Cybersecurity, Emergency Preparedness, Emerging Issues in Security

2022 Holiday Season Cyber Threat Trends for the Retail and Hospitality Industry

For the retail, hospitality, and travel community, the holiday season is the most intense time of year for persistent threats. From the beginning of October through the end of December, attempted cyberattacks expand in both scale and magnitude to match the rise in consumer traffic.

To help provide cybersecurity professionals in consumer-facing businesses with information on the holiday threat landscape, the Retail & Hospitality ISAC has developed a 2022 Holiday Season Threat Trends Summary report, which compares data from previous holiday seasons with information member companies and our Associate Member partner, Flashpoint, are currently seeing so far this year.

Here are some of the key findings from that report:  

Fraud Is a Top Concern this Holiday Season

  • Gift card purchases and usage are high during the holiday season, providing the perfect cover for threat actors using gift cards to launder money from compromised credit cards and payment sites. Security teams should be watching gift card threshold and rate limits and movement of gift cards across accounts.  
  • Return fraud is another popular tactic for threat actors looking to capitalize on holiday shopping trends. Attack tactics in this area have continued to evolve as mitigation efforts adapt, but organizations can help reduce the impact of these types of attacks by working closely with their customer service departments to provide training on return fraud.
  • Account takeover (ATO) typically ramps up around the holidays as fraudsters prepare for account abuse. Security teams are focusing more this year on the identification of ATO tactics and campaigns so they can expedite locking compromised accounts, minimizing the time of exposure for fraud activity to occur.
  • The holidays are often when there is high demand for limited-edition products. The use of bots to acquire these items and resell them at high markups has been a challenging trend for retailers. The use of automation to support this activity causes significant negative side effects on the back end and can even lead to DDoS-like disruptions.

Phishing and Credential Harvesting Are on the Rise

Credential harvesting is among the most prevalent and long-term consistent attack trends reported by the RH-ISAC community, frequently rating as the most common threat on a weekly basis. In 2021, credential harvesting indicators made up 17% of the IOCs shared during the holiday season, up from 13% in 2020. RH-ISAC analysts expect credential harvesting to remain a top threat this year as well, with members reporting an increase in targeted phishing attempts, including phishing messages from individuals posing as company executives.

Cyber threat intelligence platform Flashpoint has conducted research as well, confirming this trend, identifying phishing as the most popular hacking service advertised within illicit communities this year. These phishing services can come in the form of bespoke scam pages, SMS phishing (smishing), and emails with malicious attachments. Traditionally, during the holiday shopping season, these phishing messages have taken the form of fake coupons or discount codes.

Ransomware Remains a Threat for the Retail Industry

Financially motivated actors target retailers for ransomware attacks during the holidays knowing the impact that operational downtime could have on a retailer’s profitability during the most lucrative time of year. During last year’s holiday shopping season, between October and January, Flashpoint identified a total of 20 leaks originating from retail organizations.

Based on this trend, it is likely that retailers will experience an increased threat of ransomware attacks during the upcoming holiday season as well. Ransomware gangs and affiliates will be targeting retailers assuming that their victims will be more apt to pay a ransom to minimize downtime and to keep their names off leak sites. The impact of ransomware attacks could negatively affect overall profitability, whether it be due to operational downtime or a damaged brand reputation.

Already in 2022, U.S.-based retail entities are the most heavily targeted industry, based on Flashpoint reporting of advertisements for data and access within illicit communities.

Access to Threat Intelligence Feeds Provide a Competitive Advantage

When it comes to hardening their defenses against these attacks, the retail and hospitality industry reported multiple tools and practices that provided a competitive advantage. Most frequently mentioned was access to threat intelligence, whether through CTI feeds, the dark web, or other threat intel sources. Members of the RH-ISAC community highlighted their access to community resources and sharing platforms, as well as their access to RH-ISAC threat intelligence, as competitive advantages in their holiday season prep.

Suzie Squier is the president of the Retail & Hospitality ISAC (RH-ISAC). She has been connected to the ISAC since its inception and is responsible for the overall management and growth of the organization. Prior to joining the RH-ISAC, Squier was executive vice president of member services for the Retail Industry Leaders Association. She is a graduate of the University of Maryland.