White Paper: Hacker Attacks Targeting Retailers Up 43%

Dell SecureWorks®, a leading provider of information security services, reported that hacker attacks targeting its retail customers increased 43 percent between the last nine months of 2010 and the first nine months of 2011. From January through September 2011, Dell SecureWorks blocked an average of 91,500 attacks per retail customer, as compared to 63,581 attacks per retail customer April through December 2010.

"Based on the attacks we detected in the first nine months of this year, criminals are more aggressively using the web as a primary attack vector for both clients and servers," said Jon Ramsey, Dell SecureWorks CTO. "We saw a significant increase in SQL Injection attacks against servers and exploit packs hosted on web sites, which contributed to the overall rise in retail attacks."

"Server protection requires strong secure software development practices, as well as detection and prevention controls," continued Ramsey. "Client protection requires good system hygiene and detection and prevention controls that limit exposure to attacks from malicious websites."

Top Attempted Retail Attacks

SQL Injection Attack

A technique that exploits security vulnerabilities in Web applications by inserting malicious SQL code into Web requests. "Although this attack is very well known, it is not surprising that we continue to see a high incidence of this threat, as hackers will use any technique that proves to be successful over and over, and sadly it continues to be," said Ramsey. Just this spring, it was reported that a hacker in Georgia used SQL Injection attacks to steal 675,000 credit card accounts, resulting in $36 million in fraudulent transactions. Cyber thieves also used SQL Injection attacks in the widely publicized breach of Heartland Payment Systems, Hannaford Brothers and three other retailers, where they made off with 130 million credit and debit cards.
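The weakness the paragraph describes, reduced to its essence, as an added example that is not from Dell SecureWorks or the white paper: a lookup that pastes a Web-request value straight into SQL, beside the parameterized form that the secure development practices the paper calls for would produce. The table, its rows and the request value are all constructed for the demo.

```python
import sqlite3

# Constructed demo database: a tiny in-memory orders table standing in
# for a retailer's back end (not data from the white paper).
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 42.50), (2, "bob", 99.99), (3, "carol", 15.00)],
    )
    return conn

def lookup_orders_vulnerable(conn, customer):
    # The Web-request value is pasted into the SQL text, so any quote
    # characters it contains become part of the query's structure.
    sql = "SELECT id, customer, total FROM orders WHERE customer = '%s'" % customer
    return conn.execute(sql).fetchall()

def lookup_orders_safe(conn, customer):
    # Parameter binding: the driver sends the value separately from the
    # statement, so request content can never change the query's logic.
    sql = "SELECT id, customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()

if __name__ == "__main__":
    db = build_demo_db()
    # A request value carrying a tautology instead of a customer name.
    hostile = "x' OR '1'='1"
    print(lookup_orders_vulnerable(db, hostile))  # every row is returned
    print(lookup_orders_safe(db, hostile))        # no such customer: []
```

An IPS signature can catch the well-known tautology shapes at the network edge, but only the parameterized query removes the flaw itself.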

Web-based Exploit Kit Attacks

Dell SecureWorks also blocked a large number of Web-based Exploit Kit attacks against its retail customers. Exploit kits are tools that cyber criminals use to distribute a wide variety of malware, and this year we saw an increase in attacks from one of the most popular exploit kits on the underground, Blackhole. Computer users are generally redirected to exploit kits without their knowledge through malvertisements (poisoned text ads), compromised sites, or spam email messages that contain a malicious embedded link. When a computer user encounters an exploit kit, the kit invisibly probes the visitor's browser or browser plug-ins (e.g. document viewers, music and video players, rich-content applications) for known security vulnerabilities. If vulnerable applications are found, they are used as a vehicle to silently install malicious software. Often, this malware consists of banking Trojans such as ZeuS or SpyEye; Downloader Trojans; DDoS or spam Trojans; or rogue anti-virus.

"The fact that a large number of Exploit Kit attacks were blocked indicates not only an increase in these attacks but also that there are unpatched security vulnerabilities in the retail employees' third-party applications, such as Java and Adobe. All organizations, including retailers, should continually assess their patching policies, ensuring that their applications and operating systems are kept up to date and patched in a timely fashion," said Ramsey.

Downloader Trojan Attacks

Another prevalent attack type attempted against Dell SecureWorks' retail customers was the Downloader Trojan. These are relatively small, highly obfuscated malicious programs. Their primary mission is to bypass and disable a computer's host-based security programs, such as anti-virus and firewalls, so that other malicious payloads can be downloaded and installed on command without tripping security alerts. Downloader Trojans are primarily distributed by rogue pay-per-install (PPI) affiliates using malvertisements, misleading links, or redirects to Web Exploit Kits. They can also be disguised as fake codecs for viewing video, pretend to be updates to browser plug-ins, piggyback on files shared via P2P (peer-to-peer) file-sharing networks, or arrive as email attachments. The PPI operator sells access to the download functionality of its bots (infected machines) to other botnet operators and to purveyors of adware, spyware, and other malicious code.

Key Tips for Securing the Endpoint (PC)

Several years ago, we saw the trend shift from hackers targeting the organization's servers to targeting employee PCs, and this trend is continuing. These are known as client-side attacks. In order to defend against these attacks, organizations need to make sure that their computer applications and operating systems are kept up to date and patched and that they have robust security measures in place, including current antivirus software to protect against the latest threats.

Dedicated Computers for Bill Pay, Payroll, and Corporate Financial Transactions

Dell SecureWorks recommends that retail employees working in accounts payable, payroll, or other financial areas of the company, have a dedicated computer for online banking, payroll processing, bill payments and related tasks. The dedicated computer should never be used to access email or surf the Web, as those are the two major infection vectors for malware.

End-user Training and Policies

Information security training and policies are critical in defending against client-side attacks, according to Ramsey. "Employees need to utilize effective passwords and always need to be wary of emails with links or attachments, even if they come from someone they know," said Ramsey. "Computer users need to confirm with the sender that they sent the email, prior to clicking on attachments or links. This is especially true when it comes to defending against Trojans that steal financial information, such as ZeuS, SpyEye and Coreflood."

Key Tips for Securing the Network

Implement a robust Intrusion Prevention Solution (IPS)

To defend their network against SQL Injection Attacks, Web Exploit Kits and Downloader Trojans, retailers should implement an Intrusion Prevention Solution (IPS) that has countermeasures to detect and block current and emerging cyber attacks.

Implement a Web Application Firewall

Web application firewalls should be maintained and monitored continuously by a security expert to help prevent Web applications from being infiltrated.

Monitor servers and security devices 24x7x365

Servers and security devices, such as firewalls, IDS/IPS, and host anti-virus, should be monitored round-the-clock to spot security issues and remediate them in real time.

Timely and Actionable Intelligence

There are versions of malware for which countermeasures cannot be written. Organizations should therefore always have current, actionable intelligence about the latest threats and the IP addresses associated with them, so that their security team can spot an infection inside the network that is trying to send valuable data back out to the hackers. Security experts who have their finger on the pulse of the threat landscape can provide this Threat Intelligence.

Regular Vulnerability Scans and Penetration Tests

Regular vulnerability scans, especially Web application vulnerability scans, and network penetration tests can help retailers identify issues and improve their security posture, especially when defending against Web application attacks.

Web Content Filtering

To protect against Web-Exploit Kit and Downloader Trojan attacks, retailers need to implement Web content filtering, as well as network and host-based antivirus solutions.

Key Tips for the CSO/CIO

Develop a Centralized Plan for Timely Patch Management and Security Updates

A centralized plan which keeps security software updated and servers and workstations fully patched, in a timely fashion, is imperative.

Implement Secure Software Development Life Cycle Processes

Retailers that implement Secure Software Development Life Cycle Processes help ensure that Web applications and other software programs are written securely.

Implement Authenticated Proxy Server

Retailers should consider implementing an Authenticated Proxy Server to help IT administrators determine if there is a computer on the network which is infected and which user requested the malicious web page.
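The two monitoring tips above, matching outbound requests against threat-intelligence indicators and tracing a hit back to the machine and the authenticated user that made it, combined into one added example that is not code from Dell SecureWorks. The proxy log format, the sample lines and the indicator list are all constructed here (documentation IP ranges and a reserved `.invalid` name, not real indicators).

```python
import re
from collections import defaultdict

# Constructed threat-intelligence feed: destinations associated with
# exploit-kit landing pages or Trojan check-ins. Placeholder values only.
THREAT_INTEL = {"203.0.113.45", "198.51.100.7", "ek-landing.invalid"}

# Assumed log format for an authenticating proxy (one line per request):
# <timestamp> <client_ip> <username> <method> <url> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/:]+)")

def parse_line(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    h = HOST_RE.match(rec["url"])
    rec["host"] = h.group("host") if h else rec["url"]
    return rec

def find_hits(lines, intel):
    """Map (client_ip, user) -> [(ts, host)] for requests to known-bad hosts."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"] in intel:
            hits[(rec["client"], rec["user"])].append((rec["ts"], rec["host"]))
    return dict(hits)

# Constructed sample log lines, including one malformed line to skip.
SAMPLE_LOG = """\
2011-09-14T10:02:11 10.1.4.22 jsmith GET http://www.example.com/ 200
2011-09-14T10:02:15 10.1.4.22 jsmith GET http://ek-landing.invalid/in.php 200
2011-09-14T10:02:19 10.1.4.22 jsmith POST http://203.0.113.45/gate.php 200
2011-09-14T10:03:02 10.1.7.90 mlee GET http://www.example.org/news 200
not a log line
""".splitlines()

if __name__ == "__main__":
    for (client, user), events in find_hits(SAMPLE_LOG, THREAT_INTEL).items():
        print(f"{client} ({user}): {len(events)} request(s) to known-bad hosts")
        for ts, host in events:
            print(f"  {ts} -> {host}")
```

The username field is what the authenticated proxy adds: without it the hit would identify a client IP, which on a DHCP network may already belong to a different machine by the time the analyst looks.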

Implement Policies for Executable File Downloads, Peer to Peer Networks, Risky Websites

Retailers should implement and enforce policies that forbid employees from downloading executable files via the Internet, using Peer to Peer networks, or visiting risky websites (e.g. sites hosting free copies of software, music or movies, adult-content sites, and gaming sites).


SecureWorks currently protects 96 retail customers in the US and abroad. Attack statistics are from an 18-month study of 37 customers using Dell SecureWorks' Managed Intrusion Detection and Prevention service (IDS/IPS) at the edge of their network, giving Dell SecureWorks visibility into all attempted network attacks while blocking them. In addition to retail organizations, SecureWorks protects financial institutions, utilities, manufacturers, healthcare organizations, technology providers and government organizations. For more information on retail security solutions from Dell SecureWorks, please visit http://www.secureworks.com/compliance/industries/retail/
