
How Criminals Plan to Exploit Your Customers’ Stolen Data This Holiday Season


The holiday season is upon us, and for e-commerce businesses, it’s not so much the cheer that’s escalating — it’s the risk of cyberattacks.

As shoppers jump into online shopping, digital Grinches armed with stolen data and sophisticated techniques are gearing up to exploit the upcoming holiday rush.

For us in the cybersecurity world, ‘tis the season to be vigilant.

And from what we’re seeing in the criminal underground, cybercriminals and fraudsters are already initiating illicit activities to exploit any vulnerabilities or weaknesses they can find in merchants’ security measures before the rush begins.

To prepare your e-commerce cybersecurity posture for the holidays, dig in with us as we unpack how criminals are stocking up with stolen credentials and credit cards and fine-tuning their methods, ready to put it all to use this peak season.

Peak season for shopping & fraud: A look at this year’s risk landscape

This year is poised to be the busiest yet, with e-commerce transactions projected to grow 14% during the 2023 holiday season (an estimated $957.3 to $966.6 billion in spending).

However, where there’s growth, there’s a risk – fraud attempts are expected to increase, with a projected 3% of all transactions facing potential threats, and losses predicted to surpass $48 billion. For those of us looking at the calendar, the period between December 11 and December 16 is predicted to be the timeframe when most online criminals set in motion their schemes for holiday fraud.

What’s fueling fraud this holiday season?

Simply put, your customers’ stolen data is the primary fuel for fraud.

When customers appear in third-party breaches or fall victim to malware infections, their personal and financial data end up in the hands of criminals. That data circulates in dark web communities, where other criminals purchase it and use it for fraud.

At SpyCloud, our researchers are observing sales of “fullz” on the dark web, complete with credentials, personally identifiable information (PII), and payment details, for as little as $2.50, or over $50 when the accounts undergo vetting with confirmed account balances. As the holiday season approaches, criminal activity on the dark web intensifies, with cyber adversaries even offering promotions and “Black Friday Deals,” mirroring the strategies of e-commerce organizations.

The staggering amount of stolen data in circulation is underscored by last year’s 1,802 publicly reported data breaches that affected 422.1 million individuals. This, paired with the increasing sophistication of criminal tactics, has security and fraud teams facing the monumental challenge of distinguishing between legitimate shoppers and potential criminals interacting with their sites.

What security & fraud teams should be on the lookout for

As your teams walk the tightrope of taking fraud prevention steps for at-risk accounts while also ensuring a frictionless experience for legitimate users, it’s critical to find a balance. Here’s what to look for when building and fortifying your account security and fraud prevention strategy.  

Traditional account takeover

Traditional account takeover (ATO) occurs when a criminal gains access to a customer’s credentials either through a third-party breach or a malware infection, which they can then use to log in to a user’s account.

For high-value or targeted attacks, criminals manually test credential combinations, or try very similar variations to get into the account. They may also take a “low and slow” approach, intentionally pacing login attempts to stay under the radar and avoid setting off alarms.

Aside from manual attacks, criminals routinely run credential stuffing attacks, using automated bots to test large lists of stolen or leaked username and password combinations across many websites. The bots are often tuned to mimic the behavior of legitimate users (realistic user agents, rotating IP addresses, human-like timing), which makes the ATO harder to detect. Seon recently reported that over Christmas, fraudulent bot activity increased by 255.36%. Once inside an account, newly stolen payment information is put to use for card-not-present (CNP) fraud, which is expected to make up 74% of fraud by 2024.

With ATO attacks increasing (354% year-over-year in 2023), it is more crucial than ever for security teams to have insight into their customers' underground exposure. Knowing whether a customer was exposed, what data was exposed, and how recently can help your team bolster account security and keep criminals out of at-risk accounts.

SpyCloud researchers have identified an increase in poor cyber hygiene over the years, with last year’s password reuse rates for consumers coming in at 74%, which is a large contributor to the spike in ATOs.
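The two attack patterns described above, bot-driven credential stuffing and "low and slow" manual guessing, leave different traces in authentication logs. The following is an added example, not SpyCloud's code or any product's detection logic. It assumes a simple, constructed login log format (timestamp, source IP, username, OK/FAIL) and shows one detector for each pattern: a per-source-IP burst of distinct usernames with a high failure ratio, and a per-account run of failures paced below a normal velocity threshold, optionally followed by a success (the account is then presumed compromised).

```python
"""Detect credential stuffing and "low and slow" ATO attempts in auth logs.

Added example, not SpyCloud code. The log format and all IPs, users and
thresholds below are assumptions constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 replays a list of six accounts in eight seconds (one hit);
# 198.51.100.23 works one account over ~7 hours, then gets in;
# 192.0.2.44 is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
2023-12-11T09:00:00 203.0.113.7 alice@example.com FAIL
2023-12-11T09:00:02 203.0.113.7 bob@example.com FAIL
2023-12-11T09:00:03 203.0.113.7 carol@example.com FAIL
2023-12-11T09:00:05 203.0.113.7 dan@example.com OK
2023-12-11T09:00:06 203.0.113.7 erin@example.com FAIL
2023-12-11T09:00:08 203.0.113.7 frank@example.com FAIL
2023-12-11T09:15:00 198.51.100.23 grace@example.com FAIL
2023-12-11T10:40:00 198.51.100.23 grace@example.com FAIL
2023-12-11T12:05:00 198.51.100.23 grace@example.com FAIL
2023-12-11T13:30:00 198.51.100.23 grace@example.com FAIL
2023-12-11T15:00:00 198.51.100.23 grace@example.com FAIL
2023-12-11T16:25:00 198.51.100.23 grace@example.com OK
2023-12-11T11:00:00 192.0.2.44 heidi@example.com OK
2023-12-11T11:00:30 192.0.2.44 heidi@example.com FAIL
2023-12-11T11:01:00 192.0.2.44 heidi@example.com OK
"""


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.6):
    """One source IP tries many distinct usernames in a short window and
    mostly fails: the signature of a stolen combo list being replayed."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):          # sliding window over this IP's events
            burst = [e for e in evs[i:] if e.ts - start.ts <= window]
            users = {e.user for e in burst}
            fails = sum(not e.ok for e in burst)
            if len(users) >= min_users and fails / len(burst) >= min_fail_ratio:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(burst),
                    # successes inside the burst are accounts now open to ATO
                    "hits": sorted(e.user for e in burst if e.ok),
                }
                break
    return findings


def detect_low_and_slow(events, min_failures=4, min_span=timedelta(hours=2),
                        max_per_hour=1.0):
    """Repeated failures against one account, paced to stay under per-minute
    rate limits. Flag when failures are many but spread thinly over hours."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    findings = {}
    for user, evs in by_user.items():
        fails = [e for e in evs if not e.ok]
        if len(fails) < min_failures:
            continue
        span = fails[-1].ts - fails[0].ts
        if span < min_span:
            continue
        if len(fails) / (span.total_seconds() / 3600) > max_per_hour:
            continue  # fast enough that an ordinary velocity rule already fires
        findings[user] = {
            "failures": len(fails),
            "span_hours": round(span.total_seconds() / 3600, 1),
            "source_ips": sorted({e.ip for e in fails}),
            # a success after the run means the guess landed: treat as compromised
            "followed_by_success": any(e.ok and e.ts > fails[-1].ts for e in evs),
        }
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("low and slow:", detect_low_and_slow(evs))
```

Two things are worth noticing. The stuffing detector keys on distinct usernames per source, not on failures per account, because each victim account sees only one attempt; an account-centric lockout rule never fires. Conversely the low-and-slow detector deliberately ignores runs that are fast, since those are already caught by velocity rules, and only reports the slow ones that such rules are designed to miss. In production the thresholds, a proxy-aware notion of "source", and exposure signals (was the account in a recent breach?) would be tuned together.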

Next-generation ATO: Session hijacking

Security teams are well acquainted with the conventional ATO method involving stolen credentials, but a second method, session hijacking with stolen cookies, poses a significant challenge because of its stealthy nature.

Cybercriminals have gotten really good at getting users to click on malicious links or downloads that unknowingly infect their devices with infostealer malware. This sophisticated malware extracts a trove of data, including personally identifiable information (PII), credentials, and the complete browser fingerprint, often automatically deleting itself from the user’s device before antivirus software can detect it or intervene.

One critical component of what is packaged up from the user's device is the session cookies. A session cookie is issued when the user logs in; when the user opts to "Remember me," that cookie is issued with a long lifetime. As long as it has not expired or been revoked, the user never has to present credentials again.

Criminals capitalize on these session cookies by importing them into anti-detection browsers alongside the user's device details, such as make and model, IP address (via a proxy in the same region), screen resolution, browser version, and more. This lets them closely emulate the user's device and take over, or hijack, the session. Because the criminal never goes through a login, multi-factor authentication (MFA) prompts are never triggered, and any step-up authentication that is tied only to the login step is bypassed as well.

SpyCloud researchers have observed various locations and pricing options for bad actors to purchase infostealer malware data on the dark web.

To prevent session hijacking, businesses need to be able to identify malware-infected customers and pinpoint which active session cookies could be leveraged in a session hijacking attack that could compromise a customer’s account. Malware-infected users pose the highest risk of unattributable fraud, and their stolen cookies are among the most sought-after “credentials” in the criminal underground. SpyCloud researchers recaptured 22 billion stolen cookie records from the dark web in 2022 alone. Fast action to invalidate stolen cookies is crucial to locking criminals out of accounts.
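The mechanics above, and the remedy of invalidating stolen cookies, can be shown with a small server-side session store. The following is an added example, not SpyCloud's code or any vendor's session implementation; the signing key, the fingerprint attributes, and the `revoke_all` trigger are assumptions. The store issues an HMAC-signed session token bound to a digest of the device fingerprint, and keeps a per-user "generation" counter: bumping the counter on an exposure signal (for example, the user's credentials turning up in an infostealer log) invalidates every outstanding cookie for that user at once, without having to know which cookie was stolen. The example also shows why fingerprint binding alone is not enough: a criminal who replays the cookie from an anti-detect browser with a faithful copy of the fingerprint passes the check.

```python
"""Session cookies bound to a device fingerprint, with bulk revocation.

Added example, not SpyCloud code. SERVER_KEY, the fingerprint fields and
the revocation trigger are assumptions for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # assumption: one server-side signing key


class SessionStore:
    def __init__(self):
        # user -> generation; bumping it revokes all of that user's sessions
        self.generation: dict[str, int] = {}

    @staticmethod
    def _fp(fingerprint: dict) -> str:
        """Stable digest of the device attributes the server can observe."""
        canon = json.dumps(fingerprint, sort_keys=True).encode()
        return hashlib.sha256(canon).hexdigest()[:16]

    def issue(self, user: str, fingerprint: dict, remember_me: bool = False,
              now: float | None = None) -> str:
        """Mint a cookie value at login. 'Remember me' gets a 30-day lifetime."""
        now = time.time() if now is None else now
        ttl = 30 * 86400 if remember_me else 3600
        payload = {
            "sid": secrets.token_hex(8),
            "user": user,
            "gen": self.generation.get(user, 0),
            "fp": self._fp(fingerprint),
            "exp": int(now + ttl),
        }
        body = json.dumps(payload, sort_keys=True).encode()
        sig = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + sig

    def validate(self, token: str, fingerprint: dict,
                 now: float | None = None) -> tuple[str | None, str]:
        """Return (user, 'ok') or (None, reason) for a presented cookie."""
        try:
            body_hex, sig = token.split(".")
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None, "malformed"
        expect = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expect):
            return None, "bad signature"
        p = json.loads(body)
        now = time.time() if now is None else now
        if now > p["exp"]:
            return None, "expired"
        if p["gen"] != self.generation.get(p["user"], 0):
            return None, "revoked (generation)"
        if p["fp"] != self._fp(fingerprint):
            return None, "fingerprint mismatch"
        return p["user"], "ok"

    def revoke_all(self, user: str) -> None:
        """Exposure signal received for this user (assumption: e.g. seen in an
        infostealer log). Every cookie minted before this call now fails."""
        self.generation[user] = self.generation.get(user, 0) + 1


if __name__ == "__main__":
    store = SessionStore()
    victim_fp = {"ua": "Mozilla/5.0 (Windows NT 10.0)", "screen": "1920x1080",
                 "tz": "America/Chicago"}
    cookie = store.issue("alice@example.com", victim_fp, remember_me=True)
    # Attacker replays the stolen cookie from an anti-detect browser.
    print("sloppy clone:", store.validate(cookie, dict(victim_fp, screen="1366x768")))
    print("faithful clone:", store.validate(cookie, victim_fp))   # passes: hijack succeeds
    store.revoke_all("alice@example.com")          # exposure signal arrives
    print("after revoke:", store.validate(cookie, victim_fp))     # now refused
```

The fingerprint check catches careless replay, but an infostealer captures the very attributes the digest is built from, so a faithful clone validates exactly as the victim would; that is the page's point about MFA never being prompted. The control that actually closes the door is the generation bump, which can be driven by an exposure feed and forces a fresh login (and therefore MFA) for the affected user only, leaving everyone else's "Remember me" sessions untouched.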

Fraud tied to new accounts

New accounts created during peak season bring a different set of challenges for security teams. Cybercriminals often use exposed or fabricated identities in combination with stolen payment information for card-not-present (CNP) fraud, taking advantage of the lack of account behavior and transaction history to evade detection and stay under the radar.

Data from ACI covering January to September 2023 reveals a notable trend: new customer accounts witnessed a 5% increase in fraudulent activities compared to existing ones, with expectations of a further 5% growth during this holiday season. This statistical insight underscores the vulnerability of new accounts and emphasizes the need to adopt proactive measures in scrutinizing and securing new accounts during the heightened risk period.

At account creation, security teams can benefit from checking the new user's email address for prior dark web exposures. That check helps determine whether a criminal is using a victim's stolen PII and payment information to open an account in their name, and, at the other extreme, whether the address has no exposure history at all because a criminal created it recently for fraud. A lack of account history doesn't mean you can't gain insight into related risks.

BNPL (Buy now, pay later)

As customers search for a more budget-friendly approach to holiday shopping amidst a rise in inflation, “Buy now, pay later” (BNPL) transactions have become increasingly popular and appealing, predicted to triple in volume, especially for items priced above $150. The rising popularity of BNPL is not without its challenges, as fraud attempts for these transactions increased by nearly 6% in Q3 2023 compared to the previous year, with an anticipated 2% spike during the holiday season.

A large contributor to BNPL fraud stems from criminals engaging in ATO schemes, where they use stolen credentials to log in to a customer’s account, as well as stolen payment information to make high-value purchases on the victim’s behalf, without any intention of paying – resulting in significant financial losses for merchants. Criminals may change the delivery address for purchases made through BNPL, making it difficult for merchants to verify the legitimacy of the transaction. This can lead to goods being delivered to the wrong address, making recovery of stolen merchandise challenging.

BOPIS (Buy Online, Pick Up In Store)

For merchants with both online and brick-and-mortar stores, “buy online, pick up in-store” (BOPIS) enables customers to order products online and pick them up from a physical location. Consumers love it because they avoid shipping fees and delays, since the goods are often available within an hour of making an order. Merchants love it because it bolsters sales (to the tune of $95.9 billion in revenue in 2022), negates shipping logistics, and helps move inventory out of stores.

This “click and collect” method can come with a cost, though. Criminals have learned how to scam the BOPIS process, largely because retailers depend on store employees to confirm the recipient's identity instead of the fraud-detection technology that is ingrained in the rest of the e-commerce flow. That leaves the retailer vulnerable to fraudsters who either take over a legitimate customer's account or create a new fake account.

In the case of account takeover, the criminal uses stolen credentials to log in as the customer and place an order. Because the order is picked up in store, they don't have to supply a shipping address or steal the delivery off a porch. They simply place the order, drive to the store, and pick it up. With touchless pickup now standard practice, a signature is not required for most products, and where government ID is required it is not examined as closely as it once was.

What can your company do to prepare for the holiday season?

Criminals don’t wait for Black Friday or Cyber Monday to strike. They’ve already started putting plans in motion, scanning for weaker security measures and exploiting the fact that security teams are strapped, will be drowning in manual reviews, or maybe even enjoying some well-deserved time off.

It’s paramount to adapt your security strategies to be as proactive as possible in preparation for a surge in fraudulent activity. To prevent ATO more confidently and determine whether a user interacting with your site is a customer or a criminal, use what criminals already know about your customers against them.

Incorporate darknet insights into your customer account security and fraud prevention workflows so you can identify recently compromised or malware-infected customers whose exposed credentials, cookies, PII, and payment information put them at higher risk of ATO and fraud.

Using these risk signals, you can generate friction-free customer journeys for low-risk users, while also acting quickly to remediate high-risk accounts by forcing password resets, invalidating active session cookies, or simply flagging accounts for increased security.

Identify your customers’ darknet exposures and stop high-risk attacks with SpyCloud this holiday season.
