E-commerce holiday sales are expected to generate between $182 billion and $196 billion this season — a year-over-year increase of 25% to 35%, according to Deloitte’s annual forecast. According to the Global Information Security Survey by Ernst and Young, customer information is the most valuable type of data for most attackers. The threat to cybersecurity and privacy is increasing: about 6 in 10 organizations (59%) have faced a significant incident in the past 12 months, and 48% of executive boards believe that cyber attacks and data breaches will more than moderately impact their business in the next 12 months.
The rise of online shopping and working from home has created new vectors for attackers, so security professionals need to guard against new threats carefully as they emerge. NordVPN Teams highlights 3 threats retailers have to watch out for.
1. Magecart / E-skimming
Web-skimming, or magecart, is an attack where malware infects online checkout pages to steal payment and personal information of shoppers. Magecart is a very common type of attack in e-commerce and is attributed to 7 to 12 attack groups, who are behind the theft of millions of online shoppers’ credit card information.
Overall, there have been an average of 425 Magecart incidents per month in 2020. In many cases, attackers deploy social engineering tactics, such as sending shoppers a bogus promotion for a site. When shoppers respond to the fake offer, they enter their personal data on a page that is actually a skimming scam.
The Gocgle’s malicious campaign, which hit hundreds of shopping websites, demonstrates how hackers used Google’s legitimate tool for impersonation in order to compromise the code and steal valuable information.
In November 2019, Macy’s confirmed there was a credit card-skimming Magecart malware on its checkout and wallet pages just as Black Friday and the holiday shopping season approached. Macy’s indicated that the malware allowed a third party to capture customers’ data on the pages if they input their credit card information and clicked “Place order.”
2. Third-party vendors
The fact that there are multiple third-party vendors that support online sales further exposes retailers to possible threats. Cybercriminals often target third parties because they’re the weak links in the supply chain. On average, e-commerce sites use 40 to 60 third-party tools and intend to add three to five new third-party technologies each year, amplifying the risks.
Outdated or fake plugins also add to the risk package. When used on companies’ websites, these compromised plugins can lead to the spread of malware.
3. The increased danger of open-source software vulnerabilities
Open-source software uses code that anyone can view, modify, or enhance. And while it has been hugely valuable to e-commerce businesses, it also carries a number of cybersecurity challenges.
“Open-source software is popular because it is often free to use or can be modified to suit the individual needs of a business. But this popularity means that any vulnerabilities found in the code can be a massive problem across a huge number of websites. Add the changes COVID-19 has brought, and the problem has intensified even more. Companies should really start making technical improvements to their websites fast if they want to avoid a potentially catastrophic breach. If they continue using unpatched, open-source software with vulnerabilities, they’ll leave themselves open to attacks,” comments Juta Gurinaviciute, Chief Technology Officer at NordVPN Teams.
Other security threats to e-commerce sites include phishing, ransomware, SQL injection, DDoS attacks, and cross-site scripting (XSS).
“The minute retailers see unusual traffic patterns, they should assume an attack designed to slow the site down, take it offline, or steal data is underway,” the NordVPN Teams expert adds.
How to protect your e-commerce site
E-commerce security is never a done deal. Threats and hacking methodologies evolve at an alarming rate, so maintaining awareness and a security-focused mindset is the key to staying secure. Layering multiple solutions for business security is one of the best ways to keep an online business safe against cyber attacks.
- Implement Zero Trust. It’s essential to enforce zero-trust solutions that restrict third parties to information the website has authorized them to access while blocking access to consumers’ private and payment information, also known as “least privilege.”
- View your site as a customer. Too many businesses only see their website as it appears on the server side, instead of viewing it from the customer’s browser perspective. The browser page is what customers “see” when they shop, and these pages are subject to compromise. Therefore, you need to assess what you’re doing to protect your pages once they leave the web server.
- Bonus: implement firewalls (including web application firewalls), making sure the connection is secure and passwords are strong, implementing multi-factor authentication, using intrusion detection systems, and constantly monitoring and updating web platforms.Read the latest edition of PCR’s monthly magazine below: