New yr, similar ways

In the US alone, the retail sector accounts for trillions of {dollars} in transactions annually—and financially-motivated risk actors are desirous to get their lower. They leverage weaknesses in shops’ refund and return insurance policies, knowledge breaches, and cyber extortion schemes, amongst different ways, to efficiently execute an assault. 

With a lot at stake for retailers—in addition to their companions and the customers they serve—it’s important for safety and fraud groups to mitigate exploitable vulnerabilities, hold risk actors out, cut back danger, and in the end, forestall loss. 

The proper intelligence will help retailers know what to anticipate and take the mandatory steps to shut danger apertures and cease assaults, from ransomware to fraud. The excellent news is that though assaults elevated in 2022, the ways, strategies, and procedures (TTPs) that risk actors used are, kind of, remaining the identical. In different phrases, cyber risk actors usually are not essentially creating new strategies of assault; relatively, they’re consistently adapting tried-and-true TTPs as a way to bypass new safety measures or expertise. 

Here’s how threats to the retail sector performed out in 2022.

Refund fraud

There are loads of methods for risk actors to reap the benefits of retailers’ return insurance policies, customer support representatives, and third-party associates, together with fee processors and transport firms, as a way to obtain fraudulent refunds for items. Over the previous yr, the refund fraud schemes that Flashpoint has noticed depend on iterations of already-popular refund fraud strategies, tailoring them to be simpler towards organizations’ safety measures.

Mentions of varied retail fraud strategies on boards in 2022

Compared to the 2021 yr finish report on the retail sector, in 2022 there have been practically double the variety of mentions of in style refund fraud ways inside Flashpoint’s discussion board collections, indicating the rising recognition of fraudulent refund tutorials and providers. 

According to a 2021 report by the National Retail Federation (NRF), of the US$761 billion in returned items over the whole lot of 2021, roughly 10 p.c ($78.4 billion) have been deemed fraudulent. It additionally famous that almost all of returned objects, fraudulent and bonafide, are from on-line orders. In 2020, the NRF estimated that US$428 billion price of merchandise was returned, and roughly 5.9 p.c ($25.3 billion) was deemed fraudulent. Although statistics usually are not but accessible for 2022, based mostly on this pattern, it’s possible that the amount and total financial affect of fraudulent refunds will proceed to develop throughout the United States.

The faux monitoring ID (FTID) methodology

As in 2021, the “fake tracking ID” (FTID) methodology was one of the mentioned and marketed refund strategies noticed in 2022. Actors use the FTID methodology to defraud firms that require {that a} defective or incorrect merchandise be returned earlier than sending a alternative or refund, interfering with the return label monitoring ID numbers. 

Threat actors might obfuscate personally identifiable data (PII) on the return label, like identify and handle, in order that solely the barcode is seen. They connect the tampered-with label to a field that matches the approximate weight of the merchandise in query however doesn’t truly embody the merchandise. In one model of a profitable FTID return, the warehouse would scan the barcode upon the merchandise’s return, notice the same weight of the cargo, and settle for it as a authentic return. In one other model, the risk actor would change the return handle in order that the field is scanned by mail carriers or shippers however is rarely truly returned to the warehouse.


This yr, Flashpoint recognized one other iteration of the FTID methodology known as the “not reroute FTID method” (NR-FTID). The majority of NR-FTID discussions happened on Telegram, with the earliest point out of this methodology rising inside Flashpoint collections in February 2022. This methodology allegedly fixes a difficulty wherein packages despatched below a faux transport label don’t compromise the refund by by accident rerouting.

Gift card fraud

Gift card fraud is a typical entry level for risk actors to commit different forms of monetary fraud. Often, reward playing cards are bought with stolen monetary data or bought by compromised buyer accounts the place monetary data is saved


Year up to now, there have been 53 retail-related ransomware leaks inside Flashpoint collections. In the identical time interval in 2021, there have been 51 noticed retail-related leaks. 

Data is leaked if the sufferer refused to pay the demanded ransom or didn’t not negotiate a ransom by a sure predetermined time. Since victims are usually spared from being outed on leak websites in the event that they adjust to negotiation and ransom calls for, it’s extremely possible {that a} a lot bigger variety of retailers was impacted and focused by ransomware gangs this yr however weren’t publicly revealed. 

The United States is constantly the highest focused nation by ransomware gangs looking for to use retailers, which can be attributed to the commonly excessive variety of on-line retailers throughout the nation and the worth of the delicate data saved by these retailers.

The high ransomware gangs focusing on the retail sector in 2022 (January by November), based mostly on posts on their leak websites.

In September 2022, Sophos launched its “State of Ransomware in Retail 2022” report, which was performed in early 2022 and surveyed 5,600 IT professionals, 422 of which work instantly inside the retail sector. Respondents have been requested to replicate on cybersecurity incidents from the earlier yr when answering the survey questions. The report discovered that 77 p.c of responding retail entities skilled a ransomware assault in 2021, which is up from 44 p.c in 2020. The cross-sector common of entities experiencing a ransomware assault in 2021 was 66 p.c. 

While extortion-only assaults towards retailers have been down this yr—from 12 p.c to three p.c—Sophos famous that this extra possible signifies a change in ways, like coupling extortion with ransomware, relatively than a real departure from one of these assault. In 99 p.c of instances the place knowledge was encrypted, organizations have been in a position to get better not less than a few of that knowledge.

Advertisements of preliminary entry

The exploitation of content material administration programs (CMS) and e-commerce platforms posed an awesome risk to retailers in 2022. On pattern with earlier years, Flashpoint noticed the vast majority of such ads on top-tier Russian hacking discussion board Exploit, with a smaller quantity on Russian top-tier discussion board XSS. 

This yr, analysts noticed a excessive curiosity in promoting entry to Magento and WooCommerce sources.

Initial entry auctions for common on-line retailers, retailers utilizing Magento sources, and retailers utilizing WordPress sources since January 2022.

Based on knowledge collected from VulnDB, yr up to now, there have been fourteen newly disclosed CVEs in Magento which have a mean danger rating of 6.71. According to analysis printed by Sansec in September 2022, risk actors have generally exploited a vulnerability which permits actors to execute arbitrary code. Actors have leveraged not less than three totally different assaults to use this vulnerability, all of which outcome within the injection of a distant entry trojan into weak endpoints. It seems that this exercise has been attributed to a number of “Magecart” teams.

Compared to different e-commerce platforms, Magento and WordPress/WooCommerce will possible persist as in style targets amongst financially motivated risk actors. This is partially because of the quantity of on-line retailers that leverage these sources: It is estimated that 4 4 million web sites use WooCommerce and 170,000 websites use Magento. Due to Magento’s disproportionately excessive charge of CVEs, actors will possible proceed to focus on the platform.

Data breaches

The retail sector is a precedence goal for knowledge breaches, based mostly on the perceived quantity of monetary knowledge saved inside retailers’ programs. Between January and November, based on Cyber Risk Analytics, the retail sector skilled 221 breaches, leading to over 279 million compromised information. The majority of those breaches occurred on account of common hacking and skimming. 

Top ten breach sorts impacting the retail sector between January and November 2022.

The values will possible improve within the coming months and years, as breach knowledge will most actually be retroactively found for this timeframe.

Keep your belongings, knowledge, personnel, and prospects safe with Flashpoint

Flashpoint’s suite of actionable intelligence options permits organizations to proactively determine and mitigate cyber and bodily danger that might imperil folks, locations, and belongings. To unlock the ability of nice risk intelligence, get began with a free Flashpoint trial.


Please enter your comment!
Please enter your name here