‘Tis the season to be shopping, and holiday shopping sales break record after record, year after year. In 2018, Black Friday revenues increased by 23% as the holiday raked in $6.2 billion, and Cyber Monday hit $7.9 billion, reaching a 20% increase, which officially makes it the biggest online shopping day in the US. These records are just as impressive on a global scale, which makes sense, considering that shoppers around the world are highly familiar with the discounts and special offers and wait to make large purchases during those days.
But shoppers and retailers are not the only ones excited for the holiday shopping celebration. Billions of dollars spent by consumers worldwide create an incentive for hackers that is stronger and more dangerous than ever. According to Carbon Black, there was a 57.5% increase in attempted cyberattacks during the holiday season of 2017. One year later, in 2018, researchers found no less than 6,000 malicious apps that were masked as Black Friday and Cyber Monday special offers by leading retail brands.
To avoid appearing on hackers’ holiday wish-list, here are a few important aspects to consider.
What kind of attacks can we expect to encounter?
Hackers like to try different methods, but here are some of the most popular ones:
Magecart: Magecart hackers implement malicious code in order to skim websites and their 3rd party partners. The code collects data during checkout, for instance, while the website itself continues to operate uninterrupted, leaving hackers with a lot of valuable data.
Formjacking: This is a specific form of Magecart, in which hackers focus on online payment forms to steal data and, subsequently, assets. The malicious code is injected into the payment forms and again, goes undetected – in some cases for a long period of time.
JavaScript Sniffing or online POS: In the physical world, POS (point-of-sale) attacks include skimming devices that are attached to ATMs or gas pumps in order to steal credit card data. The online version of that replaces these devices with a few lines of code that are injected into the website. Like Magecart and Formjacking attacks, they are difficult to identify and can be implemented through 3rd party code.
On-Site Phishing: Using malicious JavaScript to create a fake checkout form replacing the websites original form. This is usually done on websites that will host the checkout form on a secure iframe, thinking this will protect their user’s data.
The above attacks are not unique to the holiday season, as they take place on a daily basis all year round. Global events such as Black Friday and Cyber Monday increase the volume and frequency of each type of attack.
What makes eCommerce websites more susceptible to such attacks?
First, eCommerce websites are an obvious target for hackers during holidays because the majority of transactions take place online, and hackers are likely to focus on such websites planning for big rewards.
Second, eCommerce websites are built in a way that incorporates many 3rd party tools, which are meant to improve customer experience and help website owners offer more capabilities without having to develop every feature on their own. Such features may include analytics, chat, payment processing, ads, and more. Unfortunately, this also exposes users to malicious or simply poorly protected collaborators. The more websites increase their usage of external code provided by 3rd parties, the more they expose their customers to attacks on their data.
What are the potential implications of such attacks?
The negative consequences of a hacked eCommerce website are endless. Here are a few that should be taken into consideration:
- Mitigation costs: Hiring extra help or shifting focus to manage the attack costs a lot of money. It also takes away from other projects that the website’s development team could and should have been promoting during that time. If the site was down during the time it took to get everything fixed, even more revenue was lost.
- Lost sales: Chances are that hacked customers will never return to the website to make another purchase. Considering the fierce competition out there, these customers will find a new home with the website’s competitors rather quickly.
- Legal fees: Customers who suffered due to an unsecured website might decide to sue, causing the website’s owners to spend a lot of money on legal proceedings, in addition to damage, if applicable. A recent British Airways attack has led to a ~$203 million fine, so there are regulations to consider as well.
- PR management: A hackers’ attack might lead to very bad publicity, causing a PR crisis that influences future revenue and costs money to manage.
To learn more about the real impact hacking can have on your bottom line, check out our detailed post right here.
What can eCommerce brands do to protect and prepare their website for Black Friday and Cyber Monday?
The first and most important thing to do is raise awareness levels by reading articles such as this one. For further reading, visit our blog and learn about the 7 pointers worth paying attention to for the ultimate Magecart and Formjacking protection. Make sure to stay up to date and educated on the latest attacks and methods.
Second, consult with experts and conduct a thorough audit to see if your website and any 3rd party features meet the necessary security standards. Discover weak spots on your website which could demand some extra attention. There are a few protection approaches to combine or choose from. Here is a brief overview of these alternatives, to get you ready for such a discussion:
- Content security policy (CSP): Forming a whitelist of approved domains to determine which 3rd party code will be included on the website. CSP usage often limits website functionality and agility levels.
- Subresource integrity: Asking suppliers to provide their code in advance and studying it in ways that detect unwanted changes. This solution might fail to prevent 4th party attacks and can also limit website functionality.
- Application security testing: Carefully testing each line of code to alert of any suspicious behavior. This solution is not recommended as protection against Magecart attacks and 3rd party tools.
- Real-time JavaScript Sandboxing: Based on predetermined guidelines, the web server monitors and manages every interaction between each direct or 3rd party tool and the browser in a secured environment. while the website continues to work uninterrupted.
Holidays present a wonderful opportunity for eCommerce websites, just as long as they come prepared. This year, don’t let hackers rain on your parade and prepare both your stock and your security measures to offer customers the best deals under the most secure conditions.
PCI DSS 4.0 makes client-side security a priority.
Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
