Retailers — watch out for these seasonal sales cyber-threats
E-commerce holiday sales are expected to generate up to US$196 billion this season — a year-over-year increase of 25% to 35%, according to Deloitte’s annual forecast.
And rounding off a year of rampant crisis-time cyberattacks, hackers are ready to target the seasonal shopping frenzy to access customer information — the most valuable data for most attackers, according to Ernst and Young.
The rise of online shopping and working from home has created new vectors for attackers. In spite of increasingly advanced cybersecurity measures taken by retailers, disruptive cyber-attacks have become more common — according to Bloomberg, nearly 400 million customer records were exposed through attacks on retail companies in the last year.
With Black Friday sounding the bell for a seasonal e-commerce crescendo in the US and Europe — and Asia well in the midst of its own record monthly sales run — NordVPN shared four cyber-threats faced by the online retail industry.
# 1 | Magecart / E-skimming
Web-skimming, or Magecart, is an attack where malware infects online checkout pages to steal payment and personal information of shoppers. It’s a common type of attack in e-commerce and is attributed to 7 to 12 attack groups, who are behind the theft of millions of online shoppers’ credit card information.
Overall, there has been an average of 425 Magecart incidents per month in 2020. In many cases, attackers deploy social engineering tactics, such as sending shoppers a bogus promotion for a site. When shoppers respond to the fake offer, they enter their personal data on a page that is actually a skimming scam.
The Gocgle’s malicious campaign, which hit hundreds of shopping websites, demonstrates how hackers used Google’s legitimate tool for impersonation in order to compromise the code and steal valuable information.
In November 2019, US retailer Macy’s confirmed there was a credit card-skimming Magecart malware on its checkout and wallet pages just as the holiday shopping season approached. Macy’s indicated that the malware allowed a third party to capture customers’ data on the pages if they input their credit card information and clicked “Place order.”
# 2 | Third-party vendors
The fact that there are multiple third-party vendors that support online sales further exposes retailers to possible threats. Cybercriminals often target third parties because they’re the weak links in the supply chain. On average, e-commerce sites use 40 to 60 third-party tools and intend to add three to five new third-party technologies each year, amplifying the risks.
Outdated or fake plugins also add to the risk package. When used on companies’ websites, these compromised plugins can lead to the spread of malware.
# 3 | Open-source vulnerabilities
Open-source software uses code that anyone can view, modify, or enhance. And while it has been hugely valuable to e-commerce businesses, it also carries a number of cybersecurity challenges.
“Open-source software is popular because it is often free to use or can be modified to suit the individual needs of a business. But this popularity means that any vulnerabilities found in the code can be a massive problem across a huge number of websites. Add the changes COVID-19 has brought, and the problem has intensified even more. Companies should really start making technical improvements to their websites fast if they want to avoid a potentially catastrophic breach. If they continue using unpatched, open-source software with vulnerabilities, they’ll leave themselves open to attacks,” commented Juta Gurinaviciute, chief technology officer at NordVPN Teams.
Other security threats to e-commerce sites include phishing, ransomware, SQL injection, DDoS attacks, and cross-site scripting (XSS).
“The minute retailers see unusual traffic patterns, they should assume an attack designed to slow the site down, take it offline, or steal data is underway,” Gurinaviciute added.
How to protect your e-commerce site
E-commerce security is never a done deal. Threats and hacking methodologies evolve at an alarming rate, so maintaining awareness and a security-focused mindset is a key to staying secure. Layering multiple solutions for business security is one of the best ways to keep an online business safe against cyber-attacks.
Implement Zero Trust: It’s essential to enforce zero-trust solutions that restrict third parties to information the website has authorized them to access while blocking access to consumers’ private and payment information, also known as “least privilege.”
View your site as a customer: Too many businesses only see their website as it appears on the server-side, instead of viewing it from the customer’s browser perspective. The browser page is what customers “see” when they shop, and these pages are subject to compromise. Therefore, you need to assess what you’re doing to protect your pages once they leave the webserver.
Bonus: implement firewalls (including web application firewalls), making sure the connection is secure and passwords are strong, implementing multi-factor authentication, using intrusion detection systems, and constantly monitoring and updating web platforms.