cards are stolen and sold on the Dark Web. While Tech Town is not a real company, the challenges they face are shared by organizations in all industries.
Jake was hired to work over the holidays at one of the two Tech Town stores in the city. A number of temporary staff were hired for their store operations, but Jake is trained as a cashier. It is his third week on the job.
Jake does not usually shop on Black Friday, but he has been prepared by management to expect the worst. Crowded aisles, impatient customers, slow payment processing: it is one of their busiest shopping days, and it is not unusual to experience minor hiccups throughout the day.
As the day unfolds, customer after customer files by his register and he rings through their purchases. Tech Town also allows customers to collect and redeem loyalty points. More so than on any other day, Jake starts to notice a trend of purchases paid for through this loyalty program. Several other cashiers notice this trend as well, but there is no time to speculate when they are this backed up with customers.
The Social Imposter
The social media accounts for Tech Town are managed entirely by Denise, a junior member of the marketing team. Denise uses a social media management platform to schedule her posts, communicate with followers, and listen for mentions of her brand. She looks at positive and negative posts and brings serious ones to the Director of Marketing’s attention.
While Denise monitors for negative brand mentions, it is only by chance that she spots an imposter social media account. It is already past 10:00 am and the day is well underway. Judging by its feed, the imposter account has been live for at least a few days. Since it is sharing links to the Tech Town website, she debates what she should do next.
Around this time, the customer service team is starting to receive strange complaints from customers. They are reporting issues with the website including difficulties logging in, accessing their shopping lists, and making purchases.
Jane, the Team Leader on the floor that day, is alerted to the complaints and checks the site to see if the issues are present. Unable to reproduce them, she sends a request to the IT team to investigate.
Tracing The Threat
Meanwhile, Denise pops her head into the IT office. As she relays her story about the imposter social media account, Alonzo looks immediately worried. As the Security Administrator for Tech Town’s website, he knows an imposter account can cause serious problems and, worst-case scenario, it might explain some of the reported issues with the website.
Alonzo and his team check on a fairly regular basis to make sure Tech Town’s brand is not being targeted or impersonated online. It’s possible the account went live after their last check, or it was missed entirely.
As he investigates the social media imposter, his fears are confirmed. The website it is linking to is not the Tech Town website. It is a look-alike site, a phishing site, used to obtain Tech Town customer credentials. It could not have happened on a worse day, and Alonzo knows he needs to act fast to mitigate the risks. A threat like this, on Black Friday, would affect not just his department but the organization as a whole.
By the time the executive team is informed the following week, the imposter social account and website have already been taken down. Jake's store was not the only one seeing a huge increase in in-store payments made from loyalty accounts that weekend. Tech Town's other store in the city was also hit, as well as locations throughout the state. Alonzo's team is still investigating the incident, and while the site has been taken down, they still have only part of the story. Denise was able to alert customers on social media to the imposter account, but customers were not made fully aware of the problem. Customer complaints continue to flood in.
Can you guess the real problem?
The Real Problem
Denise was the first person to identify the problem, but she was only half right. The website used by the social media imposter was not, in fact, the Tech Town website. Had she noticed this immediately, she might have recognized the urgency of the situation. Unfortunately, this fact was only discovered by Alonzo. Even then, Alonzo was so focused on resolving the website problems that he did not account for the loyalty program, which was handled separately from the website. Most Tech Town customers used the same password for both accounts, and loyalty points were the real goal.
Here is what happened: An imposter social media account helped promote a phishing site in the week leading up to the incident. The phishing site, which was shared and used by many Tech Town customers as they planned their Black Friday purchases, collected a large number of account credentials. These were then used to access customer loyalty accounts on a separate site. The loyalty points redeemed in Tech Town stores that day came in large part from this hack. This is an example of organized retail crime.
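The signal the cashiers noticed, a sudden surge in loyalty-point tenders, is something the loyalty system could have flagged on its own. The following is an added example, not code from the original story or from any Tech Town system: it compares each store's share of loyalty-tender transactions on a watch day against its recent baseline, using constructed register records, and flags stores where that share jumps well above normal.

```python
from collections import defaultdict

def make_txns(store, day, loyalty, card):
    """Build constructed register records as (store, day, tender) tuples."""
    return [(store, day, "loyalty")] * loyalty + [(store, day, "card")] * card

# Constructed sample: two quiet days, then a day where store-1 sees a
# surge of loyalty-point tenders while store-2 stays near its norm.
BASELINE_DAYS = ["2019-11-27", "2019-11-28"]
WATCH_DAY = "2019-11-29"
SAMPLE_TXNS = (
    make_txns("store-1", "2019-11-27", 5, 95) + make_txns("store-1", "2019-11-28", 5, 95)
    + make_txns("store-2", "2019-11-27", 5, 95) + make_txns("store-2", "2019-11-28", 5, 95)
    + make_txns("store-1", WATCH_DAY, 40, 160)   # loyalty share jumps to 20%
    + make_txns("store-2", WATCH_DAY, 12, 188)   # loyalty share 6%, within noise
)

def loyalty_counts(txns):
    """Return {(store, day): (loyalty_tender_count, total_count)}."""
    counts = defaultdict(lambda: [0, 0])
    for store, day, tender in txns:
        counts[(store, day)][1] += 1
        if tender == "loyalty":
            counts[(store, day)][0] += 1
    return {key: (val[0], val[1]) for key, val in counts.items()}

def flag_redemption_spikes(txns, baseline_days, watch_day, ratio=3.0, min_txns=20):
    """Flag stores whose loyalty-tender share on watch_day is more than
    `ratio` times their baseline share. Returns {store: multiplier}."""
    counts = loyalty_counts(txns)
    alerts = {}
    for store in {s for s, _ in counts}:
        base_loy = sum(counts.get((store, d), (0, 0))[0] for d in baseline_days)
        base_tot = sum(counts.get((store, d), (0, 0))[1] for d in baseline_days)
        day_loy, day_tot = counts.get((store, watch_day), (0, 0))
        if base_tot == 0 or day_tot < min_txns:
            continue  # not enough history or volume to judge
        base_share = max(base_loy / base_tot, 0.01)  # floor avoids divide-by-zero
        day_share = day_loy / day_tot
        if day_share > ratio * base_share:
            alerts[store] = round(day_share / base_share, 1)
    return alerts

if __name__ == "__main__":
    print(flag_redemption_spikes(SAMPLE_TXNS, BASELINE_DAYS, WATCH_DAY))  # {'store-1': 4.0}
```

The ratio and minimum-volume thresholds are assumptions; a real deployment would tune them per store and feed the alert to the same team that handles website incidents, which is the gap the story describes.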
Where They Went Wrong
- No security culture: Tech Town does not provide security awareness training to all employees. Without the right level of awareness of potential security threats, the left hand did not know what the right hand was doing.
- Manually searching for threats: Manually searching for threats to the Tech Town brand is time-consuming and ineffective. The Internet is vast and there is a growing number of threats being perpetrated across industries, including retail, by increasingly sophisticated and well-funded bad actors. In simple terms, it is not humanly possible to manually search the Internet for threat intelligence. Despite their best intentions, Alonzo’s team was not set up for success.
- Lack of resources: Tech Town is not as big as some of its competitors. They have a lean department to oversee cybersecurity and threat intelligence. They have technology that is intended to secure their network and sites, but they do not have the time or resources to investigate potential threats to their customers and the Tech Town brand across the Internet.
What They Could Have Done Differently
Security operations are evolving, and are currently in a state of flux, moving too slowly to keep up with the rate of technological advancement. Common ground is needed to ensure nothing falls through the cracks. Where security operations converge, threat intelligence provides the common ground.
Organizations must be committed to learning about the role security plays across departments, and how they impact each other. Cybercriminals devote their resources to research and discovery of new offensive measures. Strategies and technologies based on previous cyber-attacks are not yielding the desired results. Cybersecurity professionals need to safeguard against all known vulnerabilities, whereas cybercriminals need only exploit a single vulnerability, known or unknown. Hacker intelligence has an important role to play in closing the gap between cybersecurity professionals and cybercriminals by identifying potential instances of brand impersonation, Internet chatter related to a targeted attack, potential data breaches, and other threats that leave a trail on the Internet.
Approaching threats in the age of interconnectedness can only be done with an open mind. Organizations spend considerable resources on defensive measures, but threat actors are able to devote their resources to innovate new offensive and attack measures. Continuing focus on infrastructure upgrades based on past attacks will not always yield results. Organizations must collect up to date threat intelligence to keep up with the dynamic behavior of threat actors.
Addressing security risks holistically across the entire organization ensures that the focus is on all the different parts of the system working together, rather than on distinct parts functioning alone. Media Sonar recently launched Threat Models to support the growing need for threat detection and intelligence. Threat Models detects risks to critical and protected assets and automatically collects threat intelligence data and threat actor information. Developed as an operational hub for security intelligence that blurs the boundaries between cyber and physical security, Threat Models uses Internet data and chatter to help organizations learn, challenge assumptions, and triangulate in order to reduce vulnerabilities and, ultimately, successful attacks.