Every year we hear about how the holiday shopping season is set to break all previous records. According to recent data from the National Retail Federation, 2021 will be no different, with sales in the United States expected to grow by 10% compared to last year’s figures, reaching $859 billion, excluding car dealerships, gas stations and restaurants. It’s just too big for cybercriminals to ignore.
As retailers have spent months preparing their supply chains and stocking their shelves to meet this growing demand, I can’t help but ask: what have they done to strengthen their cybersecurity posture?
To answer this question, let’s look at two of the most effective and widely used website attacks cybercriminals rely on to steal from e-commerce businesses:
Web supply chain attacks
In the fallout from the SolarWinds attack, there has been an unprecedented push to improve the security of global software supply chains. A big driver of this push has been the White House Executive Order of May 2021 on improving the cybersecurity posture of the United States. The executive order itself is pretty clear as to why this is an urgent matter. “Commercial software development often lacks transparency, sufficient focus on the software’s ability to resist attack, and adequate controls to prevent tampering by malicious actors,” it reads.
E-commerce sites are particularly prone to web supply chain attacks, as evidenced by a long history of Magecart web skimming attacks that hit companies such as British Airways, Macy’s, Ticketmaster and Newegg. Attackers take advantage of e-commerce sites’ exposure to third-party vendors; on average, each site runs 35 third-party services. That’s almost three dozen weak links that need to be strengthened.
By breaching one of these third-party vendors and injecting a malicious payload into one of their services (conceptually similar to SolarWinds), attackers can breach thousands of websites at once. These attacks can leak credit card data and personally identifiable information and often go undetected for months.
An IBM report finds that the average cost of a data breach in retail rose 63% in 2021 alone, fueled in part by digital transformation and remote working. Overall, this is a strong indicator that data leakage is still one of the most common goals of attackers targeting e-commerce businesses.
Customer hijacking attacks
In today’s highly competitive e-commerce landscape, every retailer is fighting an uphill battle to hold customers’ attention and interest. An online shopper’s attention span is short, so retailers have spent years meticulously optimizing their web pages to improve user experience and maximize conversion rates.
However, these carefully optimized conversion flows are often disrupted by external factors. A common customer hijacking attack occurs through user-installed browser extensions or comparison shopping tools. These display price comparison pop-ups, coupon codes, and similar information right on the page the user is browsing. Clicking on them usually takes the user to a competitor’s website and away from the site they were browsing.
Our own internal research shows that approximately 5% of user sessions on an e-commerce website are affected by this type of hijacking. For a global retailer, this can add up to millions in lost revenue per year (much of it during the holiday shopping season). And if we put it in the context of expected online spending this holiday season, that’s $42.95 billion at stake.
Another example of customer hijacking involves the compromise of a website component (which can occur as a result of a supply chain attack). There have been cases where such a compromise was used by attackers to deliver malware to users directly through the e-commerce site (like what happened to Equifax and TransUnion in 2017). Not only does this completely disrupt the user experience, but it also damages the image and reputation of the brand.
Bridging the Security Gap
Although the tactics, techniques and procedures used in these attacks are quite different, they both stem from the same obvious security flaw: a lack of visibility and control over what is happening on the client side (i.e., everything that happens in the user’s browser or on their device).
Right now, there are likely thousands of e-commerce sites leaking data to attackers and disrupting the user experience for shoppers without the attacked companies knowing anything about it. This happens because these companies have failed to go beyond traditional security approaches (such as using a web application firewall) and have not implemented appropriate security controls on the client side.
To gain this visibility, companies can take a quick and easy first step: look for signs of malicious behavior in every user session, such as a third-party component attempting to tamper with a payment form or a browser extension displaying a pop-up advertisement. But visibility is only half the battle. Businesses should take the extra step and use technology that can block the source of this behavior, effectively preventing web supply chain attacks and customer hijacking.
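As an added example (not code from the original article or from any product), here is what the first step described above can look like in the browser: a small audit of the checkout page that flags a payment form whose action now points off-site, fields injected into it, or scripts loaded from an origin that is not on the page’s allowlist. The policy values, the `shop.example` and `cdn.payments.example` origins, and the snapshot format are assumptions made for the example.

```javascript
// Added example: client-side tamper detection for a checkout form.
// Policy for the hypothetical checkout page (assumed values): where the
// form may post, which fields it should contain, which script origins may run.
const POLICY = {
  formOrigin: 'https://shop.example',
  allowedFields: ['card_number', 'expiry', 'cvc', 'name'],
  allowedScriptOrigins: ['https://shop.example', 'https://cdn.payments.example'],
};

// Audit a plain snapshot { formAction, fields: [names], scripts: [src] }.
// Returns a list of findings; an empty list means nothing suspicious was seen.
function auditCheckout(snapshot, policy = POLICY) {
  const findings = [];
  let action = null;
  try { action = new URL(snapshot.formAction, policy.formOrigin); } catch (e) { action = null; }
  // A skimmer often swaps the form action so card data posts elsewhere.
  if (!action || action.origin !== policy.formOrigin) {
    findings.push({ kind: 'form-action-redirected', value: snapshot.formAction });
  }
  // Extra inputs (e.g. hidden fields) added by a third-party component.
  for (const name of snapshot.fields) {
    if (!policy.allowedFields.includes(name)) {
      findings.push({ kind: 'unexpected-field', value: name });
    }
  }
  // Any script whose origin is not explicitly allowed on the payment page.
  for (const src of snapshot.scripts) {
    let origin = 'invalid';
    try { origin = new URL(src, policy.formOrigin).origin; } catch (e) { origin = 'invalid'; }
    if (!policy.allowedScriptOrigins.includes(origin)) {
      findings.push({ kind: 'unlisted-script', value: src });
    }
  }
  return findings;
}

// Browser-only glue: build the snapshot from the live DOM and re-run the
// audit on every DOM mutation, so an injection after page load is still caught.
function snapshotFrom(form) {
  return {
    formAction: form.getAttribute('action') || '',
    fields: [...form.querySelectorAll('input, select, textarea')].map((el) => el.name),
    scripts: [...document.scripts].map((s) => s.src).filter(Boolean),
  };
}
function watchCheckout(form, report, policy = POLICY) {
  const run = () => { const f = auditCheckout(snapshotFrom(form), policy); if (f.length) report(f); };
  new MutationObserver(run).observe(document.documentElement,
    { childList: true, subtree: true, attributes: true });
  run();
}
```

In a page, `watchCheckout(document.querySelector('#checkout'), (f) => navigator.sendBeacon('/csp-report', JSON.stringify(f)))` would report findings to a backend endpoint (the endpoint name is an assumption); blocking the offending script is then a matter of Content Security Policy or an equivalent control, which this example does not implement.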
In the holiday shopping rush, with record numbers of people expected to shop online, it’s crucial that retailers adopt the proper security controls. Both of these attack vectors can and should be addressed. Failure to do so can result in a record-breaking feeding frenzy for cyberattackers.
So what have retailers done to address these complex cybersecurity threats? It’s hard to say for sure, but let’s hope the answer isn’t “Not enough”.