In 2018, US retailers experienced record-breaking online revenue during the critical holiday shopping season, with sales climbing 16% to $126 billion compared to 2017.
With unemployment at generational lows, consumer confidence soaring, and shoppers continuing to shift online, there is reason to believe that records will be broken again in 2019. Preparations for the 2019 holiday season should be well underway by now, but it’s a good time to perform some final checks to ensure preparedness to withstand some common attack vectors.
Bots
The Commerce vertical sees more activity from bots than any other. In addition to all the bots scraping content for aggregation and price comparison purposes, Retail is the prime target for fraudsters and their bots.
Retail is the single largest target for bots conducting credential stuffing and account takeover attacks. Heading into peak holiday season, it’s a good idea to pursue user education about password hygiene, and for defenders to look for ways to detect and disrupt malicious automation on logins.
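One way to spot the automation the paragraph above warns about is to look at login telemetry for the signature credential stuffing leaves: a single source cycling through many distinct usernames in a short window, mostly failing. The following is an added example, not code from the original post or from any vendor it mentions. The log format, the IP addresses and usernames, and the thresholds (five distinct usernames in five minutes with at least 60% failures) are all constructed for illustration; real deployments tune them against their own baseline and usually add the mirror-image check for one account being hit from many IPs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (hypothetical, not real traffic), one per line:
# <ISO timestamp> <source IP> <username> <OK|FAIL>
SAMPLE_LOG = """\
2019-11-29T08:00:01Z 203.0.113.5 alice OK
2019-11-29T08:00:03Z 203.0.113.5 bob FAIL
2019-11-29T08:00:04Z 203.0.113.5 carol FAIL
2019-11-29T08:00:05Z 203.0.113.5 dave FAIL
2019-11-29T08:00:06Z 203.0.113.5 erin FAIL
2019-11-29T08:00:07Z 203.0.113.5 frank FAIL
2019-11-29T08:00:08Z 203.0.113.5 grace OK
2019-11-29T08:01:10Z 198.51.100.7 alice FAIL
2019-11-29T08:01:40Z 198.51.100.7 alice FAIL
2019-11-29T08:02:30Z 198.51.100.7 alice OK
2019-11-29T09:30:00Z 192.0.2.9 heidi OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that, within any sliding window, try many distinct usernames
    with mostly failed outcomes.  A legitimate user fumbling their own password hits
    one username from one IP and is not flagged; a stuffing bot works through a
    credential list and hits many usernames, mostly failing.
    Returns {ip: {"distinct_users", "attempts", "failures"}} for the worst window seen."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    suspects = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological; tuples sort on the timestamp first
        best = None
        start = 0
        for end in range(len(evs)):
            # advance the window start until the window is no wider than `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {e[2] for e in window_evs}
            failures = sum(1 for e in window_evs if e[3] == "FAIL")
            if len(users) >= min_users and failures / len(window_evs) >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"distinct_users": len(users),
                            "attempts": len(window_evs),
                            "failures": failures}
        if best:
            suspects[ip] = best
    return suspects


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {stats['distinct_users']} usernames in {stats['attempts']} attempts, "
              f"{stats['failures']} failures")
```

On the constructed sample, 203.0.113.5 is flagged (seven usernames in seven seconds, five failures) while 198.51.100.7, a user who mistypes their own password twice and then succeeds, is not. Keying on distinct usernames per source rather than raw failure counts is what keeps the false-positive rate tolerable during a peak-traffic weekend.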
Third Party Content on your website
The attack surface for modern web applications continues to evolve. The risks have shifted beyond first-party domains to include third parties serving content to the browser as part of the e-commerce portal. Attackers are working hard to compromise any third party that will allow them to inject their payment-skimming JavaScript into websites.
The Retail & Hospitality ISAC (RH-ISAC), in concert with the Payment Card Industry, issued a bulletin in August describing these risks and more. The bulletin recommends site hardening, as well as detection, as ways to reduce the risk of form-jacking, payment skimming, and similar threats.
Holiday prep could also serve as an occasion to revisit your site’s Content Security Policy (CSP). According to Tala Security’s 2019 State of the Web Report, very few of the Alexa 1000 set an effective CSP, fewer than half of these sites set HTTP Strict Transport Security (HSTS), and fewer than 10% set Referrer or Subresource Integrity policies. Setting aggressive CSPs requires a great deal of vigilance and testing to avoid restricting desirable functionality, but organizations could consider getting started with some of the more straightforward settings like HSTS.
It is also advisable to step up detection to specifically monitor for these threats. PCI and RH-ISAC recommend monitoring the PCI status of third-party partners, as well as limiting the access granted to third parties to the least privilege required to perform their function. These attacks move quickly, so it is worthwhile to closely monitor information-sharing groups for up-to-the-minute information, as well as monitoring third-party interaction on your site to detect anomalies.
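The "monitor third-party interaction on your site" advice above can be turned into a scheduled check: inventory the external scripts a checkout page loads and compare them against a baseline of approved hosts, flagging any newcomer (the usual footprint of an injected skimmer) and any third-party script served without Subresource Integrity. This is an added example, not code from the original post or from RH-ISAC or PCI. The site host, the baseline hosts, the page markup and the integrity placeholder are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical first-party host and the third-party script hosts approved for the
# checkout page; in practice this baseline is captured from a known-good deployment.
SITE_HOST = "shop.example"
BASELINE_THIRD_PARTY_HOSTS = {"cdn.example.com", "tag.analytics-partner.example"}

# Constructed checkout page markup (not from any real site). The integrity value is
# a placeholder; a real page carries the base64 digest of the script.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//tag.analytics-partner.example/t.js"></script>
<script src="https://cdn.unknown-host.example/checkout.js"></script>
</head><body><form id="payment"></form></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect (src, has_integrity) for every <script> that loads an external file."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)  # HTMLParser lower-cases attribute names for us
        if a.get("src"):
            self.scripts.append((a["src"], "integrity" in a))


def external_scripts(html, site_host):
    """Return (host, src, has_integrity) per script; relative URLs map to the site host."""
    collector = ScriptCollector()
    collector.feed(html)
    out = []
    for src, sri in collector.scripts:
        host = urlparse(src).netloc.lower()  # also handles scheme-relative "//host/path"
        out.append((host or site_host, src, sri))
    return out


def check_third_party_scripts(html, site_host, baseline):
    """Flag scripts from hosts outside the baseline (a possible injected skimmer)
    and third-party scripts that lack Subresource Integrity."""
    findings = []
    for host, src, sri in external_scripts(html, site_host):
        if host == site_host:
            continue  # first-party scripts are covered by your own change control
        if host not in baseline:
            findings.append(f"unexpected third-party script host {host}: {src}")
        if not sri:
            findings.append(f"third-party script without Subresource Integrity: {src}")
    return findings


if __name__ == "__main__":
    for finding in check_third_party_scripts(SAMPLE_PAGE, SITE_HOST, BASELINE_THIRD_PARTY_HOSTS):
        print(finding)
```

On the constructed page this yields three findings: the analytics tag is approved but unpinned, and the checkout script from an unknown host is both unexpected and unpinned. A fetch-and-parse check like this only sees scripts present in the served markup; scripts injected at runtime by an approved third party are better caught in the browser, for example by collecting CSP violation reports, so the two approaches complement each other.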
DDoS
In early October, Europol released its Organized Crime report. It found DDoS to be a top-five threat emerging from organized crime, with extortion as the most common motive. The 2018 holiday season was fairly calm in terms of DDoS extortion campaigns, but we have seen DDoS attacks targeting retailers during the peak holiday season.
Persistent attackers are always devising new schemes, as evidenced by the discovery of a new DDoS amplification vector in September. For an attacker looking to launch an extortion scheme, the critical holiday period is an opportune time, given how important this period is for retailers.
It is recommended to update DDoS runbooks and complete regular drills well before holiday configuration lockdowns, so you’re prepared for a worst-case scenario.
With proper planning and vigilance from InfoSec teams, 2019 promises to be another successful and record-breaking holiday season for the e-commerce industry. Folks working in this sector know that the business places particularly aggressive demands on them to maintain site performance, while they must also stay aware of the growing set of threats targeting the industry.
One final reminder for infosec is to keep a close eye on the performance penalty introduced by security controls, and to ensure that they don’t interfere with the user experience.