Hackers and their techniques are constantly changing, becoming both more advanced and more destructive, but one thing remains the same: e-commerce websites are the primary target for cyberattacks.
From compromised customer data and financial fraud to leaked trade secrets and ruined customer trust, a data breach can quickly plunge even a prosperous company into crisis.
While online retailers adopt innovative technologies to boost their businesses and make their stores more advanced, hackers take advantage of those same improvements to penetrate systems and gain access to data.
The statistics are intimidating: according to a VMware Carbon Black report, attempted cyberattacks against online retailers increased by 20% during last year’s holiday season. In addition, more than half of the companies surveyed said they plan to increase their cybersecurity staff in 2021.
Given this, online entrepreneurs have to build up their security maturity to protect both their businesses and their customers, and to minimize the cost of a data breach should one occur. The first step is understanding the security threats e-commerce websites may face in 2020; this will help retailers develop the right strategies to mitigate them.
Many business owners consider DDoS attacks “old-fashioned” and don’t take them seriously. However, ignoring this threat can cost companies millions in lost revenue, not to mention the reputational damage: lost customer trust and bad PR. In addition, small DDoS attacks are sometimes used to mask more damaging security breaches.
A DDoS attack aims to disrupt a website by flooding its servers with a huge number of requests until the site crashes. Attackers use Low Orbit Ion Cannon (LOIC) and similar tools to overload the victim’s server with UDP, TCP and HTTP packets.
DDoS attacks most commonly occur during peak sales periods (seasonal sales or Black Friday); it is reported that DDoS attacks on e-commerce providers ramp up by over 70% on Black Friday.
Ransomware is essentially a form of financially motivated crime that has become very popular in recent years and has turned into a full-scale business for criminals. Since such an attack can be carried out without solid coding skills, the number of e-commerce organizations affected by ransomware is constantly growing.
In a ransomware attack, the victim usually receives an email with malware attached. Once the victim opens the attachment, the infection spreads across the system and encrypts the data or locks the victim out of it. As a result, the victim cannot access important files or documents until they pay the ransom demanded by the attacker. The ransom is demanded in Bitcoin, which makes the attacker’s identity difficult to trace.
Apart from the money business owners are asked to pay to regain access to their systems, becoming a ransomware victim has other direct consequences. For e-commerce stores, such an attack can put the shop out of commission for a long period. Given that downtime can spell death for an e-commerce business, the scale of the problem can be huge.
Protecting your e-commerce website against SQL injection (often called MySQL injection in the e-commerce context) should be part of your site security checklist. The prime target of these attacks is the databases behind web apps and sites. Attackers exploit loopholes in the back-end code to insert malicious SQL into a query and have it executed. Once the malicious query is treated as valid and executed, the attacker gains control over the victim’s database.
In fact, SQL injection has three entry points into your database:
- known bugs in your e-commerce platform;
- known bugs in third-party modules;
- security vulnerabilities in custom code.
SQL injection can have a destructive effect on online stores. For instance, in 2019 a critical SQL injection vulnerability was discovered in Magento, one of the most popular e-commerce platforms. The vulnerability, PRODSECBUG-2198, put more than 300,000 online stores at risk of credit-card-skimming attacks. If you own a Magento-based website, we recommend reading a Magento security guide to learn how to secure your store and keep your customers’ data safe.
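As an added example (not code from the article, from Magento or from any of the platforms mentioned), the following Python snippet shows the defect that makes a query injectable beside the parameterised form that fixes it. The standard-library sqlite3 driver stands in for a store’s MySQL database; the customer table, its rows and the function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny customer table standing in for a store's database.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com", "Alice"),
    (2, "bob@example.com", "Bob"),
    (3, "carol@example.com", "Carol"),
]


def make_db():
    # In-memory database so the example runs offline with no setup.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    # BAD: the user-supplied value is concatenated into the SQL text, so characters in the
    # input (a quote, an OR, a comment marker) change the structure of the statement itself.
    sql = "SELECT id, email, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # GOOD: the statement text is fixed and the value travels separately as a bound parameter,
    # so whatever the input contains it can only ever be compared as data, never parsed as SQL.
    sql = "SELECT id, email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    conn = make_db()
    honest = "bob@example.com"
    # Textbook tautology input: closes the quoted string and appends an always-true condition.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),   # one row, as intended
        "vulnerable_hostile": lookup_vulnerable(conn, hostile), # every row: the WHERE clause was rewritten
        "safe_honest": lookup_safe(conn, honest),               # one row
        "safe_hostile": lookup_safe(conn, hostile),             # no rows: no customer has that literal email
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The same rule applies to every MySQL driver and to ORMs that let you pass raw SQL strings: the fix is to bind values as parameters (or use the ORM’s query builder), not to filter “dangerous” characters out of input. The three entry points listed above (platform bugs, third-party modules, custom code) are all places where a concatenated query like `lookup_vulnerable` can hide, which is why patching and code review of extensions matter as much as your own code.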
Phishing is a hacking technique that uses mass mailing to trick people into clicking malicious links or revealing private information by entering their data on a fake page. Hackers have multiple tricks to lure customers and businesses into taking the bait:
- fake emails and phone calls;
- fake checkout pages;
- PayPal account suspension notices;
- URL modifications;
- embedded malware.
According to recent phishing statistics, nearly 76% of businesses fell victim to phishing in 2018.
Phishing affects not only users but also online businesses, ruining the trust between them.
Bad bots are a relatively new kind of self-propagating malware developed to perform specific tasks. They operate as follows: the bots scan websites for security vulnerabilities and either report them to the botmaster or exploit them to perform fraudulent activity. In addition, a bad-bot attack can overload the server infrastructure and drive server costs up. Bot protection should therefore be an integral part of your security strategy.
The most challenging thing about bad bots is that they are hard to distinguish from genuine human activity. The latest generation is endowed with human-like interaction characteristics that closely mimic a real visitor’s behavior.
To protect your store against malicious bots, you can apply several methods:
- Install a server firewall that blocks illegitimate traffic.
- Set up firewall rules for Nginx. Firewall rules are a set of filters that let your server decide which packets are allowed through the firewall and which are blocked. If, say, you notice strange traffic coming from a certain location, you can block all IPs from that country with a firewall rule.
- Use a reverse proxy (for example, Cloudflare).
Brute Force Attacks
Brute force attacks target online store admin panels in an attempt to guess passwords and gain administrative access to the site.
The typical example of this kind of threat is a password-guessing attack, in which intruders try every possible combination of digits, letters and symbols until they hit on the correct password. Modern technology has made this process easier: by using bots, hackers can automate password guessing, since bots can try different combinations far faster than a human could.
Recently Alibaba, one of the most famous e-commerce platforms, was the subject of a massive brute force attack that resulted in the compromise of up to 21 million accounts over two months. The attackers used a database of more than 99 million usernames and passwords for this purpose.
Standard defense methods against a brute force attack include:
- Enforcing strong, unique passwords that differ from the default.
- Limiting the rate of login attempts to the admin panel from a single IP.
- Hiding both the admin and customer login pages.
- Applying two-factor authentication or other forms of verification.
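As an added example that is not part of the original article, the Python below implements two of the controls discussed on this page in one place: the static IP deny list used against bad-bot traffic in the bot-protection section, and the per-IP limit on failed admin-login attempts listed above. The policy values, the class and function names, and the login attempts fed through it are all constructed for the demonstration.

```python
from collections import defaultdict, deque

# Policy values chosen for this example (assumptions, not figures from the article).
MAX_FAILURES = 5        # failed logins tolerated per source IP ...
WINDOW_SECONDS = 300    # ... within this sliding window ...
LOCKOUT_SECONDS = 900   # ... after which the IP is refused for this long


class LoginThrottle:
    """Per-IP throttle for admin-panel logins, consulted before any password check.

    Combines a static deny list (the role a firewall or geo rule plays) with a
    sliding-window limit on failed attempts (the 'limit login attempts per IP' defence).
    """

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS, blocklist=()):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.blocklist = set(blocklist)
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failed attempts
        self.locked_until = {}               # ip -> time at which its lockout expires

    def check(self, ip, now):
        """Return 'blocked', 'locked' or 'allow' for an attempt from ip at time now."""
        if ip in self.blocklist:
            return "blocked"
        until = self.locked_until.get(ip)
        if until is not None:
            if now < until:
                return "locked"
            # Lockout expired: forget it and start counting afresh.
            del self.locked_until[ip]
            self.failures[ip].clear()
        return "allow"

    def record_failure(self, ip, now):
        """Record a failed attempt; return True if this one tripped the lockout."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # drop failures that fell out of the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        self.failures[ip].clear()


def process_attempts(attempts, throttle):
    """Run (time, ip, credentials_valid) tuples through the throttle and return one outcome
    per attempt. 'credentials_valid' stands in for the real password check."""
    outcomes = []
    for now, ip, valid in attempts:
        decision = throttle.check(ip, now)
        if decision != "allow":
            outcomes.append(decision)        # refused before the password is even examined
        elif valid:
            throttle.record_success(ip)
            outcomes.append("login_ok")
        else:
            throttle.record_failure(ip, now)
            outcomes.append("login_failed")
    return outcomes


# Constructed sample input: admin-login attempts as (epoch seconds, source IP, valid?).
SAMPLE_ATTEMPTS = [
    (1000, "203.0.113.7", False),    # password-guessing run starts
    (1002, "203.0.113.7", False),
    (1004, "203.0.113.7", False),
    (1006, "198.51.100.5", False),   # legitimate admin mistypes once
    (1007, "203.0.113.7", False),
    (1009, "203.0.113.7", False),    # 5th failure within 300 s: lockout set until 1909
    (1011, "203.0.113.7", True),     # even a correct guess is refused while locked
    (1015, "198.51.100.5", True),    # legitimate admin logs in normally
    (1020, "192.0.2.9", True),       # on the static deny list: never reaches the password check
    (1910, "203.0.113.7", False),    # lockout has expired; counting starts over
]


def demo():
    throttle = LoginThrottle(blocklist={"192.0.2.9"})
    return process_attempts(SAMPLE_ATTEMPTS, throttle)


if __name__ == "__main__":
    for attempt, outcome in zip(SAMPLE_ATTEMPTS, demo()):
        print(attempt, "->", outcome)
```

The same per-IP limit can be enforced at the edge, for example with Nginx’s `limit_req` directive or a reverse proxy, so that the flood never reaches the application. Note the limitation a single-IP throttle has against an attack like the Alibaba case described above: a guessing run spread across many source addresses and fed by a large list of leaked username/password pairs stays under any per-IP threshold, which is why two-factor authentication and strong, unique passwords remain on the list.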
Cross-Site Scripting (XSS)
The main XSS target is user authentication information: tokens, names, email addresses, passwords. Once a hacker gets hold of this data, they can use the victim’s account to its full extent. For instance, if an intruder knows the customer’s credit card number linked to the e-commerce account, they can use it to place fraudulent orders or change the shipping address so the order is delivered to the wrong place.
As such, once a cybercriminal logs in with a stolen account, it is almost impossible to tell the real user’s activity from the hacker’s.
XSS is considered the number one web attack, ahead of SQL injection and DDoS. According to the latest research, cross-site scripting accounts for over 31% of all web attacks.
XSS is not only the user’s problem; it also affects your business. Instead of targeting the user, hackers can use cross-site scripting to deface the website: the injected script can redirect the browser to a fake page containing malicious code, or change the content of the site.
Protecting your business from XSS is of critical importance. Even Google is prepared to pay $10,000 under its reward program to developers who find an XSS vulnerability.
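As an added example (not code from the article), the Python below shows the defect behind a stored XSS in a store’s product-review list and the output-encoding fix. The review texts, the HTML template and the function names are constructed for the demonstration; the hostile entries are the standard harmless test strings used to show that injected markup would execute.

```python
import html
import re

# Constructed sample input: product reviews as submitted through a store's review form.
# The second and fourth entries are the kind of hostile input an XSS attacker would submit.
SAMPLE_REVIEWS = [
    ("alice", "Great shoes, fit perfectly!"),
    ("mallory", "<script>alert(document.cookie)</script>"),
    ("bob", 'Size guide says "medium" but runs small & tight'),
    ('" onmouseover="alert(1)', "Nice"),   # breaks out of an attribute instead of a text node
]

# The author name lands in two HTML contexts: an attribute value and element content.
TEMPLATE = '<li class="review" data-author="{author}"><b>{author}</b>: {body}</li>'


def render_vulnerable(author, body):
    # BAD: user-controlled text is interpolated straight into the markup, so any tags or
    # quotes in a review become part of the page structure and run in every visitor's browser.
    return TEMPLATE.format(author=author, body=body)


def render_safe(author, body):
    # GOOD: every user-controlled value is escaped for HTML. html.escape() converts < > &
    # and, with its default quote=True, " and ' as well, which also covers the attribute context.
    return TEMPLATE.format(author=html.escape(author), body=html.escape(body))


def render_review_list(renderer, reviews=SAMPLE_REVIEWS):
    # Builds the <ul> fragment a store page would embed, using the given renderer per item.
    return "<ul>\n" + "\n".join(renderer(a, b) for a, b in reviews) + "\n</ul>"


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
EVENT_HANDLER = re.compile(r'\bon\w+\s*=\s*"', re.IGNORECASE)   # e.g. onmouseover="..."


def contains_active_markup(fragment):
    # Check used by the demo: True if a live <script> tag or an injected event-handler
    # attribute survived into the rendered fragment. Escaped text (&lt;script&gt;,
    # onmouseover=&quot;) no longer matches either pattern.
    return SCRIPT_TAG.search(fragment) is not None or EVENT_HANDLER.search(fragment) is not None


if __name__ == "__main__":
    print(render_review_list(render_vulnerable))
    print()
    print(render_review_list(render_safe))
```

Escaping has to match the context the value lands in: `html.escape` is right for element content and quoted attributes, but a value placed inside a URL or a script block needs that context’s encoding instead. Two defence-in-depth measures limit what a script that does slip through can do: marking session cookies `HttpOnly` so they are not readable from JavaScript, and a Content-Security-Policy header that disallows inline scripts.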
It would not be an exaggeration to say that today’s world is in the midst of a cybersecurity arms race. With the rapid advance of technology, online fraudsters and hackers present a bigger danger to e-commerce businesses and user safety than ever before.
To secure their online stores against cyberattacks, business owners must invest in this area as much as they invest in other business functions such as marketing, sales or customer service.