IoT botnets, remote access tools and infostealers were the key malware families deployed by attackers targeting retail in the past year, according to a report from Netskope Threat Labs.

Overall, almost half (47%) of all malware delivered to employees in the retail sector in the last 12 months were via cloud applications they use every day. Retail has also undergone a shift over the past year from predominantly Google Cloud-based applications towards Microsoft apps like Outlook. 

Infostealers are a prominent malware family for the retail sector as attackers attempt to steal valuable data such as payment details.

The Mirai botnet family has increasingly been seen to target exposed networking devices running Linux such as routers, cameras, and other IoT devices, which can provide visual or sensor information that assist cybercrime or are abused to launch DDoS attacks against other targets. 

Similarly, remote access trojans (RAT) were popular as they allow access to browsers and remote cameras, sending information to attackers or receiving commands. Since the leak of Mirai malware’s source code, the number of variants of this malware has increased and poses a risk to retail as a sector with multiple vulnerable endpoints. 

In last year’s Netskope Lab Threats report, Google applications were far more popular in the retail sector than in other industries, but over the past year the researchers have seen a resurgence of Microsoft’s popularity.

This is particularly evident for storage with the gap between OneDrive and Google Drive widening over the past year, with the average percentage of users shifting from 43% to 51% for OneDrive and falling from 34% to 23% for Google Drive. Outlook (21%) is supplanting Gmail (13%) as the most popular email app.  

Microsoft OneDrive remains the most popular cloud application for malware delivery across all sectors including retail. Attackers gravitate towards tactics that capitalise on trust and familiarity with OneDrive, increasing the likelihood they will click on the links and download the malware.  

In retail, attacks via Outlook are more successful than in other sectors – retail sees twice as many malware downloads via Outlook (10%) as other industry averages (5%). 

WhatsApp was three times as popular in retail (14%) than other industries (5.8%) both for average usage and downloads. However, WhatsApp was not listed among the current top apps for malware downloads. This may change as threat actors start to see its popularity justifying the economic case to direct more attacks via the app. Social media applications like X (12%), Facebook (10%) and Instagram (1.5% for uploads) were all more popular in retail than other industry averages. 

Netskope cyber intelligence principal, Paolo Passeri said, “It’s surprising that the retail sector still finds itself specifically targeted with botnets like Mirai as attackers look to compromise vulnerable or misconfigured IoT devices across retail locations and abuse them to dramatically amplify the effect of a Distributed Denial of Service (DDoS) attack.

“Mirai is not a particularly recent threat, and since its discovery in 2016, there are now multiple variants used today. The fact that attackers continue to use it to target IoT devices shows that too many organisations continue to dangerously overlook the security posture of their internet-connected devices.

“This poses a significant risk not only for the targets of the attacks launched from the IoT botnet but also for the organisation whose IoT devices are enslaved into the botnet, since their exploitation can easily lead to outages that impact the functioning of the business. This vulnerability, coupled with the use of infostealers and remote access malware to extract credentials and customer financial data makes the retail sector a potentially lucrative target.”

Netskope Threat Labs has made several recommendations for best practices for enterprises in the retail sector to counter these threats:

  • Inspect all HTTP and HTTPS downloads, including all web and cloud traffic, to prevent malware from infiltrating your network. 
  • Ensure that high-risk file types like executables and archives are thoroughly inspected using a combination of static and dynamic analysis before being downloaded. 
  • Configure policies to block downloads and uploads from apps and instances that are not used in your organisation to reduce your risk surface to only those apps and instances that are necessary for the business and minimise the risk of accidental or deliberate data exposure from insiders or abuse by attackers. 
  • Use an Intrusion Prevention System (IPS) that can identify and block malicious traffic patterns, such as command and control traffic associated with popular malware. Blocking this type of communication can prevent further damage by limiting the attacker’s ability to perform additional actions.
  • Use Remote Browser Isolation (RBI) technology to provide additional protection when there is a need to visit websites that fall into categories that can present higher risk, like newly observed and newly registered domains.