U.S. convenience store giant Kwik Trip recently disclosed a network incident that negatively affected retail operations. While the company didn’t immediately identify the cause of the outage, other retailers have been attacked by threat actors targeting rewards programs with the credential stuffing technique. During the past year, Cybersixgill observed over 100 posts advertising stolen or leaked Kwik Trip Rewards credentials.
Â
THE HEADLINE
American gas station and convenience store chain Kwik Trip[1] recently acknowledged a network outage that disrupted internal systems, contributing to product shortages, derailing the company’s rewards/loyalty program, and knocking an official web site offline. According to a Kwik Trip statement on October 16, 2023, the company was still experiencing an outage to the Kwik Rewards Program, but retail and customer-facing systems were not impacted.
While Kwik Trip did not identify the cause of the outage, loyalty programs such as Kwik Rewards have been targeted in recent cyber attacks. Earlier in 2023, attackers infiltrated American retail chain Hot Topic[2] using stolen account credentials for the company’s rewards platform, extracting customers’ full names, email addresses, order histories, phone numbers, dates of birth, shipping addresses, and the last four digits of credit cards used for orders. Threat actors use the type of data stolen from rewards programs for financial fraud, identity theft, and other criminal activities.
This type of data is also repeatedly resold on cybercrime forums and marketplaces, including those that are collected by the Cybersixgill Investigative Portal. To that end, Cybersixgill detected over 100 posts advertising stolen or leaked Kwik Rewards credentials during the past year, which are discussed in the section that follows.
While Kwik Trip has yet to disclose which threat actors are behind the recent outage, the technique used in the Hot Topic attack, credential stuffing, is relatively popular for targeting retail chains. Credential stuffing attacks use third-party lists of stolen usernames and passwords, which are frequently obtained from external sources, such as dark web sites, and can be used by threat actors to gain unauthorized access to accounts.
The key to credential stuffing attacks is users’ tendency to recycle passwords and email addresses across multiple platforms and services. The reuse of passwords leaves individuals’ accounts vulnerable to infiltration when data breaches or leaks occur, after which threat actors assess whether credentials grant access on other online platforms. When threat actors find a match, they can successfully login and steal data, which can be used for additional malicious activity.
As a corollary, credential stuffing victims can also be implicated in supply chain attacks,[3] which occur when a vendor or partner is breached, compromising the networks of a web of interconnected entities that include customers, end-users, and a variety of vendors, such as IT service providers, cloud platforms, and consultants.
Â
DIVING DEEPER
Over the course of the past year, Cybersixgill collected over 100 posts advertising credentials for the Kwik Rewards platform. These credentials were advertised by threat actors on a popular dark web market. In the first post below (Figure 1), Cybersixgill observed a highly active threat actor advertising logs for the Kwik Rewards program, which remained offline at the time of writing.
These credentials were initially harvested using an information stealer written in the C programming language that is advertised on Russian-language cybercrime forums and licenced using the Malware-as-a-Service[4] (MaaS) model. The actual login page connected to these logs is currently unavailable, but as a rewards program site, it appears to be a customer portal. This means that a customer machine was likely compromised and its systems were infected with malware at some point. Once threat actors gain unauthorized access, they may be able to steal customer data, which could potentially be used for extortion or resold to other threat actors. As such, protecting login credentials is critical to prevent unauthorized access and cyber attacks.
  Figure 1: Credentials related to Kwik Rewards advertised on a dark web black market
Â
In addition to the Kwik Rewards credentials, Cybersixgil also detected logs for other Kwik Trip portals advertised on the same market. This includes the post below (Figure 2) in which a threat actor advertised an Okta portal for Kwik Trip. Okta portals manage[5] user identities, authentication, and authorization within organizations, controlling access to data, applications, and other resources.
As such, their security is critical to safeguarding organizations’ privacy, intellectual property, data, and other assets. With the Okta logins Cybersixgill observed, combined with social engineering schemes, cybercriminals could potentially gain unauthorized access to sensitive information or obtain an entry point to launch further attacks. Threat actors could resell the data on the underground, use it to perpetrate data extortion schemes, or otherwise abuse it for nefarious purposes.
Â
Figure 2: Credentials related to a Kwik Trip Okta platform advertised a dark web black market
Â
TAKEAWAYS
While the recent disruption suffered by Kwik Trip could have resulted from a credential stuffing incident, some researchers also posited that the outage was caused by a ransomware attack. Regardless of the root cause, it illustrates the company-wide damage that can be inflicted on corporate cyber attack victims. In Kwik Trip’s case, key business functions were interrupted for over a week.
With attackers constantly developing new techniques and social engineering methods to steal credentials from corporate accounts, vigilance in maintaining account security is essential. That includes implementing the following best practices to minimize risk in corporate environments:
·       For password manager tools, choose a long and complex master password using a combination of both capital and lowercase letters, numbers and special characters, and use unique passwords for each portal.
·       Enable multiple-factor authentication (MFA) processes to add another layer of security, making it more difficult for cybercriminals to access corporate devices and accounts.
·       Educate all employees to avoid password reuse for multiple services and accounts.
·       Implement a password expiration date policy for all employee’s accounts.
[1] Kwik Trip is a U.S. convenience store and gas station chain, with primary locations in Midwestern states
[2] Hot Topic stores sell band T-shirts and other music-related clothing and accessories in 675 retail locations throughout the U.S. Hot Topic also maintains an online outlet with close to 10 million monthly visitors.
[3] Ultimately supply chain attacks can result in data breaches, malware injection, and ransomware attacks that cause widespread damage and disruption.
[4] Malware-as-a-service (MaaS) offers malware for sale or rent to cybercriminals of all proficiency levels, who can then use it to launch attacks on targeted systems.
[5] Okta is one of the world’s top providers of identity and authentication management services, which control access to systems, applications, and data. Okta employs over 5,000 people and is worth over $6 billion, providing services to large corporations and government entities.