With annual sales projected to reach over $630 billion going into 2020, online retailers are a high priority target for hackers, so much so that annual losses attributed to website attacks are estimated at $12 billion. So, what tactics will hackers use to ruin retailers’ holiday and New Year momentum? Let’s dive into a recent report that highlights the most prevalent ecommerce attacks and threats facing online retailers.
Top Ecommerce Web Attacks
The objectives of ecommerce attacks generally fall into three categories: stealing credit card information, guessing cart tokens to hijack the shopping session, or exfiltrating personally identifiable information from customer accounts to use in other forms of fraud. The means used by hackers vary widely. The top five web attacks against online retailers include:
- Account takeovers (29.8 percent). Stolen or guessed credentials are used to log into a customer’s account, allowing the attacker to change the customer’s settings, lock them out and place fraudulent orders. Once a username and password combination is validated on one site, it is then tried against a large number of additional financial and ecommerce sites (credential stuffing).
- Bot impostor attacks (24.1 percent). Requests that impersonate legitimate search engine crawlers (“fake bots”) are used to gather pricing and inventory data. They show up as illegitimate requests, price scraping and gift card cracking.
- SQL Injection (SQLi) attacks (8.2 percent). Attackers supply input that is pasted into database queries, bypassing the application’s access controls to read data they are not entitled to. That data can include company data, user lists and customer details.
- Backdoor file attacks (6.4 percent). Malware plants a persistent backdoor on the server, which allows further attack activity for as long as it goes undetected. These are the fastest-growing attacks because they let the attacker bypass normal authentication on every later visit.
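To make the SQL injection item concrete, here is an added example (not code from the report or the original article) showing the vulnerable pattern beside its fix. It builds a constructed in-memory SQLite customer table; the table layout, data and the `find_customer_*` function names are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory customer table (sample data, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, "
        "password_hash TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, password_hash, card_last4) VALUES (?, ?, ?)",
        [("alice@example.com", "$2b$12$alice-hash", "1111"),
         ("bob@example.com", "$2b$12$bob-hash", "2222")],
    )
    return conn


def find_customer_vulnerable(conn, email):
    """Vulnerable: the email from the request is pasted into the SQL string,
    so quote characters in it become part of the query."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn, email):
    """Hardened: a bound parameter is passed as data and never parsed as SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two classic payloads (constructed for the example): a tautology that dumps
# every row, and a UNION that pulls a column the query never meant to expose.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT email, password_hash FROM customers WHERE '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(find_customer_vulnerable(conn, TAUTOLOGY))   # every customer's card digits
    print(find_customer_vulnerable(conn, UNION_DUMP))  # every email + password hash
    print(find_customer_safe(conn, TAUTOLOGY))         # [] : no such email exists
```

Against the vulnerable function the tautology returns both customers and the UNION payload returns the password hash column; the parameterised version returns nothing for either payload because the whole string is compared as an email address.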
There’s no silver bullet for ecommerce fraud; online retailers must develop comprehensive cyberdefense strategies aligned with the types of threats they face, including:
- Integrate security tools into software delivery and IT operations (DevOps) processes. This extends security across the design and release lifecycle, from development to operations, and lets automation respond to attacks as they happen rather than after the fact.
- Monitor. Monitoring both server instances and web application traffic is essential to detect and block illicit activity.
- Interpret and act on monitoring data effectively. The key is blocking attempted attacks without impeding legitimate customer traffic and jeopardizing their purchases. Here, larger than expected volumes of key authentication events can reveal whether webform activity is legitimate. Anyone can forget their password, but 50 failed logins within a minute most likely indicates automated guessing.
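The "50 failures in a minute" rule of thumb above, turned into detection logic as an added example (not code from the article or the report). It scans constructed log lines in a `timestamp ip=... user=... event=...` format, which is an assumption made for the example; a real deployment would parse its own log format. It also separates the credential stuffing pattern from the account takeover item (many accounts tried from one source) from repeated guesses at a single account, and shows one blind spot of a fixed per-minute threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Article's rule of thumb: a few failed logins is a forgotten password,
# ~50 within a minute is an automated guessing tool.
THRESHOLD = 50
WINDOW = timedelta(seconds=60)
FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one constructed log line, e.g.
    '2019-12-02T10:00:01Z ip=203.0.113.5 user=alice event=login_failed'.
    The format is an assumption for this example; adapt it to your logs."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, FMT)
    return rec


def detect_guessing(lines, threshold=THRESHOLD, window=WINDOW):
    """Scan lines in time order. Return {ip: {"at", "kind", "users"}} for each
    source IP whose failed logins inside a sliding window reach `threshold`.
    'kind' distinguishes many accounts from one source (credential stuffing)
    from repeated guesses at a single account (password guessing)."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> distinct usernames attempted
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec.get("event") != "login_failed":
            continue
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        users[ip].add(rec.get("user", ""))
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            kind = "credential_stuffing" if len(users[ip]) > 1 else "password_guessing"
            alerts[ip] = {"at": ts.strftime(FMT), "kind": kind, "users": len(users[ip])}
    return alerts


def sample_log():
    """Constructed sample log (not real data) with three kinds of source."""
    base = datetime(2019, 12, 2, 10, 0, 0)
    lines = []
    # 1. A shopper who mistypes a password three times, then gets in.
    for i, ev in enumerate(["login_failed"] * 3 + ["login_ok"]):
        t = base + timedelta(seconds=15 * i)
        lines.append(f"{t.strftime(FMT)} ip=198.51.100.7 user=alice event={ev}")
    # 2. Credential stuffing: 60 different accounts from one IP in 30 seconds.
    for i in range(60):
        t = base + timedelta(milliseconds=500 * i)
        lines.append(f"{t.strftime(FMT)} ip=203.0.113.5 user=user{i} event=login_failed")
    # 3. Low-and-slow guessing at one account: 50 failures spread over 10 minutes,
    #    which never reaches 50 in any one minute (a blind spot of this rule).
    for i in range(50):
        t = base + timedelta(seconds=12 * i)
        lines.append(f"{t.strftime(FMT)} ip=192.0.2.9 user=bob event=login_failed")
    return sorted(lines)   # ISO timestamps sort chronologically as strings


if __name__ == "__main__":
    for ip, info in detect_guessing(sample_log()).items():
        print(ip, info)
```

Only the credential stuffing source is flagged, on its 50th failure; the shopper's three mistakes never come close to the threshold, which is the "don't impede legitimate customers" property the text asks for. The slow guesser at a single account is the caveat: a fixed per-minute count misses it, so in practice the per-source window is paired with a per-account counter over a longer period and with the bot-detection signals from the earlier list.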
As long as people shop online, hackers will target the retailers who serve them. Ecommerce fraud will likely always be with us, but by taking this threat seriously, and implementing security tools, merchants can minimize their losses and make the most of their opportunities throughout the years to come.