With hackers’ techniques becoming more sophisticated and cybercrime growing at an exponential rate, one thing remains the same: e-commerce businesses are prime targets for cyber attacks. The retail industry now experiences more breaches than any other industry as intruders deploy advanced, more destructive hacking methods against its vast assets. From financial fraud and compromised customer data to huge reputational losses and leaked trade secrets, a data breach can ruin the reputation of, and plunge into crisis, even a large e-commerce business.
For instance, eBay, one of the biggest online auction websites, announced that unknown hackers stole email addresses, encrypted passwords, mailing addresses, birth dates and other customer-related information in a massive breach carried out in 2014. Even though the stolen files did not contain financial or credit card information, the incident damaged the company’s reputation. If a giant like eBay, with millions invested in security, is vulnerable, small retailers, which often have little defence against hackers, are even more so.
Taking this into account, online entrepreneurs have to raise their security maturity to protect their business and customers, and to keep the cost of any cyber attack to a minimum. The first step in building an impenetrable wall around your company to protect it from external threats is understanding your enemies. Knowing the main security threats e-commerce businesses face will help retailers develop robust strategies to mitigate them.
- DDoS Attacks
Many e-commerce website owners don’t take DDoS attacks seriously, considering them “old-fashioned”. How wrong they are! Ignoring this threat may result in millions in lost revenue, not to mention the reputational damage from lingering downtime and bad PR. According to a report from Kaspersky Lab, about 30% of DDoS victims suffered downtime ranging from 1 day to several weeks. Besides, in some cases a small DDoS attack can be a cover for a more serious data breach: the same research shows that sensitive data was also lost in approximately 26% of DDoS attacks.
DDoS attacks aim to disrupt websites by flooding their servers with so many requests that the servers eventually crash. Cybercriminals use purpose-built tools, such as Low Orbit Ion Cannon (LOIC), to overload the victim’s server with TCP, UDP or HTTP packets, leaving it unable to serve legitimate requests.
Establishing strong protection against DDoS is essential for every business. For instance, the German food delivery service Lieferando found itself in an awkward situation: after their server was hit by an attack, they could accept orders but couldn’t process them and had to refund their customers. In addition, the attackers demanded 2 BTC to halt the DDoS.
DDoS protection techniques include:
- Minimizing the attack surface by placing computing resources behind CDNs or load balancers and restricting traffic to certain parts of the infrastructure, for example database services. E-commerce companies can also reduce the possible points of attack by using firewalls or ACLs to monitor and control what kind of traffic reaches their applications.
- Implementing CDNs and smart DNS resolution services to add a further layer that resolves DNS queries and serves content from distributed locations.
- Ransomware
Ransomware, a form of financial fraud, has grown into a full-scale business for some ill-minded people, and it can be devastating to both individuals and organizations. A Trend Micro report on the threat of ransomware found that such attacks cost e-commerce companies about $200,000,000 in the first three months of 2017. Since this attack doesn’t require solid coding skills, the number of companies affected is growing exponentially. For e-commerce businesses, a ransomware attack can put an online store out of commission, and given that downtime can spell death for online retail, the scale of the problem can be huge.
Ransomware commonly spreads in two ways:
- Through phishing emails
- By unknowingly visiting an infected site.
Once the victim opens a spam email with malware attached, the infection spreads across the computer system and encrypts data, locking the victim out. As a result, the victim cannot access the locked files or system until the demanded ransom is paid. Below you can see a typical example of a ransomware message.
Data recovery is a very difficult and expensive process that requires the services of an experienced recovery specialist, so it is fair to say that some companies prefer to pay the ransom to recover their files. However, it makes no sense to rely on hackers’ honesty: there is no guarantee that the victim will get the promised decryption key after the money has been handed over. Besides, paying a ransom doesn’t prevent cyber criminals from attacking again with a higher demand than the previous one. Moreover, by doing what hackers want, companies encourage this business model and put other organizations at risk.
The good news is that there are a few things business owners can do to prevent or limit the consequences of this attack. Among them are:
- Proper employee education
- Employing updated anti-malware software
- Regular backups.
- SQL Injection
Protecting your e-commerce business against SQL injection (SQL stands for Structured Query Language) should be an integral part of your security checklist. The databases behind sites and applications are the main targets of this attack. As e-commerce websites, regardless of the CMS used, require personal and payment information to complete a sale, they are tempting targets for hackers. Intruders exploit loopholes in the back-end to submit input that embeds their own malicious query. The malicious query is treated as valid and executed, and once it runs the intruder can gain full control over the victim’s database.
In our experience, there are three ways for SQL injection to penetrate a website:
- known bugs in a CMS (if it hasn’t been updated in time)
- known bugs in installed third-party modules. Installing security patches as soon as possible is the only way to prevent known bugs from being exploited in your store.
- security loopholes in custom code written by a careless developer. Carrying out regular security checks with the help of automated testing tools can help you identify and fix bugs in the code.
SQL injection can have a destructive impact on online retailers. According to Verizon’s report, SQL injection was used in 80% of attacks against retailers’ web apps. For instance, a critical flaw was detected in Magento, the most popular platform for e-commerce websites. The flaw, named PRODSECBUG-2198, put more than 300,000 online stores at risk. So if you own a website running on Magento, we recommend studying a Magento security guide to understand all the ways to secure your business and keep your data safe and sound.
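The loophole described above, shown as an added example that is not from the original article: a customer lookup that pastes input into the query text beside the parameterized version that closes the hole. It assumes an in-memory SQLite table with constructed customer rows; the hashes are placeholders.

```python
import sqlite3

# Constructed sample data: a tiny customer table such as an online store might keep.
# The password hashes are placeholders, not real digests.
CUSTOMERS = [
    ("alice@example.com", "HASH-PLACEHOLDER-1", "Alice"),
    ("bob@example.com", "HASH-PLACEHOLDER-2", "Bob"),
]

def make_db():
    """Build an in-memory SQLite database holding the constructed customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, pw_hash TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn

def lookup_vulnerable(conn, email):
    """The loophole the article describes: the input is pasted into the SQL text,
    so a quote character in the input is parsed as part of the query itself."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return sorted(row[0] for row in conn.execute(sql))

def lookup_safe(conn, email):
    """Hardened form: the input is bound as a parameter. The driver hands it to the
    database as data, never as SQL, so it can only ever match a literal email."""
    sql = "SELECT name FROM customers WHERE email = ?"
    return sorted(row[0] for row in conn.execute(sql, (email,)))

def vulnerable_raises(conn, email):
    """True if the string-built query fails to parse for this input. A burst of such
    errors from a login or search form is an early warning worth alerting on."""
    try:
        lookup_vulnerable(conn, email)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    # Textbook injection string: closes the quote and appends an always-true clause.
    crafted = "x' OR '1'='1"
    legit_quote = "o'neil@example.com"  # apostrophes are legal in email addresses
    print(lookup_vulnerable(db, "alice@example.com"))  # ['Alice']
    print(lookup_vulnerable(db, crafted))              # ['Alice', 'Bob']: every row leaks
    print(lookup_safe(db, crafted))                    # []
    print(vulnerable_raises(db, legit_quote))          # True: a real customer is broken too
    print(lookup_safe(db, legit_quote))                # []
```

The same bound-parameter pattern applies to any driver or ORM; the point is that the query structure is fixed before user data ever reaches the database.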
- Malicious Bots
Malicious bots are self-propagating software developed to perform certain tasks and report the results to their botmaster. There are many types of malicious bot, but regardless of type they act in the same manner: the bots scan websites for security vulnerabilities and use them either to perform fraudulent activity or to report the findings to the botmaster.
Thus, bad bots can abuse credit or gift cards, steal data, perform DDoS attacks by overloading the server with large volumes of requests, send spam, skew the results of a commercial ad campaign, snap up high-demand products, or carry out other activity. That is why protecting your e-commerce website against bad-bot attacks is a must.
However, bots are almost impossible to detect and to distinguish from the activity of a human being: they professionally simulate human behavior and act slowly so as not to raise flags.
Store owners can apply some techniques to ensure sufficient protection:
- Installing a server firewall, that is, a set of filters based on user-defined rules. The firewall is intended to allow legitimate traffic and block illegitimate traffic: once a traffic packet is identified, it is subjected to the rules configured for the firewall. So, if you’ve noticed that malicious bots are coming from a specific country, say, China or Russia, you can block all IPs from those locations with a firewall rule.
- Using a reverse proxy with robust built-in bot management tools (for example, Cloudflare). Once malicious bots are detected by AI-powered algorithms, they are dropped without blocking good bots or impacting the UX.
- Cross-Site Scripting (XSS)
XSS can affect both small and large companies. Cross-site scripting is considered the #1 web attack on online stores, ahead of DDoS and SQL injection. As per the latest stats, XSS is responsible for over 31% of all cybercrime. For instance, eBay, the e-commerce giant, has been victimized by hackers who injected JavaScript code into some listings for low-priced smartphones; the code redirected visitors to a fake page designed to compromise users’ credentials.
These attacks occur when a hacker uses an application to deliver malicious code, in the form of a browser-side script, to an end user. Vulnerabilities that allow XSS are widespread and can be found anywhere on the web.
The major target of an XSS attack is users’ authentication information: names, emails, mailing addresses, tokens, passwords. Once an intruder has this data, they can exploit the users’ accounts to the greatest possible extent; for example, they can use the credit card linked to the account to place fraudulent orders. When a criminal logs in to the system, it becomes almost impossible to distinguish the hacker’s activity from the real user’s.
Protecting your business from XSS is of great importance. Website security is so vital that Google is ready to pay $10,000 under its reward program to developers who find an XSS vulnerability.
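How seller-supplied listing text turns into a browser-side script, as an added example that is not from the original article: a vulnerable listing template beside its output-encoded form, with a small parser that reports what a browser would see. The listing data is constructed and the two hostile titles are textbook test strings; nothing here executes them.

```python
import html
from html.parser import HTMLParser

# Constructed listing data, as a seller might submit it to a marketplace. The last
# two titles are textbook stored-XSS strings; nothing here executes them, the code
# only shows how a browser would read them once the template puts them on a page.
LISTINGS = [
    {"title": "Phone XYZ 64GB, great price", "url": "/item/1001"},
    {"title": "Cheap phone <script>alert('x')</script>", "url": "/item/1002"},
    {"title": 'Phone" onmouseover="alert(1)', "url": "/item/1003"},
]

def render_vulnerable(listing):
    """Template that drops seller-supplied text straight into HTML, so markup in a
    title becomes live markup for every visitor who views the listing."""
    return '<li><a href="%s" title="%s">%s</a></li>' % (
        listing["url"], listing["title"], listing["title"])

def render_safe(listing):
    """Hardened template: each untrusted value is HTML-escaped before insertion.
    quote=True also escapes the double quote, which matters because one copy of
    the title lands inside an attribute value."""
    title = html.escape(listing["title"], quote=True)
    url = html.escape(listing["url"], quote=True)
    return '<li><a href="%s" title="%s">%s</a></li>' % (url, title, title)

class TagCollector(HTMLParser):
    """Records every start tag and its attribute names, in document order."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, sorted(name for name, _ in attrs)))

def browser_view(rendered):
    """Parse a snippet the way a browser would and return the tags it sees.
    The template itself contributes exactly ('li', []) and ('a', ['href', 'title']);
    anything else is markup the seller smuggled in."""
    parser = TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.tags

if __name__ == "__main__":
    for item in LISTINGS:
        print("unsafe:", browser_view(render_vulnerable(item)))
        print("safe:  ", browser_view(render_safe(item)))
```

Escaping on output is the baseline; a real store would also validate the title on input and set a Content Security Policy so that an injected inline script would not run even if encoding were missed somewhere.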
In the highly competitive e-commerce world, business owners have to do everything possible to stay afloat. With the onrush of technologies and IT innovations, threats from hackers and online fraudsters pose a bigger risk to e-commerce businesses and retailers than ever before. In this environment, they need to invest in cybersecurity as much as they invest in marketing, sales, or customer support.