Cyberattacks on Online Retailers: The Top 3 Threats Facing Companies Today
Many businesses utilize the internet for revenue, but online retailers are completely dependent on it, making them especially vulnerable to cyberattacks. Since their sites and web applications must be freely accessible to the public (which includes hackers), online retailers must understand the most prevalent security threats in order to secure their web assets and retain their customers. Additionally, they're extremely sensitive to any interruptions of service. For large retailers, even short periods of downtime can be catastrophic to their business.
Unfortunately, it's easier than ever to attack an e-commerce site. Online retailers are more vulnerable to attacks than most other businesses because:
- Retail sites and applications rely directly on incoming traffic for revenue; thus, distributed denial-of-service (DDoS) extortion is potentially lucrative. A sophisticated DDoS attack can bring down a site in a matter of minutes.
- Payments are processed, so credit card fraud is constantly being attempted.
- Customers must be able to access their accounts, which gives hackers the ability to stuff credentials (i.e., they attempt to hijack accounts by entering email and password combinations that were stolen from other sites).
- Customer accounts contain a lot of valuable personally identifiable information, which entices hackers to breach the retailer’s back-end systems and steal account data.
- Web users can often upload their own content (e.g., reviews) to online stores, and thus spambots are rampant.
Of all verticals, online retailers tend to face the broadest range of threats. E-commerce sites and applications present a rich array of illicit opportunities for threat actors.
Hackers are especially fond of using bots against retailers. On the web today, most cyberattacks are waged by bots. (Even site breaches that require expert human hackers are preceded by automated vulnerability scans first.)
A recent study of hostile bot activity across multiple sectors showed that only three types of bot attacks are responsible for 55 percent of all cyberattacks on retail sites. These top three threats are DDoS, card fraud, and inventory hoarding.
As the name implies, this is a DoS attack that originates from multiple sources simultaneously. DDoS assaults account for 21 percent of all cyberattacks against online retailers. A DDoS is an attempt to make the targeted system unresponsive to its intended users by flooding the target with an overwhelming volume of traffic.
DDoS extortion attacks are common against the online retail industry because they're easy to deploy and the damage to the victim is immediate and costly. The attackers launch a DDoS, issue a ransom demand, and threaten to continue the attack until the ransom is paid. Many site owners choose to pay the ransom because it seems to be the fastest way to solve the problem. Unfortunately, attackers don't always honor their promises to stop the attack once the ransom is paid. And even if they do, a victim who pays the ransom is identified as a “good” target, and is likely to be a DDoS victim again in the future.
This includes two specific types of attacks: credit card fraud and gift card fraud. Card fraud accounts for 19 percent of all cyberattacks on online retailers.
Credit card fraud usually starts when malicious bots scan for vulnerabilities within retail sites that process payments. When a vulnerability is found, the hacker breaches the site and steals card numbers. Later, the numbers are used fraudulently — sometimes within the same site that was breached — which results in lost revenue and chargebacks to the unfortunate merchant.
Gift card fraud occurs when criminals use bots to stuff possible gift card numbers into web applications until valid ones are found. Validated numbers are used to purchase goods, or are sold for cash through various online services. Criminals can use similar methods to perform coupon code discovery; while this isn't as outright fraudulent as the above, it still has a direct impact on revenue.
Credit and gift card attacks are very popular because they're straightforward to deploy and they can yield immediate results.
Inventory Denial (aka Inventory Hoarding)
A “denial of inventory” occurs when hostile bots make inventory unavailable to legitimate customers. For example, bots can attack retail sites by adding products to shopping carts, but never completing the purchases. Inventory denial accounts for 15 percent of all cyberattacks on retail websites.
These attacks vary in their approach and impact depending on the configuration of the targeted site. Some web applications remove items from available inventory when they're added to a cart; therefore, inventory denial bots prevent actual customers from purchasing those items. This is made even worse when the applications have long, or nonexistent, cart expiration times. Other financial damage can accrue when a retailer has to pay lookup fees to shopping engines or data aggregators; continual requests from bots can accrue significant expenses for site owners, with no sales revenue to offset them.
Inventory denial is more subtle and more sophisticated than the other attacks. Unlike the others, inventory denial isn't motivated by immediate financial gain. Rather, the attacker wishes to damage the targeted site, and grind down its profitability. Over the long term, these attacks can be catastrophic for the victim.
Just 3 Attacks Cause the Majority of Problems
We see that it's easy (and often lucrative) to wage a cyberattack on an online retailer. With just these three basic attacks, hackers can do a lot of damage to a website: they can cause sales to be lost, profit margins to be degraded, chargeback rates to go up, ransom payments to be made, and far more. Along with these attacks, there are others that occur in the online retail industry, including spam, app abuse, scraping, and more, which can all hinder the success of an online retailer.
Fortunately, it's possible to defeat these attacks. By deploying a dedicated web security service, you can protect your e-commerce site from hackers and hostile bots. It’s never been more important to ensure that your retail site won't become a victim of these malicious activities, and that your business and customer data remain safe.
Eyal Hayardeny is co-founder and CEO of Reblaze, a cloud-based, fully managed security platform.
Related story: What Modell's is Doing to Protect its Customers’ Data