New research by Netskope Threat Labs has revealed that IoT botnets, remote access tools and infostealers were the key malware families deployed by attackers targeting the retail sector in the past year. The findings were revealed in a new report on the retail sector.
Retail has also undergone a shift in the past 12 months from predominantly Google Cloud-based applications towards Microsoft apps like Outlook. In last year’s report, Google applications were far more popular in the retail sector than in other industries, but over the past year the researchers have seen a resurgence of Microsoft’s popularity. This is particularly evident for storage with the gap between OneDrive and Google Drive widening over the past year, with the average percentage of users shifting from 43% to 51% for OneDrive and falling from 34% to 23% for Google Drive. Similar trends were observed with Outlook (21%) supplanting Gmail (13%) as the most popular email app.
Microsoft OneDrive remains the most popular cloud application for malware delivery across all sectors including retail. Attackers gravitate towards tactics that capitalise on users’ trust and familiarity with OneDrive, increasing the likelihood they will click on the links and download the malware. In retail, attacks via Outlook are more successful than in other sectors – retail sees twice as many malware downloads via Outlook (10%) as other industry averages (5%).
The research also found that botnets and trojans are targeting network devices. Specifically, the Mirai botnet family has increasingly been seen to target exposed networking devices running Linux such as routers, cameras, and other IoT devices in the retail environment. Similarly, remote access trojans (RAT) were popular as they allow access to browsers and remote cameras, sending information to attackers or receiving commands. Since the leak of Mirai malware’s source code, the number of variants of this malware has increased considerably and poses a risk to retail as a sector with multiple vulnerable endpoints.
Paolo Passeri, Cyber Intelligence Principal at Netskope said: “It’s surprising that the retail sector still finds itself specifically targeted with botnets like Mirai as attackers look to compromise vulnerable or misconfigured IoT devices across retail locations and abuse them to dramatically amplify the effect of a Distributed Denial of Service (DDoS) attack. Mirai is not a particularly recent threat, and since its discovery in 2016, there are now multiple variants used today. The fact that attackers continue to use it to target IoT devices shows that too many organisations continue to dangerously overlook the security posture of their internet-connected devices. This poses a significant risk not only for the targets of the attacks launched from the IoT botnet but also for the organisation whose IoT devices are enslaved into the botnet, since their exploitation can easily lead to outages that impact the functioning of the business.”
The popularity of WhatsApp in retail also increased. In fact, the app was three times as popular in retail (14%) than other industries (5.8%) both for average usage and downloads. However, WhatsApp was not listed among the current top apps for malware downloads. This may change as threat actors start to see its popularity justifying the economic case to direct more attacks via the app. Social media applications like X (12%), Facebook (10%) and Instagram (1.5% for uploads) were all more popular in retail than other industry averages.
Netskope Threat Labs recommends that retail enterprises inspect all HTTP and HTTPs downloads, ensure that high-risk file types are thoroughly inspected before being downloaded and that Intrusion Prevention Systems (IPS) are used, among other preventative measures.
