Spotlight on R-CISC Member: SpyCloud: How the Grinch Stole Your Customer’s Account

It’s mid-November and the hectic holiday season is top of mind for many organizations. There are only a few more days before the threat level increases. As early deal-hunters start to strategize ahead of Black Friday and Cyber Monday, cyber criminals are strategizing too, counting on the fact that security teams will be taking time off. With fraud levels already at an all-time high for sectors traditionally hit hard by holiday fraudsters (such as Retail, and Media and Entertainment), it’s never too early to prepare.

‘Tis the season to be vigilant

The increased risk of account takeover and other types of fraud during the holidays is no big surprise. According to electronic payments solution provider ACI Worldwide, twice as many fraud attempts were observed between Thanksgiving Day and December 31, 2016 as were during those same dates in 2015. In their January 2017 report, ACI reported that fraud attempts were observed in greatest concentration on Christmas Eve and on Shipment Cut-Off days. This may suggest that criminals are indeed going after last-minute shoppers making purchases as the season winds down.

Further, as the holidays approach, your organization is laser-focused on revenue. Many organizations enter into a lockdown period – a time when they do not allow changes to their infrastructure to minimize impact on payment processing systems.  While this can ensure stability for incoming revenue, it can spell trouble during a security incident by limiting the ability to react quickly. That’s why it pays to have account takeover (ATO) prevention in place before the ability to implement new security features is diminished.

How does the Grinch do it?

The sequence of events that follows a breach has become fairly predictable, and it leads to secondary ATO compromises on a variety of unrelated sites.

1. A breach occurs, or a site is compromised in some other manner.

2. The threat actor acquires the leaked credentials directly from the breach, or purchases pre-assembled lists of username/password pairs (combo lists) on an underground market. Some underground sites even advertise the expected success rates of their combo lists.

3. The criminal loads the combo list into an automated credential stuffing tool and, with the help of botnets, tests the stolen credentials against many other sites at once (for instance banking, gift card, or online marketplace sites). One credential stuffing tool that has gained popularity for its ease of use is Sentry MBA.

4. Upon each successful login, the attacker can commit account fraud, send spam, and steal PII.

How are attackers getting in so easily? Attackers typically see success rates of up to about 2% when they test leaked credentials against other accounts belonging to the same users, and the reason is one simple thing: password reuse.
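Seen from the targeted site’s own authentication logs, the stuffing run described in the steps above has a recognisable shape: one source replays a combo list, so it touches many distinct usernames in a short window and almost every attempt fails, which is the roughly 2% success rate just mentioned from the defender’s side. The Python below is an added example written for this page, not code from SpyCloud or from the original post. The log line format, the sample traffic and the thresholds are constructed assumptions to be tuned against real traffic.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example: one source replaying a combo list touches many distinct
usernames in a short window and almost all attempts fail. The log line
format and the sample traffic are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO timestamp> ip=<src> user=<login> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Yield (timestamp, ip, user, succeeded) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "ok"


def stuffing_sources(lines, window=timedelta(minutes=10), min_users=20, max_success_rate=0.10):
    """Return {ip: stats} for sources that, within any `window`, attempted at
    least `min_users` distinct accounts with a success rate <= max_success_rate.
    The thresholds are assumptions; tune them against your own traffic."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(lines):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        user_counts = defaultdict(int)   # distinct users currently inside the window
        successes = 0
        start = 0
        for end, (ts, user, ok) in enumerate(events):
            user_counts[user] += 1
            successes += ok
            # slide the window: evict attempts older than `window`
            while events[start][0] < ts - window:
                _old_ts, old_user, old_ok = events[start]
                user_counts[old_user] -= 1
                if user_counts[old_user] == 0:
                    del user_counts[old_user]
                successes -= old_ok
                start += 1
            attempts = end - start + 1
            rate = successes / attempts
            if len(user_counts) >= min_users and rate <= max_success_rate:
                prev = flagged.get(ip)
                if prev is None or attempts > prev["attempts"]:
                    flagged[ip] = {
                        "attempts": attempts,
                        "distinct_users": len(user_counts),
                        "success_rate": round(rate, 3),
                        "window_end": ts.isoformat(),
                    }
    return flagged


def build_sample_log():
    """Constructed sample traffic, not real data. 203.0.113.7 replays a
    40-account combo list in four minutes with a single hit; 198.51.100.4 is a
    user who mistypes once; 192.0.2.9 is an office NAT where eight staff log in."""
    t0 = datetime(2017, 11, 24, 2, 0, 0)
    lines = []
    for i in range(40):
        ts = t0 + timedelta(seconds=6 * i)
        result = "ok" if i == 17 else "fail"
        lines.append(f"{ts.isoformat()} ip=203.0.113.7 user=user{i:02d}@example.com result={result}")
    lines.append(f"{(t0 + timedelta(seconds=30)).isoformat()} ip=198.51.100.4 user=alice@example.com result=fail")
    lines.append(f"{(t0 + timedelta(seconds=45)).isoformat()} ip=198.51.100.4 user=alice@example.com result=ok")
    for i in range(8):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} ip=192.0.2.9 user=staff{i}@example.com result=ok")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, stats in stuffing_sources(build_sample_log()).items():
        print(ip, stats)
```

The distinct-user count is what separates a stuffing run from a brute-force attack on one account or from a busy office NAT: the NAT shows many users but a normal success rate, the brute force shows many failures but one user. Per-IP counting is a starting point only; distributed runs spread over a botnet need the same statistics keyed on a user-agent or device fingerprint as well.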

It’s actually surprising that the success rate isn’t higher. A recent password-use study of roughly 1 billion leaked user accounts concluded that 20% of users were reusing passwords and 27% of users used a password that was nearly identical to one of their other account passwords. Because password reuse is so rampant across all industries, threat actors can usually expect a decent return on their investment when purchasing fresh credential dumps on the black market.

How can SpyCloud help?

At SpyCloud, we aim to empower our customers with actionable, proactive solutions: we automate ATO prevention and tell them about their exposure so that they can remediate potential problems before they occur. Our researchers have deep expertise in the tactics used by threat actors. We routinely see credentials, along with a victim’s PII, for sale on dark net markets and within private communities. This information translates directly into identity theft, as the use of these compromised credentials can be automated to scale attacks to massive levels.

Our team of researchers discovers and recovers stolen credentials and other assets primarily through human intelligence collection and analysis. Each month, we acquire hundreds of millions of records from the dark corners of the internet. These records impact individuals and organizations globally. We validate and ingest these records into a central database, then analyze and match the assets which correspond to items in our customers’ watchlists. When we find a match, we force a password reset and notify our customers immediately so that they can mitigate damage proactively.
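On the receiving end, matching exposed records against a watchlist and then deciding whether the leaked password, or a close variant of it (the “nearly identical” reuse the study above describes), is the password the user currently has on your own site can be automated. The Python below is an added example written for this page; it is not SpyCloud’s code or an API of theirs. The breach records, the customer domain watchlist and the user store are constructed, the hashing is PBKDF2-HMAC-SHA256 with a deliberately low iteration count, and the mangling rules in password_variants are an assumed generalisation of common reuse patterns rather than anything the study lists.

```python
"""Match breach records against a customer watchlist and check for reuse.

Added example, not SpyCloud's code. Breach records, watchlist and user store
are constructed; the mangling rules are an assumed generalisation of common
'nearly identical' password reuse.
"""
import hashlib
import hmac
import os
import re

ITERATIONS = 50_000  # deliberately low for the example; use a far higher cost in production


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) as kept in the user store."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check_password(password, entry):
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def password_variants(password):
    """Variants a user is likely to derive from a leaked password: case changes,
    trailing symbol/digit added or dropped, trailing number bumped by one."""
    variants = {password, password.lower(), password.capitalize(), password.upper()}
    m = re.match(r"^(.*?)(\d+)(\W*)$", password)
    if m:
        stem, num, tail = m.groups()
        for n in (int(num) + 1, int(num) - 1):      # Winter2016! -> Winter2017!
            variants.add(f"{stem}{n:0{len(num)}d}{tail}")
        variants.add(f"{stem}{tail}")               # digits dropped
    stripped = password.rstrip("!@#$%^&*.?")
    variants.add(stripped)
    for suffix in ("!", "1", "123"):
        variants.add(stripped + suffix)
        variants.add(password + suffix)
    variants.discard("")
    return variants


def assess_exposure(records, watchlist_domains, user_store):
    """For each leaked record on a watched domain, decide whether the leaked
    password or a close variant is the user's current password.
    Returns {email: {"status": ..., "action": ...}}."""
    findings = {}
    for rec in records:
        email = rec["email"].lower()
        domain = email.rsplit("@", 1)[-1]
        if domain not in watchlist_domains:
            continue                      # not a customer of ours; ignore
        entry = user_store.get(email)
        if entry is None:
            findings[email] = {"status": "unknown-user", "action": "none"}
            continue
        leaked = rec["password"]
        if check_password(leaked, entry):
            status = "exact"
        elif any(check_password(v, entry) for v in password_variants(leaked) if v != leaked):
            status = "variant"
        else:
            status = "exposed-not-reused"
        action = "force-reset" if status in ("exact", "variant") else "notify"
        findings[email] = {"status": status, "action": action}
    return findings


# Constructed combo-list entries (not real data); dave is not on the watchlist.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "password": "Winter2016!"},
    {"email": "Bob@Example.com", "password": "hunter2"},
    {"email": "carol@example.com", "password": "correct-horse"},
    {"email": "dave@other.org", "password": "hunter2"},
]


def build_sample_store():
    """Constructed user store: alice bumped the year, bob reused outright,
    carol uses an unrelated password on our site."""
    return {
        "alice@example.com": hash_password("Winter2017!"),
        "bob@example.com": hash_password("hunter2"),
        "carol@example.com": hash_password("Tr0ub4dor&3"),
    }


if __name__ == "__main__":
    for email, finding in assess_exposure(SAMPLE_RECORDS, {"example.com"}, build_sample_store()).items():
        print(email, finding)
```

Two design points matter here. The leaked password is only ever compared against your own salted hashes, so the check needs no plaintext from your side and the third-party feed never learns which users reused. And the variant check is bounded to a handful of candidates per record, because each one costs a full PBKDF2 run against the user’s hash; a wider mangling dictionary belongs in an offline batch job, not in a login-time check.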
Featured Guest R-CISC Blog Post: Akamai: 5 Things You Should Be Doing to Protect Your Website This Cyber Monday
By: Dave Lewis, Global Security Advocate, Akamai
Every year we return to talk about security steps to better protect the individual shoppers. We discuss the myriad of confidence scams that crop up during Black Friday and Cyber Monday to ensnare shoppers. We examine things that people can do to stay safe online. But, what we often neglect to talk about is how the retailers can better protect themselves.
Thinking about this coming shopping season, my imagination began to run and I couldn’t help but think about the wall from Game of Thrones. The Brothers of the Night’s Watch try in vain to hold back the massive force aligned against them only to see their battlements fall.

There are 5 things that the Night’s Watch could have done to better protect against the teeming mass that was at their doorstep.
First and foremost is scale. The ability to scale your website against a burst in traffic is key. The Night’s Watch had controls in place that were dated. Let’s be honest, they had an appliance that, while seemingly formidable, wasn’t able to scale under modern traffic loads. Your online retail presence needs to be able to weather the rush of shoppers, which, if you’re not prepared, can have the same effect as a denial of service attack.
The second is to ensure your systems are patched to current levels, or have compensating controls in place. Keeping the hygiene of your systems current should go without saying. You don’t want to make the attacker’s job any easier.
As a defender, the third point is salient. Remain vigilant. The attacker will continue to test your defenses until they find a way to breach your systems. Keep constant watch for account takeover attempts to ensure your shoppers’ safety. Gathering intelligence on your adversary is an important exercise to make certain that you are prepared for threats, whether those threats are from massive numbers of shoppers stampeding to your website sale or from a large ill-tempered dragon.
The fourth point is to encrypt your customer information. There is no such thing as “responsible encryption.” Protect your customer data in a way that can’t be compromised by a third party. You are putting your business at risk if you leave customer data exposed. While sending messages via raven might work for communications in the Seven Kingdoms, it’s really ill-advised to leave your customer data unencrypted, especially when you consider that GDPR is looming on the horizon.
Last but certainly not least, have your incident response plan ready and tested. Make sure you will have staff ready to respond in the event of an outage or data breach. Have internal and external communications prepared to go so that you can manage the narrative for all parties if something goes awry. Hopefully you will never need to put the plan into effect, but an ounce of prevention is paramount.
Buckle in and get ready. Winter is…er…shoppers are coming!
Spotlight on R-CISC Member: Flashpoint: Shoplifting: Defeating Theft Detection and Prevention Technology

Typically considered one of the most accessible and in many cases least-sophisticated types of crime, shoplifting persists as an undeniably damaging affliction across the retail sector. In fact, the National Retail Security Survey reported that loss of inventory cost U.S. retailers an estimated $49 billion USD in 2016, with 70 percent of the loss caused by employee theft and shoplifting.

The survey also indicated that in response, retailers are investing more in technological deterrents like live, customer-visible closed-circuit television (CCTV) systems and point-of-sale (POS) data mining software rather than in Loss Prevention (LP) personnel. Indeed, retailers’ investments in staffing for LP departments remained generally flat in 2016.

Motivated to help our retail sector customers bolster defenses, evaluate deterrents, and ultimately combat this threat, Flashpoint embarked on a research project to identify the tools and tactics contributing to the widespread proliferation of shoplifting.

Shoplifting Tools

During the course of this research, we observed various websites hosting advertisements for shoplifting tools, some of which also have legal, legitimate uses. Many of the tools that enable retailers to remove anti-theft devices also serve the same — though malicious — purpose for shoplifters.

While tools such as “sensormatic jammers” and “RF-impulse shielding fabric” are strictly used for theft, “hook detachers” and various magnetic keys can all be used to unlock certain security tags and wraps — regardless of whether the user is a retail employee or shoplifter. While tools used by retailers to legitimately remove anti-theft devices were listed for sale on numerous Deep & Dark Web forums, the same tools were also found easily on several well-known surface web eCommerce sites.

Our research also suggests that some shoplifting tools are more popular than others. Two in particular were discussed across multiple forums and appear to be among the most common shoplifting tools in use today: the “detacher hook” and the “S3 key.”

A detacher hook is a sickle-shaped tool typically made of stainless steel or aluminum. Law-abiding retail employees might recognize a detacher hook as a component of the Sensormatic SuperTag Hand-held Detacher. Shoplifters, however, typically use the detacher hook by itself. In addition to the ease-of-use provided by the tool’s small size, removing it from the Sensormatic SuperTag Hand-held Detacher helps shoplifters evade detection. Indeed, many handheld devices contain internal RFID tags designed to set off electronic article surveillance (EAS) sensors at store entrances.

An S3 Key is a magnetic device used to unlock Checkpoint Systems’ Alpha anti-theft devices such as “spider wrap,” “keepers,” “Bottle Caps,” hard tags, and “Cableloks.” While instructions to build homemade S3 Key devices are readily accessible to shoplifters across the Internet, official Alpha S3 Keys are also easily obtained on various well-known surface web eCommerce sites. In addition, numerous Deep & Dark Web forums and marketplaces are laden with dozens of instructional videos and forum posts detailing how each anti-theft device works and, more importantly, how shoplifters can defeat it.


Shoplifting Tactics

As expected, our research also revealed that information sharing and collaboration on Deep & Dark Web forums continues to enable shoplifters to learn from one another, advance their skills, and develop new tactics for bypassing retailers’ anti-theft controls.

In particular, members of certain forums frequently discussed specific retailers’ security measures and response techniques. We monitored multiple forum threads in which posters “decoded” various retailers’ in-store public address announcements, such as those used to alert employees of suspected shoplifting. In another post, we observed an actor explaining how to access a large retailer’s public service announcement system – a tactic that could be used to distract and deploy security personnel to one section of the store while the shoplifter targets another.

Throughout our research, we observed numerous posts in the Deep & Dark Web related to the effects of uniformed security or LP personnel on shoplifters’ operations. The presence of LP personnel near checkout areas appears to be a significant deterrent for perpetrators of in-store stolen card purchases. In fact, some posters on the now-defunct AlphaBay Market Forum emphasized the dangers by describing incidents in which LP personnel detained the perpetrators until they relinquished the stolen credit card or paid for the merchandise in cash.

In the same AlphaBay Market Forum thread, another poster described one retailer’s POS system as having the ability to “distinguish between a real, written only once /original to a card that has been re-written, and that sh** can show up on cashiers POS.”

We also observed numerous posts on several forum threads authored by alleged “former cashiers.” By providing insight into their former employers’ LP schedules and typical in-store headcount, the authors of these posts aimed to support fellow miscreants’ attempts to make fraudulent in-store purchases and/or shoplift items.

In addition to discussing in-store carding, several forums “reviewed” retailers’ return policies and the presence of LP personnel at the returns desk, which appears to be a significant deterrent to return fraud.


Assessing Deterrents

Perhaps the most valuable outcome of our research stems from the critical insight we gained into one of the simplest yet most effective shoplifting deterrents: human interaction. Despite the 2016 National Retail Security Survey’s results indicating that retailers are opting to invest more in technological deterrents than in personnel, our research suggests that — especially when it comes to less-sophisticated shoplifters — customer-facing personnel may be a more effective deterrent. While shoplifters and cybercriminals will always seek new tools and develop new tactics to evade anti-theft technologies, these tools and tactics can only be so effective at circumventing uniformed security and LP personnel.

Our research also suggests that stringent return policies — such as those requiring the scanning of government-issued identification cards and receipts for cash refunds, or those limiting the cash-back amounts for non-receipt returns — can significantly constrain return fraud. Additionally, customer service employees should appear as “hard targets,” by physically inspecting items returned in opened packaging to ensure that items inside match the receipt and were not replaced with old or used items.

Above all else, it’s crucial for retailers to recognize that despite the substantial damages inflicted by shoplifters, simple security measures and the physical presence of effective personnel can help reduce these crimes.

To learn how retailers are leveraging Flashpoint’s Business Risk Intelligence to combat shoplifting and other threats, download their use cases.

Read the full post on the Flashpoint site.

Source: Flashpoint

R-CISC In The News: 6 Steps For Sharing Threat Intelligence

Dark Reading: 6 Steps For Sharing Threat Intelligence 

Threat information-sharing first started getting more attention and interest in the cybersecurity industry after the 9/11 terror attacks.

So you’d think by now it would be a routine process, especially with the volume of high-profile data breaches in the past few years. But while there has been much progress between the federal government and the vertical flavors of the Information Sharing Analysis Centers (ISACs), threat information-sharing still has been put on the back burner by many organizations.

“What’s happened is that CISOs are so busy today that information sharing has become the kind of thing that they know will make them a better CISO, or at least a better person, but they put it off,” says Paul Kurtz, founder and CEO of TruStar Technology. “They don’t always recognize the benefits of information sharing.”

Kurtz says the key principles of threat information-sharing are:

1. Information sharing is not altruistic. The objective of data exchange is to identify problems more quickly and mitigate attacks faster. When an industry vertical shares common threat data and other companies in the field don’t have to reinvent the wheel, everyone benefits.

2. Information sharing is also not about breach notification. Organizations need to share event data early in the security cycle – before an event happens – such as information about suspicious activity.

3. Sharing data with other organizations about exploits and vulnerabilities is legal so long as you don’t share personally identifiable information. For example, a victim’s email address is usually not shared. Typical types of information that are fair game include suspicious URLs, file hashes, and IP addresses. The Cybersecurity Information Sharing Act of 2015 provides more detail here.

4. The sharing system must be easy to use. Make sure the system is user-friendly and can easily integrate with your established workflow within a SOC, a hunting team, or a fraud investigation unit.
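Point 3 is the one that needs tooling rather than policy: before an indicator leaves the SOC it should be reduced to the technical artefacts (URLs, hashes, IP addresses) with personal data stripped and validated so that a typo does not go out as an indicator. The Python below is an added example written for this page, not code from the article or from TruStar. The incident record layout, the field names and the sample incident are hypothetical, and the TLP marking and the “internal” address ranges are assumptions to adjust for your own environment.

```python
"""Sanitize an incident record before sharing it with an ISAC.

Added example, not from the Dark Reading article. The record layout, field
names and the sample incident are hypothetical. Only validated technical
indicators are kept; personal data is dropped or redacted.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, urlunsplit

PII_FIELDS = {"victim_email", "victim_name", "employee_id"}      # never shared
HASH_RE = re.compile(r"^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # MD5 / SHA-1 / SHA-256
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")

# Addresses that describe your own network rather than the adversary (assumption).
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def clean_ip(value):
    """Return a normalised public address, or None for junk and internal ranges."""
    try:
        addr = ip_address(value.strip())
    except ValueError:
        return None
    if any(addr in net for net in INTERNAL_NETS):
        return None
    return str(addr)


def clean_url(value):
    """Keep scheme, host, port and path; drop credentials, query and fragment,
    which is where reset tokens and e-mail addresses usually end up."""
    try:
        p = urlsplit(value.strip())
        host, port = p.hostname, p.port
    except ValueError:
        return None
    if p.scheme not in ("http", "https") or not host:
        return None
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((p.scheme, netloc, p.path, "", ""))


def clean_hash(value):
    v = value.strip().lower()
    return v if HASH_RE.match(v) else None


def clean_domain(value):
    v = value.strip().lower().rstrip(".")
    return v if DOMAIN_RE.match(v) else None


CLEANERS = {"ips": clean_ip, "urls": clean_url, "hashes": clean_hash, "domains": clean_domain}


def sanitize_incident(record, tlp="TLP:AMBER"):
    """Return a shareable copy: validated, de-duplicated indicators only, PII
    fields left out, e-mail addresses redacted from free text, TLP attached."""
    indicators = {}
    for field, cleaner in CLEANERS.items():
        seen = []
        for raw in record.get(field, []):
            cleaned = cleaner(raw)
            if cleaned and cleaned not in seen:
                seen.append(cleaned)
        indicators[field] = seen
    # Only the keys listed here are copied; PII_FIELDS are never among them.
    return {
        "incident_id": record.get("incident_id"),
        "tlp": tlp,
        "indicators": indicators,
        "description": EMAIL_RE.sub("[email redacted]", record.get("description", "")),
    }


# Constructed incident (hypothetical identifiers, documentation-range addresses).
SAMPLE_INCIDENT = {
    "incident_id": "INC-0042",
    "victim_email": "jane.doe@example-retailer.test",
    "victim_name": "Jane Doe",
    "ips": ["198.51.100.23", "10.0.4.17", "not-an-ip"],
    "urls": [
        "http://login-example-retailer.test/reset?user=jane.doe@example-retailer.test&t=abc#top",
        "ftp://bad.example/",
    ],
    "hashes": ["E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", "xyz"],
    "domains": ["login-example-retailer.test.", "not a domain"],
    "description": "Phish sent to jane.doe@example-retailer.test from 198.51.100.23",
}

if __name__ == "__main__":
    import json
    print(json.dumps(sanitize_incident(SAMPLE_INCIDENT), indent=2))
```

The allow-list shape is deliberate: the shared record is built from named fields, so a new column added to the internal incident schema later (a customer’s phone number, say) cannot leak by default. Query strings are dropped from URLs for the same reason; a phishing link’s path identifies the kit, while its parameters usually identify the victim.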

Neal Dennis, a senior ISAC analyst at the Retail Cyber Intelligence Sharing Center (R-CISC), says companies that don’t know where to start or don’t have deep pockets for security tools should contact their industry ISAC. “A lot of our members are smaller retail companies that don’t have the resources of a Target or Home Depot, so it makes sense for them to seek out the retail ISAC for threat information and guidance on potential tools to deploy,” Dennis says.

Read the full article, with tips on how to get started with sharing threat intelligence, at Dark Reading.

Source: Dark Reading
This #CyberAware month, Two R-CISC Members Offer Space for USSS/FBI BEC Workshops

In the true spirit of information sharing and in support of National Cyber Security Awareness Month, two R-CISC members, JOANN Stores and Starbucks, offered their space and, more importantly, valuable staff time in support of the US Secret Service (USSS) and Federal Bureau of Investigation (FBI) educational effort on Business Email Compromise (BEC) for the broad business community. BEC has become a significant threat to U.S. businesses and individuals. Since October 2013, the FBI has identified victims in 131 countries and a global monetary exposure of more than $5 billion as a result of BEC fraud.

Over the two days combined, we educated more than 200 businesses local to Seattle and Akron about the threat and offered some security measures that help prevent BEC. Many of the measures were ones already familiar to R-CISC members: authenticate the request outside of email, as rules may have been compromised, and establish processes that require multiple approvals for wire requests. The USSS and FBI also stressed that if BEC occurs, the first step is to call the bank to stop the transfer. The second is to reach out to local USSS and FBI offices to report the incident or report it via
They urged reporting failed BEC attempts as well, since information from these can be tied to broader criminal investigations.
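The first of those measures, verifying the request outside of email because the mailbox’s rules may have been compromised, has a defender-side counterpart: periodically auditing inbox rules for the changes BEC actors make once they hold a mailbox (forwarding to an external address, deleting or marking as read anything that mentions wires or invoices, moving mail into a folder nobody reads, and naming the rule “.” so it is not noticed). The Python below is an added example, not material from the workshop or from the USSS/FBI. It assumes the rules have been exported from the mail platform into the simple dict layout shown; that layout, the sample rules, the keyword lists and the folder names are all hypothetical.

```python
"""Audit mailbox inbox rules for the patterns BEC actors leave behind.

Added example, not from the workshop. It assumes 'rules may have been
compromised' refers to inbox rules, and that rules have been exported from the
mail platform into the simple (hypothetical) dict layout used below.
"""
import re

FINANCE_TERMS = ("wire", "invoice", "payment", "bank", "ach", "transfer", "urgent")
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history",
                  "junk", "deleted items", "archive")
SUSPICIOUS_NAME_RE = re.compile(r"^[\s.,'\-_]*$")   # empty, dots, lone punctuation


def _external(address, internal_domains):
    domain = address.lower().rsplit("@", 1)[-1]
    return domain not in internal_domains


def audit_rule(rule, internal_domains):
    """Return a list of (reason, detail) findings for one rule."""
    findings = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    keywords = [k.lower() for k in
                conditions.get("subject_contains", []) + conditions.get("body_contains", [])]
    touches_finance = any(re.search(rf"\b{t}\b", k) for k in keywords for t in FINANCE_TERMS)

    # Forwarding or redirecting to an address outside the organisation.
    for target in actions.get("forward_to", []) + actions.get("redirect_to", []):
        if _external(target, internal_domains):
            findings.append(("external-forward", target))
    # Destroying or hiding mail, either for finance keywords or for everything.
    if actions.get("delete") and (touches_finance or not keywords):
        findings.append(("deletes-mail", "finance keywords" if touches_finance else "unconditional"))
    if actions.get("mark_read") and touches_finance:
        findings.append(("hides-finance-mail", "marks as read"))
    folder = str(actions.get("move_to", "")).lower()
    if folder in HIDING_FOLDERS and (touches_finance or not keywords):
        findings.append(("moves-to-hiding-folder", folder))
    # Rules named to escape a casual glance at the rules list.
    name = rule.get("name", "")
    if SUSPICIOUS_NAME_RE.match(name) or len(name) == 1:
        findings.append(("suspicious-name", repr(name)))
    return findings


def audit_rules(rules, internal_domains):
    """Return {(mailbox, rule name): findings} for every rule with a finding."""
    report = {}
    for rule in rules:
        f = audit_rule(rule, internal_domains)
        if f:
            report[(rule["mailbox"], rule.get("name", ""))] = f
    return report


# Constructed rule export (hypothetical layout and data).
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": ".",
     "conditions": {"subject_contains": ["wire", "invoice"]},
     "actions": {"forward_to": ["cfo.backup@webmail.test"], "delete": True, "mark_read": True}},
    {"mailbox": "cfo@example.com", "name": "Newsletters",
     "conditions": {"from_contains": ["news@"]},
     "actions": {"move_to": "Newsletters"}},
    {"mailbox": "ap@example.com", "name": "Team copy",
     "conditions": {"subject_contains": ["payment"]},
     "actions": {"forward_to": ["ap-team@example.com"]}},
    {"mailbox": "ap@example.com", "name": "Cleanup",
     "conditions": {},
     "actions": {"move_to": "RSS Feeds"}},
]

if __name__ == "__main__":
    for key, findings in audit_rules(SAMPLE_RULES, {"example.com"}).items():
        print(key, findings)
```

Run this against a fresh export on a schedule and diff the reports: a rule that appears between runs on a finance mailbox is worth a phone call to its owner regardless of what it matches, since the actor’s next step is usually a wire request timed for when that owner is away.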

The BEC Workshops were coordinated through the National Council of ISACs and were sponsored by Symantec.

I would like to thank the teams at JOANN Stores and Starbucks for their support of this effort and a big shout out to Starbucks for providing all attendees with some delicious coffee.

For more info or to join in at another workshop in another city, visit:

