Posted by Trevagh Stankard on Thu, Jan 28th, 2021
The growth of online retail has been followed closely by an acceleration of cyberattacks. Unlike many traditional bricks-and-mortar (B&M) stores that were forced to close during the Covid-19 pandemic, online retail has experienced a boom. Whilst the World Economic Forum reported that staying at home reduced virus case numbers, researchers at Salesforce showed that global digital sales grew by 36% year-on-year to December 2020.
As expected, cybercriminals are ‘following the money’, and the retail industry is seeing an uptick in cyber-attacks as online transactions soar.
The Cyber-Threat Landscape and the Online Retailer in 2020
Online retail is predicted to suffer a staggering £5.9 billion ($8.1 billion) in losses each year because of cyber-attacks. And according to a recent Ponemon study, a cyber-attack affecting an online retailer costs, on average, over $2 million.
Cybercriminals use several methods to target vulnerable e-commerce sites. These include:
Web Application Attacks
Online retail is the go-to target for many web-borne cyber-attacks. The 2020 Verizon Data Breach Investigations Report (DBIR) revealed that in 43% of all data breaches, web applications were the target. Over the course of 2020 there was an increase of around 800% in attacks based on web applications. The most common attack types against web applications include remote code execution, data leakage, and cross-site scripting (XSS).
Credential stuffing and Online Retail
Credential stuffing uses previously stolen login credentials in an attempt to take over an account. Akamai, a vendor that monitors credential stuffing attacks, found that the retail sector was the most targeted for this form of attack. Attack detections in the commerce category of the report hit 64 billion credential stuffing attempts between 2018 and 2020, and the retail sector accounted for around 90% of all such attacks in the category.
Distributed Denial of Service (DDoS)
A DDoS attack uses, often, thousands of bot-infected devices to send malicious traffic at a target website. The bot malware on these devices is designed to overwhelm a website or web server and cause it to crash. Amazon Web Services (AWS) was hit with the largest DDoS attack in history during 2020. The cyber-attack affected thousands of retailers dependent on online sales to maintain their business during the pandemic.
Events and phishing
Cybercriminals love an event. By focusing their campaigns on big calendar happenings in the retail world, hackers can use social engineering tricks to create successful phishing campaigns. In the run-up to Black Friday 2020, a surge in phishing attacks related to the event was detected. A Check Point report found a 13x increase in phishing emails in the six weeks to Black Friday. The rate of phishing in November 2020 was around one in every 826 emails delivered, compared to less than one in 11,000 at the start of October. Check Point attributes the increase to cybercriminals capitalizing on people staying at home and shopping online.
API Attacks
The world of retail is increasingly dependent on API calls to look up information, check customer identity, and perform transactions. But APIs are a potential weak spot in terms of security. Attacks on retail APIs during 2020 far exceeded the levels of previous years, according to research. Popular attack vectors include cross-site scripting (XSS) and SQL injection.
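Both vectors named above come down to the same defect: untrusted input is pasted into a structured language (SQL or HTML) instead of being passed as data. The following added example (not code from the article) shows a small order-lookup API handler in its vulnerable form beside the fixed form, using an in-memory SQLite table with constructed rows, and does the same for the HTML that a search endpoint echoes back. The table, column names and sample values are assumptions.

```python
"""SQL injection and XSS in an API handler: the defect beside the fix
(added example, not from the article)."""
import html
import sqlite3


def make_db():
    """Constructed in-memory orders table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 40.0), (2, "bob", 99.5), (3, "carol", 12.25)],
    )
    return conn


def orders_vulnerable(conn, customer):
    """Vulnerable: the caller-supplied value becomes part of the SQL text, so a
    value containing quotes and SQL keywords changes what the query means."""
    sql = f"SELECT id, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def orders_safe(conn, customer):
    """Fixed: the statement shape is constant and the driver binds the value
    as data, whatever characters it contains."""
    sql = "SELECT id, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def search_page_vulnerable(term):
    """Vulnerable: user input is interpolated straight into HTML, so markup
    in the term is rendered (and scripts in it executed) by the browser."""
    return f"<p>Results for {term}</p>"


def search_page_safe(term):
    """Fixed: escape for the HTML text context before interpolating, so the
    term is shown literally."""
    return f"<p>Results for {html.escape(term)}</p>"


if __name__ == "__main__":
    db = make_db()
    # A value that is not any customer's name; the vulnerable handler
    # returns every row, the safe one returns none.
    hostile = "x' OR '1'='1"
    print("vulnerable:", orders_vulnerable(db, hostile))
    print("safe:      ", orders_safe(db, hostile))
    print(search_page_safe("<script>alert(1)</script>"))
```

A WAF (listed in the best practices later in this article) can filter some of these payloads on the way in, but the fix that holds is the one shown here at the point of use: parameterized statements for every query and context-appropriate escaping for every value written into a page.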
Client-side Attacks
The CMS (Content Management System) frameworks used as platforms for many online retail outlets are a target for cyber-attacks. One of the most infamous recent attacks of this nature was the attack on the UK airline British Airways (BA). The company was fined around £20 million ($27 million) for a breach that affected 185,000 reward program customers and a further 380,000 users of the airline’s app and website. The company is now expecting a customer settlement bill of around £3 billion. The breach occurred when a malicious script comprising 22 lines of code was inserted into the BA website. A vulnerability in a web element allowed the hack to occur. Once in situ, the code transferred data to ‘baways.com’, a URL chosen to look very similar to the legitimate ‘britishairways.com’.
Other client-side attacks include the misuse or incorrect implementation of secure internet communications. For example, securing data in transit is vital to maintaining data security. Using encrypted communication protocols such as Transport Layer Security (TLS) when transmitting data across Wi-Fi or other networks prevents Man-in-the-Middle attacks that would otherwise allow the theft of login credentials.
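The BA breach described above is a script-injection pattern in which a page starts loading, or posting to, a host that was never part of the site. Two defensive controls follow directly: inventory the scripts a checkout page actually loads against an allowlist of expected hosts, and ship a Content-Security-Policy header so the browser refuses anything else. The added example below (not code from the article, BA or any CMS vendor) does both over a constructed checkout page; the hostnames, the lookalike domain and the `/csp-report` endpoint are assumptions.

```python
"""Script-injection check for a checkout page plus a CSP allowlist
(added example, not from the article)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page: one first-party script, one approved payment
# provider script, one script from a lookalike host that is NOT on the
# allowlist, and one inline script.
SAMPLE_HTML = """
<html><head>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn.payments-provider.example/v3/pay.js"></script>
<script src="https://shop-examp1e.example/js/a.js"></script>
<script>window.cfg = {};</script>
</head><body></body></html>
"""

# Assumed allowlist: the only hosts this site is expected to load script from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.payments-provider.example"}


class ScriptCollector(HTMLParser):
    """Collects every <script src> and counts inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self.inline += 1


def find_unexpected_scripts(html_text, allowed_hosts):
    """Return (list of script URLs whose host is off the allowlist,
    number of inline scripts). Inline scripts are reported separately
    because a policy without 'unsafe-inline' will block them too."""
    parser = ScriptCollector()
    parser.feed(html_text)
    unexpected = [
        src for src in parser.srcs
        if (urlparse(src).hostname or "") not in allowed_hosts
    ]
    return unexpected, parser.inline


def build_csp(allowed_hosts, report_uri="/csp-report"):
    """Build a Content-Security-Policy header value that permits script only
    from the allowlisted hosts and reports violations to report_uri (assumed
    collector endpoint). Omitting 'unsafe-inline' means an injected inline
    script is blocked as well, and connect-src/form-action keep an injected
    script from posting data to a lookalike host."""
    sources = " ".join(sorted("https://" + host for host in allowed_hosts))
    return (
        "default-src 'self'; "
        f"script-src {sources}; "
        f"connect-src {sources}; "
        "form-action 'self'; "
        f"report-uri {report_uri}"
    )


if __name__ == "__main__":
    bad, inline = find_unexpected_scripts(SAMPLE_HTML, ALLOWED_SCRIPT_HOSTS)
    print("unexpected script sources:", bad)
    print("inline scripts (would be blocked by CSP):", inline)
    print("Content-Security-Policy:", build_csp(ALLOWED_SCRIPT_HOSTS))
```

Run the inventory against a rendered copy of the checkout page on every deploy and on a schedule, since the BA script appeared in a page that had not otherwise changed; the CSP report endpoint then gives a second, browser-side signal if an unexpected host shows up between scans.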
A series of best practices can be used to close off these attack routes. These include:
- The correct use of Transport Layer Security across an online site (HTTPS)
- Secure transaction processing (including tokenization of financial data)
- The use of anti-phishing software
- Multi-factor authentication to protect CMS access
- DDoS protection measures
- Prevention of malicious script insertion into CMS and other web resources using web content filtering
- Deployment of a Web Application Firewall (WAF)
Online shopping for food, medicines, and other essentials has been a vital service during the pandemic. With more people choosing to shop online, the trend is likely to continue. Online retailers can offer customers a secure shopping experience by taking these precautions and closing off the routes to a cyber-attack.
WebTitan protects your business and customers against all cyberattacks, suitable for all industries including retail. Get in touch today and find out how we can better protect your organization from cyberattacks in 2021. Contact us today.