Data shows that web attacks are a daily phenomenon for online retailers, with businesses experiencing around 206,000 cyber-attacks per month. With techniques becoming increasingly sophisticated, retailers should be asking themselves not if but when they will be targeted by a cyber-attack.
One of the biggest challenges is that criminals try to mirror the behavior of ordinary shoppers to hide their activity. For example, attacks often increase during the holiday season and around typical paydays.
There are three common goals of cyber-attacks targeting e-commerce:
- To steal debit/credit card information
- To take over a shopping session
- To gather personal ID information to perpetrate other fraud
We analyzed a sample of 4.9 million attacks on online retailers to find out the most common techniques used:
Account Takeover
Account takeover is the most widely occurring type of threat, accounting for 30% of all attacks. Here the attacker uses an automated process to test stolen user credentials against a website’s authentication flow. If a login succeeds, they access the victim’s account and change its recovery settings to lock the victim out. This enables the attacker to fraudulently order goods or services from the online retailer in question, or to use the acquired account data to attempt further account takeovers on other websites.
Bot Imposter
Bot imposters take second place, representing 24% of cyber-attacks. A bot imposter is a malicious web request that pretends to be a Google or Bing search bot. For search engines to integrate online retailers into their shopping functions, they need to crawl websites in search of pricing and inventory data. This is exactly the kind of data attackers are after with their bot imposters, as it allows them to quickly purchase scarce goods once back in stock to resell them for a higher price.
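As an added example (not from the original article), one way a defender can separate a real search-engine crawler from a bot imposter is the two-step DNS check the engines themselves document: reverse-resolve the client IP, confirm the hostname sits under the engine's crawler domain, then forward-resolve that hostname back to the same IP. The resolver functions, log lines and IP addresses below are constructed stand-ins so the code runs offline.

```python
import re
from typing import Callable, Dict, Iterable, Optional

# Domains each engine publishes for its crawlers; the PTR record must fall under one of them.
# Assumption: only Googlebot and Bingbot are modelled, the two engines the article names.
CRAWLER_DOMAINS = {"googlebot": ("googlebot.com", "google.com"), "bingbot": ("search.msn.com",)}

# Combined-format access log: client IP is the first field, User-Agent the last quoted one.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*? "(?P<ua>[^"]*)"$')

def _under_domains(host: str, domains: Iterable[str]) -> bool:
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def verify_search_bot(ip: str, user_agent: str,
                      reverse_lookup: Callable[[str], Optional[str]],
                      forward_lookup: Callable[[str], Optional[str]]) -> str:
    """Return 'verified', 'imposter' or 'not-a-bot': a genuine crawler needs a known bot
    name in the User-Agent, a PTR record under that engine's domain, and a forward
    lookup of that hostname back to the same IP (so a forged PTR alone fails)."""
    claimed = next((b for b in CRAWLER_DOMAINS if b in user_agent.lower()), None)
    if claimed is None:
        return "not-a-bot"
    host = reverse_lookup(ip)
    if not host or not _under_domains(host, CRAWLER_DOMAINS[claimed]):
        return "imposter"
    return "verified" if forward_lookup(host) == ip else "imposter"

def classify_log(lines: Iterable[str], reverse_lookup, forward_lookup) -> Dict[str, str]:
    """Map each client IP in the log to its verdict."""
    results: Dict[str, str] = {}
    for m in filter(None, map(LOG_RE.match, lines)):
        results[m["ip"]] = verify_search_bot(m["ip"], m["ua"], reverse_lookup, forward_lookup)
    return results

# Constructed stand-ins for DNS answers (TEST-NET addresses) and access-log lines.
FAKE_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com", "203.0.113.7": "scraper.example.net",
            "203.0.113.8": "crawl-forged.googlebot.com"}  # forged PTR with no matching A record
FAKE_A = {"crawl-192-0-2-10.googlebot.com": "192.0.2.10", "scraper.example.net": "203.0.113.7"}
GBOT = '"Mozilla/5.0 (compatible; Googlebot/2.1)"'
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Dec/2023:10:00:00 +0000] "GET /product/123 HTTP/1.1" 200 512 "-" {GBOT}',
    f'203.0.113.7 - - [01/Dec/2023:10:00:01 +0000] "GET /product/123 HTTP/1.1" 200 512 "-" {GBOT}',
    f'203.0.113.8 - - [01/Dec/2023:10:00:02 +0000] "GET /inventory HTTP/1.1" 200 512 "-" {GBOT}',
    '198.51.100.9 - - [01/Dec/2023:10:00:03 +0000] "GET /product/123 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; bingbot/2.0)"',
    '192.0.2.5 - - [01/Dec/2023:10:00:04 +0000] "GET /cart HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"',
]

if __name__ == "__main__":
    print(classify_log(SAMPLE_LOG, FAKE_PTR.get, FAKE_A.get))
```

In production, replace the two dictionary lookups with real PTR and A/AAAA queries and cache the verdict per IP, since the check is only needed once per address rather than per request.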
XSS
Cross-site scripting (XSS) (8%) is a so-called injection attack: attackers inject malicious JavaScript into trusted content such as a web application’s pages. When that script executes in the end user’s browser, it enables attackers to take over a user’s shopping cart and have goods shipped to another location for resale.
SQLI
An SQL injection (SQLI) (8%) is another common injection attack. A successful SQLI allows attackers to interfere with the queries a web application makes to its database. This gives them access to sensitive data stored in the database, such as passwords and credit card details. It also enables them to modify and delete this data, causing changes to a web application’s behavior or content. Many high-profile data breaches in the past years have been the result of successful SQL injections.
Backdoor Files
Although currently accounting for only 6% of attacks, backdoor files are the fastest rising attack mode. A backdoor file is an attempt to access backdoor tools installed on web applications or APIs. This provides attackers with “the keys to the kingdom” and enables them to introduce additional attacks into the retailer’s online environment.
Backdoor files are often delivered through malware that identifies and exploits weak security points. Having installed a backdoor file, attackers can gain free access to the entire system, opening up the possibility of data theft and server hijacking. This also opens up so-called distributed denial of service (DDoS) attacks – making web apps and APIs unavailable for legitimate users by overwhelming the technology with high request volumes or abusing specific functions and features of the application.
Four components for a solid web security strategy:
- Visibility: Retailers need to be informed about all activities taking place on their domain. This includes insights into granular web requests, the type of attacks that are attempted, when and where attacks occur and how attackers seek to exploit a web app or API.
- Integration: Providing feedback loops with actionable attack data as well as integrating security tools into common DevOps tools should be the norm. The only way to maintain a high level of security is to involve the specialists in operations from the beginning instead of treating security as an afterthought.
- Threat Detection and Mitigation: Executing automated rapid response to block attacks while allowing legitimate traffic to access web apps is critical for high-volume retail sites. Retailers have to make sure that their security solution can inspect and make decisions based on the intent of requests instead of just blocking a list of static IP addresses.
- Scalability: Utilize security technology that covers every platform and infrastructure in use by the company. Furthermore, make sure the third-party applications in use apply high security standards – an average webshop uses dozens of third-party apps, which attackers can potentially use as access points to the webshop.