Classification: Intelligence briefing
Rearo, the Glasgow-based producer of high-pressure laminate wall panels and worktops, said criminals posing as online customers tried to place thousands of fictitious orders in an attempt to validate stolen credit and debit card numbers.
The successful combinations would then have been used by fraudsters to purchase goods and services elsewhere, Rearo believes. The company said it has alerted police to the scam and is now urging companies to tighten their online systems to avoid being targeted in the same way.
While the attack didn’t inflict any cost or damage on Rearo directly – it was identified before any of the orders were shipped – its systems were used as a ‘Trojan horse’ to verify the legitimacy of credit card numbers for future illicit use. Stuart Hutcheson, Rearo’s IT implementation manager, said the company only learned about the scam after noticing a pattern of thousands of unsuccessful online purchases over the course of a weekend.
He said: “We had processed around 180 orders through our website and ERP (enterprise resource planning) system, but the cyber attackers had attempted a staggering 4,800 transactions, which shows you the scale of their operation.
“They were clearly attempting to validate credit card number combinations, for use elsewhere. Although their success rate was a mere 8-9%, it underscores the gravity of the situation.”
The nature of the attack highlights a growing trend in cybercrime, where criminals target legitimate online platforms to validate stolen financial information, facilitating subsequent fraudulent transactions, according to Rearo. Hutcheson said: “They buy data from illegitimate sources and then feed these credit card numbers into an algorithm, attempting to match the correct combinations.
“While the attack did not cause significant financial losses to us, it led to considerable disruption and a time-consuming manual recovery process for the affected transactions. This phenomenon is gaining traction. We know of two other businesses, which manage online sales, which have been affected recently. It’s becoming a more mainstream threat.”
The Govan-based company – which also has outlets in Tyneside and Northampton – believes its experience should serve as a wake-up call to all businesses to shore up their cyber defences.
It has gained Cyber Essentials accreditation – a standard endorsed by the UK Government – that will require audits of its network security, access controls, policies, and hardware configurations to ensure the safeguarding of critical data. Hutcheson also underscored the need for businesses to educate their staff on cyber security, not only in the workplace but also in their own personal online activities, such as home banking.
Rearo has implemented a range of new measures, including multi-factor authentication and heightened password policies, as the company pivots toward the kind of comprehensive cybersecurity practices it believes are essential for survival in the digital age. Hutcheson said: “After the pandemic, remote work became a norm and, with it, the landscape of IT security evolved. A renewed emphasis on data security is crucial. The skills required in this field are constantly evolving and organisations, especially SMEs, must invest in staying ahead of cyber threats.”
He added: “It’s also important for businesses to raise awareness about cyber security issues among their employees and customers. We are planning to provide cyber security training to staff, educating them about data protection, safe online practices, and the importance of securing their own digital lives.”