Part 3: Protecting The Customer Journey: Learning from 2019’s High Profile Breaches and Attacks

Consumers today are using more touchpoints than ever to interact with brands. Customer journeys are becoming increasingly complex, spanning multiple channels, assets, and involving multiple departments and business processes across the entire organization.

This complexity makes customer journeys notoriously difficult to secure. In our first blog of the customer journey blog series, we talked about the three steps that organizations can take to create a secure customer experience model. In the second blog, we looked at the various vulnerabilities at each point in the customer journey.

In this final part, we look into the top breaches and attacks of 2019 and how they relate to the customer journey. Threat actors are known to target all parts of the complex customer journey; from product discovery to post-delivery customer service interactions.

Customer Journey Stage: Goods and Services Discovery

Brand: Starbucks

When? August 1, 2019

What happened: Due to an internal oversight, a neglected corporate subdomain was left with an active CNAME record.

Hijacking a legitimate subdomain is a potent attack vector that can be used to stage phishing and ATO attacks and distribute malware throughout the organization.

An independent researcher discovered that a neglected Starbucks subdomain had a DNS pointer to an Azure cloud host, leaving the corporate environment exposed. The error consisted of not removing a CNAME (canonical name) record from the corporate domain that pointed to an abandoned resource on Azure for the subdomain “datacafe-cert.starbucks.com”. This asset enables anyone to register the cloud host and then receive the data intended for the subdomain.

A threat actor could further leverage the abandoned assets and use the Starbucks subdomain to carry out cross-site scripting (XSS) and session hijacking attacks. In this case, the same-origin policy (SOP) would have no effect.

This type of security breach is very common and often occurs after a company runs a marketing campaign or runs pre-production tests. Once a resource is no longer required, organizations often forget to clean the DNS records, leaving their environment exposed to a would-be attacker.

Customer Journey Stage: Login

Brand: Fortnite (an EA Games title)

When: January 16, 2019

What happened: Neglected subdomains left a legitimate user session exposed to hacking

With 200 million users worldwide, 80 million of whom are active each month, Fortnite presents a lucrative target for an attack. CyberInt and CheckPoint discovered a vulnerability in the EA Games client, whereby researchers were able to hijack legitimate user sessions with a multi-stage attack. The attack chain took advantage of abandoned subdomains and then leveraged the use of authentication tokens in conjunction with the OAuth Single Sign-On (SSO) and TRUST mechanism built into EA Games’ user login process.

CyberInt and CheckPoint researchers disclosed the vulnerabilities, allowing EA to fix and update their application and processes without awakening threat actors’ instinct to hack gamers.

Customer Journey Stage: Browse

Brand: WooCommerce

When: March 12, 2019

What happened: Critical XSS vulnerability exploited with a popular WordPress plugin

Threat actors were targeting WordPress sites through a vulnerability found in a popular plugin, “Abandoned Cart Lite for WooCommerce”, which is installed on over 20,000 WordPress sites.

In this breach, threat actors were able to utilize the plugin’s functionality to plant malicious scripts into a targeted store’s database by placing an exploit code in one of the shopping cart’s fields, adding the item to the cart, and then leave the site. This action triggered the plugin to store the exploit code in the shop’s database.

Customer Journey Stage: Shopping Cart

Brand: MyPillow & Amerisleep

When: March 21, 2019

What happened: Credit card skimming attack on a typosquatting domain

MyPillow & Amerisleep recently experienced a breach at the hands of Magecart who targeted online retailers with credit card skimming software.

First, the threat group registered a typosquatting domain, mypiltow.com, and used ‘Let’s Encrypt’ to implement an SSL certificate and steal online credentials. Then, they injected a script, containing a heavily obfuscated skimmer into the fake website. Visitors who were fooled into thinking it was MyPillow’s legitimate site entered their payment card info.

Customer Journey Stage: Check Out and Order

Brand: Graeter’s Ice Cream

When: January 22, 2019

What happened: Compromised checkout page

Cincinnati-based Graeter’s Ice Cream notified its 12,000 customers that their credit card information had been exposed through a malicious script placed on the company’s checkout page. As a result, thousands of people who purchased products online in 2018 may be at risk.

Customer Journey Stage: Delivery

Brand: Desjardins Group

When: June 21, 2019

What happened: Malicious insider threat

The Canadian cooperative of credit unions announced that “an ill-intentioned employee” had stolen the information of approximately 2.7 million clients and 173,000 businesses for personal gain. While the insider threat was removed from the company, the consequences are likely to be long-lasting.

Customer Journey Stage: Customer Service

Brand: Expedia

When: July 17, 2019

What happened: Refund Scam

Scammers posed as customer service representatives using a fake support number that claimed to be Expedia, to scam unsuspecting consumers out of thousands of dollars.

The scam targeted Expedia’s customers who were calling these fake numbers to confirm or change a reservation they had made through the Expedia website. The scammers were telling callers that the refund site was not working and asked the consumers to purchase gift cards in order to receive refunds or change their bookings.

The Importance of Securing Each Point of the Customer Journey

As you can see from the above examples, securing the end-to-end customer journey is becoming increasingly complex. Threat actors are targeting each touchpoint between a consumer and the brand, from pre-purchase research to post-purchase customer service inquiries.

Faced with this reality, security teams need to switch gears from focusing on the individual touchpoints and start looking at the customer journey as a whole.

The key to securing the customer journey lies in the continuous analysis of all the organization’s digital assets, including social media accounts, IP addresses, websites, brands, domains, and other digital assets and profiles. Brand protection and fraud prevention can be successfully achieved by taking the outside-in approach with advanced threat intelligence.

Download the eBook now for actionable guidelines on how to ensure your customers security throughout the entire online buyer’s journey.