August Cyber Intelligence Summary

Advancements in technologies like artificial intelligence (AI) make it easier and faster to delight customers, from item discovery through to fulfillment and delivery. Similarly, associates realize the benefits of AI, automating away toil to focus on tasks that people do best, such as connecting with customers and members to ensure the best service. While both retailers and their customers are increasingly online and tech savvy, unfortunately, so are threat actors.

Walmart’s Infosec Team is responsible for protecting business-level, customer-level and associate-level data from bad-faith actors. This cyber intelligence (CI) summary serves as a collection of trends the team has recently observed across the threat landscape, as well as how they apply to the retail industry and what consumers should know to remain vigilant and safe.

The August 2024 edition of the Walmart Cyber Intelligence Trends Summary found the most prevalent topics of discussion and areas of exploitation as of late include:

• Artificial intelligence
• Phishing innovation
• Supply chain concerns

Read on to learn more about what’s trending in the threat landscape and how we can all improve our cybersecurity posture to save money and live better.

1)  The Risk and Reward of AI in Cybersecurity

Overview: While awareness and familiarity around AI have grown significantly over the past decade, new advancements have unlocked new capabilities, while also posing new risks. The proliferation of generative AI (GenAI), for example, has introduced a new learning curve just as many technologists were becoming accustomed to protecting companies from “traditional” AI threats.

We’ve seen AI implemented in education, healthcare, retail, entertainment and more. Cybersecurity is no exception, as AI continues to consistently be discussed across forum postings and service advertisements within underground cybercriminal communities, with actors promoting a range of topics such as video deep fakes. Additionally, some actors attempt to improve the scale or tasks within their criminal operations with the use of AI in more of a supporting role, such as the ability to scrape and analyze information about newly discovered software/product vulnerabilities (CVEs). This affords actors greater flexibility in how they can potentially generate their own exploits regardless of their technical proficiency. Walmart’s CI team is seeing larger conversations across the industry around the debate between convenience and security. Recent AI announcements have touted convenience gains for consumers (e.g., quick recall of previously accessed webpages or documents), but have fallen under scrutiny in terms of the security risks they pose. As new technologies and features become available, the CI team anticipates the continued debate between convenience and security.

Nexus to Retail: Though these technologies can greatly improve convenience and experience for online shoppers, businesses must ensure all AI solutions are enterprise-ready, and that they are aware of and have proactively planned to mitigate the risks associated with such technologies. Retailers must also get ahead of the customer questions and concerns, such as proactively communicating where AI is used and their strategies for securing the technology.

Retailers and their customers should increasingly be wary of the threat landscape as it relates to AI as reports of underground services offering a variety of AI-related features continue to emerge, including:

• The capability to generate fake news articles (e.g., misinformation articles targeting retailer initiatives or fake promotions)
• The capability of impersonating executives, public figures or celebrities
• The capability to generate readymade phishing templates to target shoppers

What Consumers Should Know: Consumers are more likely to encounter these schemes when threat actors create malicious advertisements or messaging that promotes fictitious features or promotions with the purpose of harvesting credential information or infecting them with a form of malware. To remain vigilant, consumers are advised to:

• Verify URL authenticity.
  • iOS users: Look for a closed lock icon at beginning of a URL in the Safari browser.
  • Other devices: Copy-paste address into Google's Transparency Report search bar: https://transparencyreport.google.com/safe-browsing/.
• Contact the organization directly to confirm legitimacy.
• Cross-check promotions offered by chatbots with the official website or verified customer support channels.
• Be aware of spelling and grammar. While sophisticated AI often avoids such mistakes, any discrepancies can be a clue to potential fraud.

2) There’s Plenty of (New) Phish in the Sea

Overview: Threat actors continue to innovate with new phishing methods as phishing can be a cost-effective and high-ROI fraud scheme. Particularly, the Walmart CI has seen:

• Actors are continuing to offer advanced phishing kits that proxy traffic between a victim and a legitimate website to steal session tokens and circumvent multi-factor authentication to capture usernames and passwords while appearing completely legitimate to unsuspecting victims. For example, the CI team noticed several retail companies seeing legitimate but compromised systems from educational institutions used to email their corporate employees. The actors attempted to ensure success by having the URLs embedded within the emails associated with legitimate URL protection services. The degree of initial success the actors had in ensuring emails were successfully delivered to targets was a result of the URLs embedded within the emails being masked via a URL protection service (e.g., url[.]emailprotection[.]link) and via bot denial services. Users would be met with what appeared as a traditional enterprise login page were they to interact with the link and attempt to enter their information.
• Threat actors attempting to social engineer company employees into downloading malware through a chat window used for customer support. The tactics employed centered on the use of domains configured to redirect to a legitimate content delivery network (CDN) while engaging targets through the live chat window.
• Wide availability of tutorials or guides on these phishing services assists in lowering the barrier for cybercriminals who are not as technically proficient. These types of phishing-as-a-service (PhaaS) programs are offered for monthly subscriptions, often leveraging compromised corporate accounts that are readily available to use (or purchase) in bulk. Some providers offer dozens of phishing templates (complete with images from legitimate corporations) and support features to better conceal them from security professionals.

Nexus to Retail: Shoppers and retailers need to remain up-to-date and vigilant on new phishing schemes and methods. Not all phishing events result in the immediate deployment of malware and shoppers should be wary of emails but also websites they are prompted to visit that contain what appear to be authentic retail imagery. Even if the purpose of the attack wasn’t just to deploy malware, actors commonly set up pages like this to act as a proxy for the purpose of harvesting their credential information often associated with online shopping.

What Consumers Should Know: To protect against phishing fraud, consumers can:

• Use QR code-scanning apps that incorporate security features such as URL filtering to check links against a database of known malicious sites before accessing them. These apps help detect malicious QR codes and prevent recipients from downloading malware or being redirected to phishing websites.
• Avoid becoming victims of the attacks by reviewing the URL directly. Users are also encouraged to access important pages, such as their webmail, by typing the URL directly into the web browser instead of relying upon search engines.

3) Third-Party Supply Chains Are Risky Business

Overview: As reports continue to emerge of the growing threat of the availability of stolen credential information within the criminal underground, Walmart CI has been closely monitoring reports of customers of a cloud infrastructure provider contending with intrusions off the back of a suspected vulnerability.

As the investigation has continued, the cloud infrastructure provider has stated that incident response work carried out has so far not turned up evidence of a vulnerability or misconfiguration in its platform that led to attacks against its customers. The extent to which this event was the result of supply chain vulnerabilities continues to be discussed, as open-source reporting later claimed that a prominent threat actor, ShinyHunters, stated to the news outlet in an interview that some accounts were compromised using the credentials of an employee at a company within the organization’s supply chain. An employee at this company was allegedly targeted in a spear-phishing attack that resulted in an infostealer infection. That infostealer allowed for the installation of a remote access trojan, which then allowed access to the whole computer, including credentials for the company.

Though the investigation and number of potential victims appear to be under review, CI continues to observe large volumes of credentials stolen by infostealers within underground sources on a regular basis. Buying stolen credentials in bulk or those associated with corporate employees who may have administrative access to particular systems is one of the easiest ways other threat actors gain access to organizations.

Nexus to Retail: Organizations across every industry may be aware of their own supply chain risks, but the supply chains of third parties also need to be accounted for. Retailers are not immune from this, as many have large-scale and complex supply chains. In the example of above, a threat actor attributed to multiple suspected intrusions of this organization was linked to new reports surrounding a luxury retailer disclosing a data breach in June. The statement that infostealer compromises occurred on contractor systems that involved personal activities exemplifies the role that employees play in safeguard their company’s respective supply chains, regardless of industry, even outside of normal business hours. Threat actors knowingly target personal systems for the hope of retrieving sensitive or proprietary information or credentials that may be available through these systems that have fewer corporate safeguards in place.