US retailers are more vulnerable to web application attacks than those based in the EU, according to Outpost24’s 2020 Web Application Security for Retail & E-commerce Report. The cybersecurity firm calculated that web apps used by US retailers had an aggregated average risk score of 35, which compares to 31 for their EU counterparts.
Retailers in the US were found to have a wider attack surface, running more publicly exposed web apps (3357) compared to those in the EU (2799). Despite this, retailers in the EU had a higher proportion of applications using old components that contained vulnerabilities (27%) compared to those based in the US (22%).
The biggest single attack vector for both US and EU retailers was security mechanisms, with risk exposure scores of 99 and 90.5 recorded, respectively, according to the report. The researchers noted that the use of HTTP websites and unrestricted access to unsecured areas of the site without encryption would contribute to a higher attack surface score.
This was followed by active content, with risk scores of 88 or above calculated for both US and EU retailers. This category looked at how web applications were running scripts. The third highest attack vector was degree of distribution, for which all retailers analyzed had scores above 77.9. Outpost24 said this is due to the difficulty of securing every one of the large number of product pages commonly found on big e-commerce sites.
The study also found that a high proportion of retailers (90% of EU and 50% of US) are currently running outdated jQuery versions on their apps, which may expose them to common cross-site scripting attacks.
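Finding outdated front-end libraries across a large e-commerce estate is an inventory problem before it is a patching problem. The following is an added example, not code from the report or from Outpost24: it parses a page's `<script>` tags, extracts the jQuery version from the script path (local files and the common CDN layout), and flags copies below a minimum version. The threshold `MIN_JQUERY` is an assumed policy value chosen for illustration, and the sample HTML is constructed; `jquery-ui` bundles are deliberately not matched, since they are versioned independently of jQuery core.

```python
import re
from html.parser import HTMLParser

# Assumed policy threshold for this example (not taken from the report):
# anything older than this is reported as outdated.
MIN_JQUERY = (3, 5, 0)

# Constructed sample page: one old local copy, one current CDN copy,
# a jQuery UI bundle (not jQuery core) and an inline script.
SAMPLE_HTML = """
<html><head>
<script src="/static/js/jquery-1.12.4.min.js"></script>
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script src="/static/js/jquery-ui-1.12.1.min.js"></script>
<script>window.shop = {cart: []};</script>
</head><body>product page</body></html>
"""

# Matches "jquery-1.12.4.min.js", "jquery.3.6.0.js" and CDN paths such as
# "libs/jquery/3.5.1/jquery.min.js". A non-digit after the separator
# (e.g. "jquery-ui-...") does not match, so jQuery UI is skipped.
JQ_RE = re.compile(r"jquery(?:[/.-]v?)?(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def jquery_versions(html):
    """Return [(src, (major, minor, patch)), ...] for each jQuery core reference."""
    collector = ScriptCollector()
    collector.feed(html)
    found = []
    for src in collector.srcs:
        m = JQ_RE.search(src)
        if m:
            version = tuple(int(part) if part else 0 for part in m.groups())
            found.append((src, version))
    return found


def outdated_jquery(html, minimum=MIN_JQUERY):
    """Return the jQuery references whose version is below the policy minimum."""
    return [(src, ver) for src, ver in jquery_versions(html) if ver < minimum]


if __name__ == "__main__":
    for src, ver in outdated_jquery(SAMPLE_HTML):
        print("outdated jQuery %s in %s" % (".".join(map(str, ver)), src))
```

Run against saved HTML from each public-facing application, the output gives a per-page list of stale jQuery copies that can be fed into an asset register; a page that loads jQuery without a version in the path still appears in `ScriptCollector.srcs` and should be checked by hand.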
Nicolas Renard, security analyst at Outpost24, commented: “Hackers are masters of reconnaissance and will go to great lengths to identify weak spots in their target. The rather high risk exposure score among the top retailers is a worrying trend, as bigger attack surfaces create more opportunity for bad actors to find holes in security defense and execute potential exploits.”
Online retailers’ security has become increasingly important in the context of the huge shift to e-commerce this year as a result of the COVID-19 crisis, with online shopping a more lucrative target for cyber-criminals. For instance, it was revealed that nearly 2000 e-commerce stores running the popular Magento software were attacked over a single weekend in September.