Corporate Security Ben Luxon

Stopping Organized Retail Crime with Improved Situational Awareness

Organized retail crime is the substantial theft or defrauding of a retailer by an organized group of people as part of a larger criminal operation.

What is Organized Retail Crime (ORC)?

Organized crime continues to be a growing concern for the retail industry. 97% of those surveyed said they've been victimized by ORC in the past 12 months. When we talk about ORC, we aren’t talking about a few teenagers slipping sunglasses into their bags. We are talking about the substantial theft or defrauding of a retailer by an organized group of people as part of a larger criminal operation.

The primary objective of these criminals is to turn a profit. This means their theft is rarely, if ever, for their own personal use. Instead, they employ strategies such as obtaining illegitimate refunds for stolen goods, thefts of credit card information from vendors, or reselling those aforementioned stolen goods.

Typically, for these organizations to operate profitably, they need to steal in substantial quantities. In fact, it is estimated that retailers had an average loss of $703,320 per $1 billion in sales directly due to ORC in 2019. The scale of organized retail crime operations can be devastating for retailers, and these operations are responsible for billions of dollars' worth of losses each year in the retail sector.

Many factors play into this, including rising felony thresholds that reduce the risk for ORC criminals. In addition, respondents say ORC gangs are becoming more violent. And over two-thirds of those questioned said they’d seen an increase in ORC activity.


Types of Organized Retail Crime

There are two main ways that retailers are targeted. The first is retail fraud, where the threat actors use one of many fraudulent strategies to make a profit at the retailer's expense. The second is theft, where they steal product from the retailer and resell it, usually through e-commerce channels or even dark web commerce sites.

Fraud and Organized Retail Crime

Refund or Return Fraud - This is when an individual or group returns merchandise they stole for cash or credit from the store. An alternative strategy involves attempting to return counterfeit merchandise.

Counterfeit Money - Groups use counterfeit money to make numerous purchases from across a range of stores to avoid suspicion. Then they return the products for real cash or they sell the product online. Alternatively, they might purchase gift cards and then sell those on for real cash.

Serial Number Fraud - The organization might legitimately purchase goods and then sell the serial number for a replacement, claiming it has broken. Often, replacement goods are sent before the damaged ones are received by the retailer. They can then make a profit off of the fraudulently claimed item.

Gift Card Fraud - There are a few ways that gift cards can be used by organized retail crime groups. First, a stolen credit card could be used to buy gift cards. Second, gift cards often have fairly simple serial number sequencing; attackers can learn the sequence of the cards and, when they are legitimately loaded, make a clone of the card to sell or use themselves.

Credit Card Fraud - Because of the amount of transactional data that retailers have, they are a prime target for hackers. These hackers could be looking for credit card data, banking details, or simply personal information. This they will likely sell off to the highest bidder through a dark web marketplace rather than use themselves.

Theft and Organized Retail Crime

Mass Shoplifting - This can take various forms. In one, members of a group go separately to various retailers and boost a substantial amount of merchandise without anyone noticing. Alternatively, they might take a smash and grab approach, where a large group rushes into a store, grabs what they can, and rushes out just as quickly, potentially making off with thousands worth of goods.

Robbery - This is when an individual or group targets a specific retailer, often for cash in the till. This kind of robbery can be violent and safety should always be the primary concern for the retailer. 

Smash & Grab / Burglary - Organized retail crime groups have been known to target high-quality retail stores for high-value merchandise they know they can profit from. For example, designer clothing, electronics, and jewellery. This could involve smashing the front window with a brick or a more subtle entry involving access through air vents or by manipulating an employee to gain access after closing.

Cargo Theft - One of the key strategies employed by organized crime groups is the theft of cargo. Cargo is defined as merchandise that has yet to reach its final destination. Examples of this include theft from warehouses or from lorries whilst they are in transit. This allows the criminals to steal large quantities of goods in one go.

73% of retailers surveyed said they've been a victim of cargo theft in the past year. En route from distribution center to store is the most common place for cargo theft to occur.

Improved Situational Awareness for Preventing and Mitigating Threats Associated with ORC

To combat the threat of organized retail crime, 65% of retail executives surveyed said they were prioritizing ORC more now than 5 years ago. To do this, 56% said they have or plan to allocate additional technology resources to fight risk and 44% said they would be increasing their loss prevention budgets.

Loss prevention strategies include more stringent return policies, better gift card serializing, electronic article surveillance, and improved video surveillance. To improve the overall effectiveness, it’s also important to support loss prevention teams with accurate and up-to-date intelligence.

Using OSINT tools like Signal you can quickly become aware of and mitigate damages from a range of potential threats from organized retail crime such as: 

  • Cloned gift cards for sale on the dark web.

  • A conversation suggesting cargo was going to be targeted. 

  • Data breaches of sensitive customer data.

  • Plans for after hours break-ins.

  • Product serial numbers found for sale on Telegram.

  • Stolen goods found online.

Corporate Security Ben Luxon

Fighting Disinformation: How to Detect Bots and Determine Fake News

In our increasingly digital world the proliferation of disinformation forms a serious threat to organizations. To combat misinformation companies need the right tools and information.

In an increasingly digital world, there is scope for fake news publishers to make a huge social impact as well as large profits through the spread of disinformation. Accordingly, this is a problem that has grown and will continue to grow. The spread is compounded by our very human natures, which compel us to engage with inflammatory content and often share before we’ve had time to fact-check and verify.

The spread of disinformation is problematic on a number of levels: it can impact a brand's image, spread harmful or misleading medical information, as we’ve seen throughout COVID-19, or even undermine democracy itself, as was seen in the 2016 US elections. Ultimately, to combat misinformation, organizations need to be equipped with the right tools and understand both what they’re looking for and the reasons for spreading misinformation.

The High Cost of Fake News

There are serious potential ramifications for the unchecked proliferation of misinformation which can impact both B2C and B2B organizations. For example, a competitor or disgruntled customer or employee could hire or create a fake news publisher to damage your brand image for purposes of revenge or to gain a competitive market advantage. 

These adversarial news generation sites could easily generate a huge amount of very believable content, syndicate across a number of channels, and promote heavily through social media, potentially through the use of bots. Overwhelmed companies would face a significant challenge when developing a response to counteract these examples of bad “press” and it would be necessary for those targeted organizations to have real-time actionable data at their fingertips.

How do you Spot a Bot?

Anonymity

Real people sharing real stories will have full accounts, normally with a photo of themselves. These people will have friends, followers, and family, and will likely engage largely with their friends' content. The opposite is fairly true for bots. Bots, by their very nature, don’t have identities, which often results in bot accounts appearing highly anonymous.

This could be evidenced in the lack of information they share, or perhaps they use a generic profile picture like a well-known landmark.

Activity

How frequently they post, and how successful those posts are, are good indicators of a bot. For example, you might come across an account with only one post and no followers, yet that post has thousands of shares.

Content

The people that create bots have an agenda, whether that’s to drive traffic to a website, generate income, spread political disinformation, etc. Whatever their reason, the bots will be used to achieve it, which means all their posts will have a common theme, such as inflammatory political context.

Stolen photo

It’s not uncommon for bots to steal profile pictures. A quick test can be running their profile picture through Google image finder to find the real owner of the image.

Things might appear real at a glance, but prove to be fake on closer inspection.

A quick checklist for botnet detection

Bot accounts used in one network or campaign usually have several of the below listed features in common:

  • Multiple accounts with similar names or handles;

  • Accounts were created on the same date;

  • Each account is posting to the same sites, or even the exact same links;

  • The same phrasing or grammatical error appears across the accounts;

  • They all follow each other and/or share each other's posts;

  • They use the same tool for link shortening;

  • The bios have similarities;

  • Profile pictures are generic or identifiably not them (easily searchable through Google).

Obviously, just because some accounts have similarities doesn’t mean they are all bots. However, it should certainly raise some eyebrows in suspicion, especially if you have four or five accounts with several of these signs.
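One way to apply the checklist to account metadata, as an added example that is not from the original article or from Signal: it counts shared checklist features for each pair of accounts and reports groups of four or more linked accounts. The `Account` fields, the `SHORTENERS` list, the thresholds and the sample accounts are all assumptions constructed for illustration; the phrasing and profile-picture checks are left out because they need post text and a reverse image search.

```python
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from itertools import combinations
from urllib.parse import urlparse
import re

@dataclass
class Account:                       # hypothetical record of public profile data
    handle: str
    created: str                     # ISO date the account was created
    bio: str
    links: set = field(default_factory=set)
    follows: set = field(default_factory=set)

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # assumed, non-exhaustive list

def _similar(a, b, threshold=0.8):
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold

def _stem(handle):
    # "deal_alerts03" -> "deal_alerts": numbered variants of one name
    return re.sub(r"\d+$", "", handle.lower())

def _shorteners(account):
    return {urlparse(u).netloc for u in account.links} & SHORTENERS

def shared_signals(a, b):
    """Return the checklist features that accounts a and b have in common."""
    signals = set()
    if _stem(a.handle) == _stem(b.handle) or _similar(a.handle, b.handle):
        signals.add("similar_handle")
    if a.created == b.created:
        signals.add("same_creation_date")
    if a.links & b.links:
        signals.add("same_links")
    if _shorteners(a) & _shorteners(b):
        signals.add("same_shortener")
    if a.handle in b.follows and b.handle in a.follows:
        signals.add("mutual_follow")
    if a.bio and b.bio and _similar(a.bio, b.bio):
        signals.add("similar_bio")
    return signals

def suspicious_clusters(accounts, min_signals=3, min_size=4):
    """Link pairs sharing >= min_signals features; return groups >= min_size."""
    parent = {a.handle: a.handle for a in accounts}

    def find(x):                     # union-find with path compression
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(accounts, 2):
        if len(shared_signals(a, b)) >= min_signals:
            parent[find(a.handle)] = find(b.handle)
    groups = {}
    for a in accounts:
        groups.setdefault(find(a.handle), []).append(a.handle)
    return [sorted(g) for g in groups.values() if len(g) >= min_size]

# Constructed sample data: four coordinated accounts and two ordinary ones.
BOT_HANDLES = [f"deal_alerts{i:02d}" for i in range(1, 5)]
SAMPLE_ACCOUNTS = [
    Account(h, "2020-03-02", "Best deals daily! Follow for more.",
            {"https://bit.ly/constructed-1"}, set(BOT_HANDLES) - {h})
    for h in BOT_HANDLES
] + [
    # An ordinary user who reshared the same link: two signals, not enough.
    Account("maria_garcia", "2014-06-11", "Nurse, runner, dog person.",
            {"https://bit.ly/constructed-1"}, {"tom.reads"}),
    Account("tom.reads", "2016-11-20", "Books and coffee.",
            {"https://example.org/review"}, {"maria_garcia"}),
]

if __name__ == "__main__":
    for cluster in suspicious_clusters(SAMPLE_ACCOUNTS):
        print("review together:", ", ".join(cluster))
```

The output is a list of accounts to review together, not a verdict, in line with the caveat that similarities alone do not prove an account is a bot.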

Fake Accounts vs. Account Takeovers

We outline above a few of the tell-tale signs of a bot. There is an additional tactic that is commonly used to amplify the distribution of fake or inflammatory content and this is through an account takeover. 

For this approach, botnet operators perform credential stuffing attacks on social media accounts and then use the accounts they gain access to in order to spread information through direct messaging or by sharing content. Additionally, a compromised account could theoretically mean sensitive information is exposed, and executives or organizations as a whole could suffer reputational damage or financial loss.

Standard security protocols, such as having unique passwords for all your online accounts, should help individuals avoid becoming victims of these tactics. 

The Importance of Verifying Information

The best way to check the accuracy of a source is to check it against another source.

However, this does raise another question. What if those other sources, the sources which are supposed to independently verify the truth, are working with the information source you’re fact-checking? Or what if the facts in the source are largely correct but the story is spun to support one side of an argument? This might ring with scepticism and conspiracy; however, it is a point worth making: with whom do you place your faith, and at what point do you stop questioning the validity of information?

Identifying Click-bait

Click-bait titles are purposefully crafted to evoke a powerful response from the readers. The reason for this is it encourages people to share the post, often without even reading the text. Less reputable news sites are occasionally guilty of this tactic, twisting the truth in their titles to get a response and increase their reach. However, it is also a tactic employed by botnet operators to maximise the reach of fake news. Signs that this might be the case are as follows:

  • Does it evoke a strong emotional reaction?

  • Is the story utterly ridiculous - or does it perfectly confirm your beliefs?

  • Are you going to spend money because of it?

  • Does it make you want to share it?

What’s the Bigger Context

Understanding the context behind a piece of news can help you determine how much, if any, of the story is true, as well as lead you to a better understanding of what the publisher's end goal is.

  • Who’s providing the information?

  • What’s the scale of the story?

  • If there’s an “outrage,” are people actually upset?

  • How do different news outlets present the same story?

Understand their Angle

Just because something is misleading or even incorrect doesn’t mean it’s without use, especially in a security context. In fact, understanding the reason behind the content might give insight into potentially harmful tactics targeting your organization and better allow you to create an effective response.

When determining what their angle is, ask the following questions:

  • Are important facts getting left out or distorted?

  • What’s the larger narrative?

  • What if you are actually wrong? Your previous opinion on a subject might have been formed by a different piece of fake news.

  • Why did they share this story?


Determining Truth from Fiction Online with Signal OSINT

How companies utilize technology and adapt to the shifting threat landscape will determine how effectively they are able to mitigate the threat of disinformation.

Signal enables organizations to monitor and manage large amounts of data from a plethora of different data sources across the surface, deep, and dark web. This, paired with advanced filters and boolean logic, means that security teams are empowered to identify disinformation, discover patterns and botnets, and practically respond to these potential and evolving threats.

Additionally, Signal enables security teams to detect data leaks. This data may be used in credential stuffing attacks and poses a severe security risk. Identifying data leaks early is essential for mitigating the threat of credential stuffing and, in this case, preventing harmful misinformation from being spread through or by an organization's workforce.

Corporate Security Ben Luxon

Vital Protection for the Healthcare and Pharmaceuticals Industry

Some common threats that management and security professionals in the healthcare industry battle with Signal include fake drugs for sale online, sensitive data leaks, and illegal impersonation of healthcare professionals.

Signal is an Open Source Intelligence tool which is used across a number of sectors to help executive and security teams form efficient and effective responses to emerging and evolving threats to assets and people - both staff and customers.

This shows up in, for example, quickly identifying data breaches, which allows users to better protect their customers from threats like credential stuffing, or in social media monitoring to identify sentiment which could affect a business's reputation or evolve into a physical threat against an executive.

In short, Signal provides relevant, actionable, and real-time information and tools to monitor multiple online data sources with a simple, easy-to-use interface. We empower security professionals around the world to quickly identify emerging threats, receive real-time alerts, and monitor developing situations in order to save time and resources, protect staff and customers, and manage operational risk.

Why use Signal in the Healthcare and Pharmaceutical Sector 

Management and security professionals in the healthcare industry have particular needs when it comes to protecting assets, staff, and patients. Some common threats include fake drugs for sale online, sensitive data leaks, and illegal impersonation of healthcare professionals.

To prevent the aforementioned risks and others from evolving into tangible threats, healthcare professionals in charge of security need to remain vigilant. Having Signal OSINT software in their toolbox allows them to monitor the dark web for leaked data, scan social media for negative sentiment and monitor other sources to detect threats early.

Private medical data leaks 

One of the most worrying things many healthcare institutes have to worry about is hackers targeting sensitive patient data. It is estimated that 24% of dark web vendors offer access to the healthcare vertical market. Over recent years there has been a resurgence in ransomware and phishing attacks targeting hospitals, medical practices, and nursing homes.

The reason these institutes are so attacked is that digital medical data sets are incredibly rich PPI sources. These records are worth a lot on the black markets of the dark web. Having someone's personal medical history allows fraudulent claims and identity theft. It’s important to remember that hackers are trying to generate a positive cash flow from their attacks.

It’s not just medical records that hackers can get out of a medical institute's system. Often there are non-sensitive login pairs as well as payment and credit card details, which makes this a gold mine for hackers.

Fake drugs for sale online

The WHO estimates that 50% of the drugs for sale on the internet are fake. Due to the high price of some medications, there is ample opportunity for false online vendors to take advantage of the customer's need. Often the fake drugs are portrayed as the real thing, but at a massively discounted rate.

Pharmaceutical IT security needs to locate and identify these dangerous sites so that they can be shut down in an effort to protect consumers from potentially harmful fake drugs. It’s also important to identify fake online vendors who might be impersonating a company's brands. This not only endangers customers but also creates a reputational risk for pharmaceutical companies.

Stopping the Spread of Misinformation 

In light of the rapid spread of information following the pandemic outbreak of COVID-19, it has never been more clear that organisations need reliable, accurate sources of information. Examples of unqualified individuals selling miracle cures, or spreading misinformation for some other reason, can quickly spread through the internet. Trustworthy healthcare institutes and sources need to identify and combat this misinformation fast.

How Signal is currently being used to help healthcare professionals

An individual impersonating a doctor was discovered online

The individual was selling fake drugs to customers, using their persona as a healthcare professional to give out medical advice and push the sales of fake drugs. By using Signal, this threat was discovered and action was taken to prevent further damages.

Fake prescription drugs found online

Signal customers have discovered several examples of their drugs for sale online from unofficial vendors. Upon closer inspection, these drugs were not theirs but fake replicas. Signal was used to closely monitor dark web forums where these drugs were for sale, as well as fake sites on the surface web where they were more openly available to customers. Using customised searches, the fake prescription drugs were quickly located and the threat to customers and the companies' reputations removed.

Discovered sensitive leaked patient information

After a system hack, a healthcare institute using Signal was able to identify some of their patients' records for sale on the dark web. Whilst the data can’t be retrieved, with this knowledge preventative measures can be, and were, put in place to minimise the risk of these data sets being fraudulently used.

Threats against staff are uncovered from dissatisfied patients

By using Signal’s sentiment analysis tool, Spotlight, users can determine the emotions behind posts to determine whether or not posts deserve further analysis or attention. This helps users cut through the noise. 

Dangerous misinformation caught being spread about COVID-19 

Using Signal, a dangerous piece of misinformation about COVID-19 was identified. It was particularly harmful as it was being portrayed as an internal hospital memo; however, upon inspection, the information, whilst believable, was entirely incorrect. By identifying the misinformation that was being spread, healthcare professionals were able to counter with verified and accurate information.

Summary

Signal is an open source intelligence platform that enables efficient monitoring of content in blogs and posts on the surface, deep, and dark web. This allows users to detect and identify potential threats to their business, customers, and assets and then establish effective preventative measures to protect against those threats.

Social Media Monitoring Wayne Forgesson

Black Hat brags about bank hack – Signal could have spotted it

Many hacks go completely undetected as shown by the fact that in 2019 one of America’s biggest banks took over four months to realise they had had a severe data breach! Learn how Signal could have helped this bank find and respond sooner and reduce their reputational damage.

One of America’s biggest banks took four months to realise it had been hacked.

Signal could have helped the bank find and respond sooner to reduce their reputational damage.

In late July the $370bn bank Capital One announced a hack of one million social security numbers and 80,000 credit card-linked bank account numbers which is estimated to cost over $100m to remedy.

Their announcement came 120 days after the actual hack occurred - the vigilant monitoring that Signal provides could have alerted Capital One to the problem quickly. Instead, it took months before a ‘white hat’ noticed conversation about the breach.

The number of people affected was staggeringly high – in the words of Capital One itself, “The event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.”

Here’s what happened:

On July 19, 2019, it was determined there had been unauthorised access by an outside individual who obtained personal information relating to Capital One credit card customers.

Capital One says it immediately fixed the configuration vulnerability that the individual had exploited and promptly began working with federal law enforcement.

The FBI arrested Paige Thompson, 33, a software engineer who formerly worked for Amazon Web Services… which Capital One is known to use.

Charges against Ms Thompson state she boasted about the hack on GitHub, Slack, and Twitter, allowing Capital One the opportunity to quickly alert their cyber teams of a potential breach – if they were utilizing an OSINT tool like Signal.

Capital One claims it is unlikely the information stolen was used for fraud or disseminated by the individual, adding it believes no credit card account numbers or log-in credentials were compromised and that over 99 percent of Social Security numbers were not compromised.

The fact remains: one million social insurance numbers and 80,000 credit card-linked bank account numbers were exposed.

The largest category of information accessed was information on consumers and small businesses created when they applied for credit card products across the last 15 years, including:

  • Customer status data, credit scores, credit limits, balances, payment history, contact information

  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

  • 140,000 Social Security numbers of credit card customers

  • 80,000 linked bank account numbers of our secured credit card customers

  • The Social Insurance Numbers of one million Canadian credit card customers were also compromised in this incident.

The configuration vulnerability was reported to Capital One by an external security researcher through a Responsible Disclosure Program on July 17, 2019. Capital One then began their own internal investigation, leading to the July 19, 2019, discovery of the incident. The hacker had four months to do what she wished with people’s personal information. Unfortunately, it is common for hacks to take months to be discovered, reported, and patched if the proper monitoring solutions are not in place.

Capital One expects the incident to generate incremental costs of approximately $100-$150 million in 2019. Expected costs are driven by customer notifications, credit monitoring, technology costs, and legal support.

Capital One said in its public statement it has always invested heavily in cybersecurity and will continue to do so. This breach shows how the convergence of cyber and physical security is continuing to evolve as companies continue to invest in infrastructure and tools to stay at the forefront of cyber threats. As threat surfaces continue to increase, social media and dark web scanning tools have become even more important to identify threats in real time.

Clearly there’s a lot of money at stake, but the worst part of it all is the hacker boasted about it online and the response could have been a lot quicker.

While it doesn’t appear that the breach was for financial gain, the reputational damage for Capital One has been huge (and continues).

Here’s how Signal can help prevent this sort of thing happening:

Signal’s point of difference is scanning the web and dark web for chat around data hacks, breaches and stolen information for sale.

We know that the accused thief bragged about what she was alleged to have done to Capital One, and this is precisely the sort of thing Signal is set up to prevent.

Signal offers:

  • Monitoring over 15 data sources, including social media, web/forums, surface web, the dark web and online forums.

  • Accurate real-time results centred around the geographical locations you need to monitor

  • Advanced filtering of searches

  • Excellent visuals so you’re not sifting through raw data to find out who’s talking about hacks at your organisation

  • Situation awareness

  • Online operation centre capability and data

 Please feel free to read how Signal could have helped resolve

 www.getsignal.info

info@signalpublicsafety.com
