4 cyber threats are coming to an online store near you
Ecommerce holiday sales are expected to generate up to US$196 billion this season, a 25-35% increase year-over-year, according to Deloitte’s annual forecast.
And after a year of rampant cyber attacks in times of crisis, hackers are poised to target the holiday shopping spree for access to customer information – the most valuable data for most attackers, according to Ernst and Young.
The rise of online shopping and working from home has created new vectors for attackers. Despite increasingly advanced cybersecurity measures taken by retailers, disruptive cyber attacks have become more common – according to Bloomberg, nearly 400 million customer records have been exposed in attacks on retail businesses in the past year.
As Black Friday rang the bell for a seasonal e-commerce crescendo, NordVPN shared four cyber threats facing the online retail industry.
# 1 | Magecart / E-skimming
Web skimming, or Magecart, is an attack where malware infects online payment pages to steal payment and personal information from buyers. This is a common type of attack in e-commerce and is attributed to 7-12 attack groups, which are responsible for the theft of credit card information from millions of online shoppers.
Overall, there was an average of 425 Magecart incidents per month in 2020. In many cases, attackers deploy social engineering tactics, such as sending buyers a bogus promotion for a site. When buyers respond to the bogus offer, they enter their personal details on a page that is in fact a skimming scam.
The Gocgle malicious campaign, which hit hundreds of commercial websites, shows how hackers impersonated a legitimate Google tool to compromise code and steal valuable information.
In November 2019, Macy’s confirmed that Magecart card-skimming malware was present on its payment and wallet pages in the run-up to Black Friday and the holiday shopping season. Macy’s said the malware allowed a third party to capture customer data on the pages if they entered their credit card information and clicked “Place Order.”
# 2 | Third party providers
The fact that there are several third-party vendors that support online sales further exposes retailers to potential threats. Cybercriminals often target third parties because they are the weakest links in the supply chain. On average, e-commerce sites use 40 to 60 third-party tools and plan to add three to five new third-party technologies each year, amplifying the risks.
Outdated or bogus plugins also add to the risk. When used on corporate websites, these compromised plugins can lead to the spread of malware.
# 3 | Open source vulnerabilities
Open source software uses code that anyone can view, modify, or improve. And while it has been extremely valuable for e-commerce businesses, it also comes with a number of cybersecurity challenges.
“Open source software is popular because it is often free or can be modified to meet the individual needs of a business. But this popularity means that any vulnerability found in the code can be a major problem on a large number of websites. Add in the changes brought on by COVID-19 and the problem escalated even further. Companies really should start making technical improvements to their websites quickly if they are to avoid a potentially catastrophic breach. If they continue to use unpatched open source software with vulnerabilities, they will be vulnerable to attack,” commented Juta Gurinaviciute, CTO at NordVPN Teams.
Other e-commerce site security threats include phishing, ransomware, SQL injection, DDoS attacks, and cross-site scripting (XSS).
“As soon as retailers see unusual traffic patterns, they should assume that an attack designed to slow the site down, take it offline or steal data is in progress,” Gurinaviciute added.
How to protect your e-commerce site
Ecommerce security is never a done deal. Threats and hacking methodologies are evolving at an alarming rate, so maintaining a security awareness and mindset is critical to staying safe. Layering multiple solutions for business security is one of the best ways to protect an online business from cyber attacks.
Implement Zero Trust: It is essential to apply zero-trust solutions that restrict third parties to the information to which the website has granted them access while blocking access to consumers’ private and payment information, also known as “least privilege”.
View your site as a customer: Too many businesses only see their website as it appears on the server side, instead of seeing it from the perspective of the customer’s browser. The browser page is what customers “see” when they buy, and those pages are subject to compromise. Therefore, you need to evaluate what you are doing to protect your pages once they leave the web server.
Premium: Implement firewalls (including web application firewalls), ensure connections are secure and passwords are strong, implement multi-factor authentication, use intrusion detection systems, and continuously monitor and update web platforms.
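An added example, not from the original article or from NordVPN: a small Python audit that looks at a checkout page the way the customer's browser receives it and reports third-party scripts that are either not on an approved list or not pinned with a Subresource Integrity (SRI) hash. The page URL, HTML, host names and allowlist below are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a checkout page as delivered to the customer's browser.
PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<script src="/static/cart.js"></script>
<script src="https://cdn.payments.example/sdk.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://www.analytics.example/tag.js"></script>
<script src="//analytics-examp1e.test/tag.js"></script>
</head><body><form id="payment"></form></body></html>
"""
# Hypothetical allowlist of third-party hosts approved for the payment page.
APPROVED_HOSTS = {"cdn.payments.example", "www.analytics.example"}


class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def audit_scripts(html, page_url, approved_hosts):
    """Return (host, issue) findings for third-party scripts on the page."""
    first_party = urlparse(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        # Resolve relative and protocol-relative URLs as the browser would.
        host = urlparse(urljoin(page_url, src)).hostname
        if host == first_party:
            continue  # served by the site itself
        if host not in approved_hosts:
            findings.append((host, "unapproved third-party host"))
        elif not integrity:
            findings.append((host, "approved host, but no SRI hash pins the file"))
    return findings


if __name__ == "__main__":
    for host, issue in audit_scripts(SAMPLE_HTML, PAGE_URL, APPROVED_HOSTS):
        print(f"{host}: {issue}")
```

Running the same check against the rendered page on a schedule, rather than against server-side templates, also catches scripts injected after deployment.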