Upcoming Holiday Shopping Season Brings New Level of Cybercrime Threats to Online Retailers
Online shopping this holiday season is projected to be unprecedented, with many people staying at home and opting to shop online as a result of the COVID-19 mandatory lockdown or due to self-imposed lockdown.
The expected online shopping surge creates a perfect stage for cybercrimes.
Shift to Online Shopping
Statistics Canada reported that from February 2020 to May 2020, retail e-commerce sales soared by 99.3%. The record gain in e-commerce, however, coincided with a record decline in overall retail sales.
Statistics Canada reported that for the same period, the total retail sales fell by 17.9%. The impact of COVID-19, Statistics Canada said, is best highlighted using the April 2020 data, with a 26.4% decline in retail sales compared to the April 2019 data.
A survey conducted by Deloitte showed that 47% of Canadian consumers said they’ve been shopping online more often since the COVID-19 crisis began. The survey further showed that the same share of Canadian consumers (47%) will likely head online to find gifts and other items this holiday season, with the remaining 53% planning to head to traditional retail stores. While the share who intend to shop the traditional way is a few points higher than the share who intend to shop online this holiday season, the online figure is striking given that 69% of holiday shoppers shopped in retail stores during the 2019 holiday season.
“A lot has changed since the 2019 outlook,” Deloitte said. “COVID-19 has changed how Canadians live, work, and shop, and it has turbocharged the fundamental shifts in consumer behaviour that were already underway.”
Imperva, meanwhile, reported that from March 1 to March 22, 2020, traffic to retail websites worldwide soared by as much as 28% on a weekly average.
Holiday Season Cybercrime Threats
A new report from Imperva showed that the upcoming holiday shopping season will present online retailers with a new level of traffic and, at the same time, a level of cybercrime threats never seen before. According to Imperva, online retailers will face the following cybercrime threats this holiday season:
Bad Bots Attacks
According to Imperva, bad bots, as a group, are a top threat to online retailers, both before and during the pandemic. A bad bot refers to a software application that runs automated tasks over the internet.
As opposed to a good bot, which runs automated tasks over the internet for legitimate purposes, a bad bot’s purpose is malicious. Bad bots interact with software applications in the same way legitimate users would, making them indistinguishable from legitimate users.
An example of a bad bot is one that interacts with a website’s login interface, attempting to “brute-force” its way in by trying to log in with username and password combinations until it guesses a correct one. Aside from brute-force attacks, bad bots are used for competitive data mining, personal and financial data harvesting, and more.
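The brute-force bot described above leaves a recognisable trace in ordinary web server logs: a burst of failed login attempts from one source, sometimes followed by a success. The script below is an added example, not code from the original post or from Imperva; it parses constructed access-log lines in the common combined format, counts failed `POST /login` requests per client address within a sliding window, and flags addresses that cross a threshold, noting whether a successful login followed the burst (the case that deserves the fastest response). The log lines, the `/login` path, the 401-for-failure convention and the threshold are all assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (combined log format). 203.0.113.7 is a
# hypothetical bot hammering the login form; 198.51.100.5 is a hypothetical
# real customer who mistyped a password twice and then got in.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Nov/2020:10:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.24"
203.0.113.7 - - [24/Nov/2020:10:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.24"
203.0.113.7 - - [24/Nov/2020:10:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.24"
203.0.113.7 - - [24/Nov/2020:10:00:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.24"
203.0.113.7 - - [24/Nov/2020:10:00:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.24"
203.0.113.7 - - [24/Nov/2020:10:00:06 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.24"
203.0.113.7 - - [24/Nov/2020:10:00:07 +0000] "POST /login HTTP/1.1" 200 2048 "-" "python-requests/2.24"
198.51.100.5 - - [24/Nov/2020:10:01:00 +0000] "POST /login HTTP/1.1" 401 512 "https://shop.example/login" "Mozilla/5.0"
198.51.100.5 - - [24/Nov/2020:10:01:20 +0000] "POST /login HTTP/1.1" 401 512 "https://shop.example/login" "Mozilla/5.0"
198.51.100.5 - - [24/Nov/2020:10:01:35 +0000] "POST /login HTTP/1.1" 200 2048 "https://shop.example/login" "Mozilla/5.0"
198.51.100.5 - - [24/Nov/2020:10:01:36 +0000] "GET /account HTTP/1.1" 200 4096 "https://shop.example/login" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1), login_path="/login"):
    """Return {ip: {"failures": n, "later_success": bool}} for every client address that
    produced at least `threshold` failed logins (HTTP 401) inside any `window`-long span.
    `later_success` is True when a 200 on the login path followed the last failure,
    which is the signal that a credential guess may have worked."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for rec in map(parse_line, lines):
        if not rec or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        if rec["status"] == 401:
            failures[rec["ip"]].append(rec["ts"])
        elif rec["status"] == 200:
            successes[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start, peak = 0, 0
        # Sliding window: advance `start` until the span [start, end] fits in `window`.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_failure = stamps[-1]
            flagged[ip] = {
                "failures": peak,
                "later_success": any(s > last_failure for s in successes.get(ip, [])),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failed logins in one minute; "
              f"{'LOGIN SUCCEEDED AFTERWARDS' if info['later_success'] else 'no later success'}")
```

With the defaults, only the hypothetical bot address is reported (six failures inside a minute, followed by a success); the customer who fumbled a password twice stays below the threshold. The threshold and window are the knobs to tune against a site's real false-positive rate, and the same per-address counting can be extended to per-account counting, which is what catches credential stuffing spread across many source addresses.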
According to Imperva, APIs are attractive targets due to the sensitive payment data they hold. The volume of attacks on retailers’ APIs far exceeded average levels this year, Imperva said.
API, short for Application Programming Interface, is a software intermediary that allows software applications to communicate with one another. A website’s API, for instance, connects the site to other applications such as databases.
According to Imperva, retail sites experienced an average of eight application layer DDoS attacks a month, with a significant spike in April 2020 as lockdowns drove demand for online shopping. DDoS, short for distributed denial of service, refers to a cyberattack that attempts to make an online service, such as a website, unavailable to legitimate users.
DDoS attacks use bad bots. In a DDoS attack, bad bots are organized into a botnet – a network of hijacked computers controlled by attackers to conduct malicious activities such as DDoS attacks. Application layer DDoS, meanwhile, is a type of DDoS attack made up of malicious requests whose end goal is to crash the web server.
According to Imperva, retail sites are vulnerable to client-side attacks because many of these sites are built on frameworks that use a great deal of third-party code. Client-side refers to anything that is displayed or takes place on the client – the end user’s browser. This includes what the user sees on the site’s online forms.
The attack on Ticketmaster is an example of a client-side attack. In June 2018, Ticketmaster made public that they had been compromised and that attackers stole customer information. RiskIQ, the company that discovered the attack, reported that Ticketmaster wasn’t directly compromised but the site’s third-party supplier known as Inbenta was. According to RiskIQ, attackers either added or replaced Inbenta’s code used for Ticketmaster with a malicious one.
A client-side attack can also directly compromise the website itself. Such was the case in the client-side attack on the British Airways website, which was also discovered by RiskIQ.
According to RiskIQ, a malicious code was found in British Airways’ baggage claim page where customers were required to enter their personally identifiable information. The malicious code then sent the information entered to a URL that looked like it belonged to British Airways. Upon closer inspection, however, the URL wasn’t owned by British Airways.
It’s still unknown how the malicious code got into the British Airways’ site in the first place.
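Both incidents above come down to script content changing under the site owner's feet: a supplier's file was swapped for a malicious one in the Ticketmaster case, and a page's own script was altered in the British Airways case. One defensive control is to pin every script the site loads to a hash, which is what browsers enforce through the Subresource Integrity `integrity` attribute. The script below is an added example, not code from the original post, from RiskIQ or from any of the companies named; it computes SRI-style hashes for script bodies, compares freshly fetched copies against a pinned baseline, and reports which scripts are unchanged, which have changed, and which are loading without any pin at all. The vendor URLs and script bodies are constructed for the illustration.

```python
import base64
import hashlib

# Constructed "known good" script bodies, as captured when the site was last reviewed.
# The vendor hostnames are hypothetical placeholders, not real suppliers.
KNOWN_GOOD = {
    "https://chat-widget.example-vendor.test/widget.js": b"window.chatWidget = function () { /* support chat */ };",
    "https://shop.example/static/baggage-form.js": b"document.querySelector('form').addEventListener('submit', validate);",
}

# Constructed "fetched now" copies: the chat widget is unchanged, the form script has
# gained an extra line, and a script nobody reviewed has appeared on the page.
FETCHED_NOW = {
    "https://chat-widget.example-vendor.test/widget.js": KNOWN_GOOD["https://chat-widget.example-vendor.test/widget.js"],
    "https://shop.example/static/baggage-form.js": KNOWN_GOOD["https://shop.example/static/baggage-form.js"]
    + b"\n// unexpected addition",
    "https://cdn.unreviewed-third-party.test/analytics.js": b"/* never pinned */",
}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity value for `body`: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_baseline(scripts: dict) -> dict:
    """Pin every reviewed script: url -> integrity value."""
    return {url: sri_hash(body) for url, body in scripts.items()}


def check_scripts(fetched: dict, baseline: dict) -> dict:
    """Compare fetched script bodies against the pinned baseline.
    Returns url -> 'ok' (hash matches), 'changed' (hash differs) or 'unpinned' (no baseline entry)."""
    verdicts = {}
    for url, body in fetched.items():
        expected = baseline.get(url)
        if expected is None:
            verdicts[url] = "unpinned"
            continue
        algo = expected.split("-", 1)[0]  # recompute with whatever algorithm the pin used
        verdicts[url] = "ok" if sri_hash(body, algo) == expected else "changed"
    return verdicts


def script_tag(url: str, body: bytes) -> str:
    """Render the <script> tag that makes the browser refuse a modified copy of `body`."""
    return f'<script src="{url}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD)
    for url, verdict in check_scripts(FETCHED_NOW, baseline).items():
        print(f"{verdict:>8}  {url}")
    print(script_tag("https://chat-widget.example-vendor.test/widget.js",
                     KNOWN_GOOD["https://chat-widget.example-vendor.test/widget.js"]))
```

Run against the constructed inputs, the check reports the chat widget as `ok`, the altered form script as `changed`, and the new analytics script as `unpinned`; the same comparison run on a schedule against live copies of a site's scripts is a cheap way to notice the kind of silent substitution described above. SRI only covers scripts the site itself pins, so it pairs naturally with a Content Security Policy that limits where page scripts may load from and where form data may be sent.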
Worried about your website or web application and looking to better protect it? Contact us today to see how to mitigate the risks quickly and efficiently.
Steve E. Driz, I.S.P., ITCP