Threat Actors Put $1 Trillion Shopping Season in Their Sights

Ransomware remains a lucrative strategy for threat actors, but extortion that targets retail during the holiday season could be quite lucrative for ransomware groups. 

Retail can be a juicy target for cyberattacks year-round, and that risk -- for retailers, their supply chain, and their consumers -- is amplified during the holidays. This year, online and in-store retail sales in the US could add up to more than $1 trillion, according to research and advisory company Forrester. And where that much money is flowing, cyber threat actors are always looking for their slice of the pie. 

Nearly 12,000 people reported cybersecurity scams to the FBI’s Internet Crime Complaint Center (IC3) during last year’s holiday season. Those scams resulted in more than $73 million in losses, according to the Cybersecurity and infrastructure Security Agency (CISA). The average cost of a data breach in the retail space is $3.48 million, according to IBM’s Cost of a Data Breach Report 2024.

What are some of the top threats facing the retail industry? How can enterprise leaders in this sector protect their organizations and their consumers?  

Retail Risks 

The retail industry is no stranger to large-scale data breaches and the need to respond fast is critical this time of year. “You could imagine a bad actor coming in and trying to take over retailer systems … with the expectation that the retailer may want to pay very quickly to handle the ransomware attack to get their systems back online so they don't lose out,” says Sean McNee, vice president of research and data at DomainTools, an internet intelligence company.   

Related:The Importance of Empowering CFOs Against Cyber Threats

Financially motivated threat actors can unearth and exfiltrate a trove of valuable personal information when they successfully breach a retailer or one of its vendors.  

“The complex design of ecommerce platforms, featuring dynamic websites and applications, increases the risk of information leaks due to poorly secured APIs, mismanaged user input, and inadequate data management practices,” Shobhit Gautam, staff solutions architect at security platform HackerOne, tells InformationWeek in an email interview.  

Data stolen from retailers is a valuable tool for fraudsters. Phishing and smishing are tried and true tactics that target consumers. Threat actors posing as legitimate retailers or delivery services, for example, will text consumers requesting personal information that enables theft.  

Brand impersonation campaigns can also lure victims with promises of earning cash. Threat actors will pose as a major retailer, like Amazon or Walmart, and offer people the possibility of remote work.  

Related:5 Questions Your Data Protection Vendor Hopes You Don’t Ask

“What they're doing is stringing you along, making you think you have a job so you can earn some extra cash for the holiday season. Instead, they're just taking your money and running,” says McNee.  

Web skimming attacks are another common tactic. “Magecart is an umbrella term for various cybercriminal groups specializing in web skimming attacks. These groups inject malicious JavaScript code into ecommerce websites to steal payment card information during checkout,” Gautam explains.  

GenAI adds another dimension to the onslaught of attacks faced by retail and other industries. The technology can make phishing lures and sites much more convincing. Threat actors can also use AI in brute force attacks. 

“AI can leverage botnets to carry out brute force attacks on gift card websites that can test thousands of card numbers and pin combinations per minute. This allows threat actors to exploit gift card balances and deplete account funds,” says Gautam. 

Successful attacks in the retail space can result in consumer fraud, downtime for stores, lost revenue, and lasting brand damage.  

Threat Actors  

While GenAI empowers more threat actors with low technical skills, there are a number of larger groups known for targeting retail. For example, LockBit and Play are two ransomware gangs known for attacking the retail sector, according to cybersecurity company Trustwave.  

Related:Facing the Specter of Cyber Threats During the Holidays

While law enforcement disrupted LockBit earlier this year, the group quickly reemerged. “LockBit … may be trying to target the retail sector this season try to make some quick cash,” says McNee.  

Some threat groups out of China are angling for Black Friday shoppers, leveraging phishing to their advantage. Threat intelligence company EclecticIQ highlighted a campaign run by SilkSpecter, for example. 

While financial motivation is a major factor, other threat actors could target the retail space simply to gain attention. McNee points to current geopolitical tensions and the possibility of politically motivated cyber actors targeting retail to amplify their message. “Given the geopolitical landscape that we live in now and have moved across for the last year or two, it would not surprise me to see some sort of attempt happen this holiday season,” he says.  

Retail Response 

With billions of dollars of revenue and consumer trust hanging in the balance, how can retail organizations navigate a season of busy shoppers and busy threat actors? 

While holiday shopping may mean cyber threats are ramped up, the foundation for defense is the same. “I can't say there's some silver bullet this time of year to preventing things. Compliance and security are a 365 days a year thing,” says Brent Johnson, CISO of Bluefin, a payment and data security solutions company.  

Johnson notes the shift some retailers are making to end-to-end encrypted and tokenized payments.  

“Make sure merchants [are] aware these products exist,” he urges. “That way they're not really targets of fraud or targets of breaches because they just don't have the data anymore.”  

Retailers have the responsibility to protect their consumers’ data and to keep them informed about the risks they face from threat actors.  

“Retailers could … spend some time reviewing social media platforms to see … if people are complaining about fraudulent messaging or bad actors pretending to be related to [their] brand,” says McNee. Retailers can work to educate their consumers on ways to recognize those impersonation and fraud attempts.  

Even retail organizations with strong cybersecurity defenses can still fall prey to persistent threat actors. When that does happen, it is essential that enterprises have thorough and tested incident response plans in place to mitigate the length and severity of an attack.  

“These are all best practices but ones that can really make a difference during this holiday season,” says McNee.