Generative AI Emerges as Top Cybersecurity Concern for Retailers: Report
Trustwave’s report identifies generative AI, bot activity and the proliferation of third-party endpoints as top threats to the retail sector.
Cybersecurity and managed security services provider Trustwave has released a comprehensive report titled “2023 Retail Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies,” which names generative AI (including LLMs), bot activity and the proliferation of third-party endpoints as the three foremost threats to the retail sector.
As per the report, on average retailers lose $2.9 million to data breaches and consumers lose $8.8 billion yearly to scams.
It further sheds light on the cybersecurity risks facing retailers, along with practical insights and mitigations to strengthen defences. Despite security warnings every holiday shopping season, retail scammers’ tricks are still working and evolving in sophistication.
“Traditional methods such as phishing, email-borne malware, exploiting known and zero-day vulnerabilities, and compromising third-party vendors continue to pose significant threats,” Trustwave SpiderLabs senior security research manager Karl Siger told Metaverse Post. “In this report, we have seen new novel types of phishing techniques, new exploits, new malware and even new technologies such as the emergence of generative AI for social engineering attacks.”
The report further found that 70% of malicious emails in retail customers contained HTML attachments, with 30% of these being obfuscated. LLMs like WormGPT and FraudGPT are also making email phishing more personalized.
Why does this matter? Since the COVID-19 pandemic, there has been a rapid shift towards e-commerce, and this has made retailers more vulnerable to cyberattacks.
E-commerce retailers store a large amount of sensitive customer data, such as credit card numbers and shipping addresses. Moreover, retailers often rely heavily on third-party vendors for services such as web hosting and payment processing. These third-party vendors can be a security risk if they are not properly vetted and monitored.
“Our team has observed a significant increase in malicious bot traffic during the holiday shopping season which poses a threat to online retailers. These bots engage in various automated threats, including credential stuffing, account takeover, gift card cracking, web scraping, API scraping, fake account creation, and inventory scalping,” Trustwave’s Karl Siger explained.
LockBit Takes Lead as Pivotal Security Threat
For reported retail incidents, compromised credential access accounts for 30% of all cyber tactics. Automated bots encompass a diverse range of malicious activities, including scalping and freebie exploitation.
For example, Grinchbots and Freebie Bots acquired products worth $500K from a single retailer on Black Friday/Cyber Monday weekend last year, and are expected to buy up all available stock of hard-to-find holiday items this year.
“LockBit is popular for a variety of reasons, primarily because the ease of use for criminals with low technical skills makes it the easiest RaaS service out. It is also constantly updated with new features and exploits. To a certain extent, its popularity feeds itself, since once a piece of malware or malicious service develops a reputation of stability and maturity, it attracts more users,” said Trustwave SpiderLabs’ Karl Siger.
“The advice we recommend for LockBit is the same as for all ransomware risks.”
“Make sure you keep good backups that are segmented away from your valuable systems and data. Ransomware is most often deployed via phishing emails, so including phishing prevention in your ongoing security awareness training may prevent the malware from being installed in the first place,” Siger told Metaverse Post.
The United States is the most targeted geography for most industry verticals due to two primary factors: U.S. corporations tend to have the most money to steal and the U.S. has a very large and stable Internet presence with very desirable computer resources and bandwidth.