Axios Codebook

Hackers are ramping up their phishing and ransomware campaigns targeting the retail sector as the holiday shopping season kicks off.

The big picture: The ongoing economic downturn is prompting more shoppers to look for online discount codes and more hackers to trick these consumers with phony deals, threat analysts tell Axios.

• Ransomware gangs are also predicted to target small to medium-size businesses that could be more likely to pay off hackers to prevent an operational outage during the holiday season.

Why it matters: While the retail sector has gotten better at defending its systems against cyberattacks in recent years, no company can ever be considered completely hackproof.

• Traditional phishing lures — where hackers impersonate retailers in emails to collect consumers' login information and credit card numbers — are nearly impossible for retailers to track unless a consumer reports them.

Threat level: This year's economic downturn and the return of in-person holiday gatherings are exacerbating the existing threats that retailers have long had to fight, says Ashley Allocca, a threat analyst at cyber intelligence firm Flashpoint.

• Each year, analysts see a bump in the number of retail companies listed on ransomware extortion sites, where gangs post a list of victims they've targeted that haven't paid up yet, Allocca says.
• Phishing is also one of the "most popular hacking services advertised within illicit communities" this year, according to a report from the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) published earlier this month.

Details: Hackers rely on employees and consumers being too busy during the holiday seasons to spot scam emails.

• Phishing campaigns can lead to consumers entering their credentials and credit card info into fake sites or employees accidentally downloading ransomware at their organization.
• Reports of imposter websites, which mimic well-known retailers and place fake product listings that consumers purchase, also rise during the holidays.

Flashback: Nine years ago, Target responded to a data breach affecting millions of customers' credit cards that woke the retail sector up to the cyber threats they face.

The intrigue: Retailers have increasingly dedicated more resources since those attacks to fight cyber threats, and the industry has several cross-sector resources to help track and detect threats.

• RH-ISAC hosts pre-holiday season workshops for retailers aimed at alerting them to the top hacking techniques, Muktar Kelati, senior director of cyber threat intelligence at RH-ISAC, tells Axios.
• Many retailers also train their customer service teams to better detect fraudulent refund callers and field calls from consumers who spot a phishing or imposter website scam, Kelati adds.
• Christian Beckner, vice president of retail technology and cybersecurity at the National Retail Federation, tells Axios most retailers now have a pre-existing relationship with the FBI, which helps companies get tips on hackers' new tactics and makes them more comfortable calling in investigators whenever they are hacked.

What they're saying: "We see a lot of groups capitalize on these world events," Allocca says about the upcoming shopping season. "People are going to be keen to spend money; they might be under pressure."

Be smart: Monitor bank statements, double-check sender emails and website URLs, and be suspicious of any deals that seem too good to be true, experts tell Axios.

• "If it feels suspicious, it probably is suspicious," Allocca says.

Palo Alto Networks has investigated several incidents involving a data extortion gang using a growing social engineering tactic to extort retailers and other businesses out of hundreds of thousands of dollars, according to a report Monday.

Why it matters: The report highlights the range of threats retailers, other businesses and consumers are up against heading into the hectic holiday season — and the depths hackers will go to make sure they find success.

Driving the news: Researchers at Palo Alto Networks said they've uncovered an ongoing hacking campaign from a group known as both "Luna Moth" and "Silent Ransom" that ditches traditional malware attacks for phone calls.

How it works: The scam typically starts with a phishing email, sent through a legitimate service, to a corporate email claiming the recipient's credit card was charged for a recent service. The email usually has a PDF invoice attached.

• The invoice includes a phone number recipients can call if they have questions about the charges. Once they call, they're connected to a call center run by the malicious hackers.
• On the call, the hacker then walks the person through downloading and running a "support tool" that gives the hacker remote access to the victim's computer.
• Once inside, the hacker blanks out the screen so the victim can't see their actions and moves quickly to steal files and personal data from the device.
• The hacker follows up with an extortion email, detailing the data that was stolen and demanding payment to keep the hacker from leaking the data online.

The intrigue: The data extortion group behind these callback phishing attacks is suspected of having ties to the defunct Conti ransomware gang, a Russian group known for its attacks on hospital systems and other critical infrastructure.

Threat level: Researchers anticipate "callback phishing attacks to increase in popularity due to the low per-target cost, low risk of detection and fast monetization," the report says.

• The campaign is currently targeting the retail and legal sectors and is "actively evolving."

Federal prosecutors seized seven domain names that cybercriminals used to collect crypto investments, prosecutors said Monday.

Why it matters: This week's action appears to be the first time federal prosecutors have taken action against operators of a so-called "pig butchering" crypto scam.

The big picture: The FBI estimates that these social-engineering scams resulted in consumers losing more than $429 million in 2021.

• Pig-butchering schemes involve a cybercriminal befriending someone on a social media site, dating app or similar venue and then leveraging that friendship to get a crypto investment in one of their businesses.
• The scam can also start with someone claiming they texted the wrong number and continuing to carry on a conversation anyway.

Details: The U.S. Attorney's Office for the Eastern District of Virginia seized seven domains used in a scam from May through August that pretended to be the Singapore International Monetary Exchange.

• Five U.S. victims sent a total of more than $10 million to cybercriminals through those links, prosecutors said.
• "The victims’ funds were immediately transferred through numerous private wallets and swapping services in an effort to conceal the source of the funds," according to a press release.

By the numbers: Overall, victims lose an average of $121,926 during pig-butchering scams, according to the Global Anti-Scam Organisation.

• Roughly two-thirds of all victims are women between the ages of 25 and 40.
• About a third of victims have a graduate degree.
• 41% of victims met the scammer on Facebook, Instagram or WhatsApp.

The intrigue: The growth of pig-butchering scams comes as cybercriminals increasingly focus on social engineering, like hopping on the phone or building trust with victims, in their attacks to lure people into their schemes.

@ D.C.

👨🏻‍⚖️ The Department of Justice submitted an amicus brief in an ongoing Supreme Court case arguing that Israeli spyware maker NSO Group should not be considered a foreign government agent and thus should not be immune from lawsuits. (Supreme Court)

@ Industry

💰 Palo Alto Networks reported better-than-expected Q1 earnings earlier this week, with revenue rising 25% to $1.6 billion compared to $1.2 billion the same period last year. (Cybersecurity Dive)

🏛 A legal brief compiled by Apple in an ongoing lawsuit shows startup Corellium has offered its products to controversial vendors in Israel, the United Arab Emirates and Russia. (Wired)

🍎 Researchers at Mysk say Apple does collect personally identifiable information from iPhones, despite its privacy policy explicitly saying it does not. (Gizmodo)

@ Hackers and hacks

🏈 DraftKings says it has no evidence that its online betting platform was breached following reports of a hack. (CNBC)

👾 The AXLocker ransomware gang is now starting to also take over victims' Discord accounts during attacks. (BleepingComputer)

There's been a lot of doom and gloom about Twitter's fate these days, but I've really been enjoying the coverage of how the cybersecurity community is processing everything — and where they might turn to next, if not Twitter. (Hint: it starts with an M 👀.)