Verizon Data Breach Report 2023: How Bad is it for Retail?
Each year Verizon puts out a comprehensive report on the latest trends in cybersecurity attacks, and for the 2022-23 period covered by its June 6 release, the picture it paints for the online retail sector is of a worsening situation.
Retail Has It Tough
While it’s true that payment card breaches have been trending down since 2018, in the last year they’ve taken a sharp upturn. Cybercriminals continued to steal payment card data from retailers, and they used their old favorite, Magecart attacks, in 18% of all cases. Visa recently added weight to this statistic when it noted that such attacks have increased by 176% over the last six months, and Recorded Future reported that up to 10,000 sites were breached by them last year. The report notes that this is an extra burden that retail carries on top of the ransomware and basic web application attacks suffered by every sector.
The 2023 report reveals that 406 data breaches affected the retail industry, and 193 of these cases involved data loss. System intrusion, social engineering, and basic web application attacks accounted for 88% of these incursions. 37% of the data that thieves made off with was payment information, 35% was listed as ‘credentials’, 32% was ‘other’, and 23% was personal information.
It comes as no surprise that the lion’s share of the data is payment information because the report also states that the leading motivation for all data breaches at 94.7% continues to be money (and snagging credentials and personal information will certainly help in that regard too). 100% of retail website attackers are in it for the money, so while we may hear reports about state-sponsored espionage being behind a lot of attacks, Verizon’s statistics suggest that most are simply after cash.
The report also reveals that close to 75% of all attacks are carried out by organized criminals, which is bad news because most professional attackers are highly determined and not just kids engaged in a little cyber vandalism.
The report says that online retailers are still very much “…lucrative targets for cybercriminals.”
Magecart: Still Popular
Because breaches of this type don’t affect the functionality of your website, intruders can go about their business stealing customers’ payment data undetected. Without enterprise-level continuous monitoring, breaches of this sort go unnoticed for an average of 212 days—time enough for such attacks to inflict a huge amount of damage.
We can take a guess here as to how they do it because stealing access credentials is still the most popular initial attack strategy for gaining entry into an organization’s network. This is a reminder that social engineering, otherwise known as tricking people into handing over information by exploiting human fallibility, will probably always be the path of least resistance for attackers.
The report puts it a bit more kindly, talking about “…tactics used by threat actors that leverage our innate helpful nature to manipulate and victimize us.” These attackers add a false sense of urgency, pressing us to reply or to perform some action. They might fake a request from some authority or tap into existing communication channels to make their requests.
The 2023 VDBR notes that social engineering was used as an attack vector in 17% of breaches, and it mentions a more recent type of social engineering attack called pretexting, so named because the attacker creates a pretext or situation and uses it to influence the victim to hand over information that they normally wouldn’t give to anyone outside of that situation.
You may have come across early, primitive versions of this type of approach in the form of phishing emails. The sender usually claims to be a rich person who will be moving to your country from overseas. They say they need to move their money between countries, and if you’ll only give them your bank details to help them do that, they will reward you for your trouble with a nice percentage.
Since these unsophisticated attempts, attackers have been fine-tuning their strategies, shortening the time that it takes from initial contact to when a target becomes a victim. One of the main things the report says they are after is stolen privileged access credentials to systems where they can blend in unnoticed. Verizon discovered that the percentage of stolen credentials used in all data breaches went up from 41.6% to 44.7% over the year, and pretexting use has doubled.
Once they are ‘in’, the attackers have lots of options. They can steal credit card data for themselves or sell it to others on the Dark Web (and the report says that around 35% of them do so), or they can hold the business hostage with ransomware (as around 40% do). 83% of ransomware victims pay up, handing over an average of $925k.
This year’s VDBR makes it clear that the retail sector remains a prime target for threat actors who are looking to exploit payment pages to steal customer card details. The number of attacks is rising again, and threat actors are refining their methods, so the need to protect retail websites with an advanced risk detection and mitigation platform like Reflectiz is more important than ever. Try it today and protect your business from becoming a statistic in next year’s report.