Cybercriminals hunt down web bargains as retailers move online

The rise of ecommerce in the pandemic has opened a lucrative avenue for cybercrime. Now businesses need to wise up to the latest methods of attack and strengthen their defences

Ecommerce came to the rescue of millions of us in the pandemic, be that new iPads to keep the kids busy or a hot tub for stressed adults. But the rush by firms to meet this wave of demand, whether they were a startup, established ecommerce firm or bricks-and-mortar store going online for the first time, left another group of people very happy as well: cybercriminals.

“Many businesses were forced to adopt new selling methods and ways of meeting customer expectations – on the fly,” says Yoav Kutner, co-founder and chief executive of ecommerce platform Oro Inc. “At the same time, companies were focused on alleviating supply chain strains and cyber security fell a few rungs down the priority ladder. Hackers are now taking advantage because ecommerce sites are a treasure trove of personal data.”

This includes online and email addresses when customers sign up to sites, as well as credit card details when they pay for their purchases.

The HEAT is on

Tom McVey, sales engineer at Menlo Security, says this data means ecommerce firms “have a target on their back”. He also fears that many ignored basic security factors as they clamoured to drive sales. “The security maturity of a startup is not that high,” he says.

Typical threats to ecommerce operations, he adds, include highly evasive adaptive threats (HEAT), which can bypass traditional security defences that include firewalls and secure web gateways. Menlo saw a 224% increase in HEAT attacks in the second half of 2021.

This can encompass smishing – which is essentially email-style phishing – but this time via text message. The principle is the same in that the hacker is trying to tempt a user to click on a link and unleash malware or ransomware onto a corporate or personal site. 

Hackers are now taking advantage because ecommerce sites are a treasure trove of personal data

Traditional phishing remains a threat, with criminals taking advantage of vulnerabilities in new releases from Firefox or Chrome to launch browser attacks. Again, all you need to do is click on a link in an email for a browser to open and for a malware virus to be launched. 

“We’re also seeing double-dip ransomware,” McVey adds. “Ransomware is where data on your system is encrypted by a criminal, and they refuse to unlock or decrypt it until a ransom is paid. But double-dipping is especially a problem for ecommerce firms because the hacker also steals their customer data, uploads it online outside the company’s network and threatens to leak it. If that happened, your entire reputation would be ruined.”

Jim Herbert is VP and GM for EMEA for global ecommerce platform BigCommerce. Other exotic sounding threats, he says, include SQL injections (where an ecommerce site insecurely stores data in a SQL database) and cross-site scripting (which involves inserting a piece of malicious code into a webpage). 

This exposes users to malware and phishing attempts. Another potential means of attack is e-skimming. This is when attackers steal credit card information and personal data by using phishing or XSS to access a site, and then capturing a checkout payment in real time.

Identifying vulnerabilities for cyber fraud

Cyber and online payment fraud is a further conce. According to Statista, global ecommerce losses in 2021 reached around $20bn (£16bn), an increase of more than 14% compared with 2020. Abstract House sells original art and sustainable picture frames to customers via its website and was already established when the pandemic started. But it has seen the scale of threat, including fraud, increase over the past two years. 

“We launched in 2017 and saw exponential growth in demand during the pandemic,” says co-founder and CFO Summer Obaid. “People began to be comfortable about buying online, including art. 

“That’s been great for the business, but it has also brought more interest from elsewhere. For years, we didn’t see any fraudulent sales but now we are experiencing more and more, such as people ordering several £500 gift cards. You may get one order like that – but when it is multiple, we ring to get a little bit more information.”

The company, whose original paintings sell for up to £2,000, was aware that dealing with a huge amount of customer data made it vulnerable to attack. Its policy of proactively checking for anything concerning also applies to phishing emails, with employees encouraged not to click on external links and to delete them immediately. 

But it also has third-party help such as Shopify Plus, which uses machine learning algorithms to flag up orders that could be fraudulent. It also uses Google Business Suite to help protect against spam and secure private data in the cloud. In addition, data can only be seen by employees with privileged access.

McVey advocates web and email gateways to “keep the bad on the outside” and adopting the remote browser isolation model. This means that if an employee does click on a phishing link, there is no direct contact with a company’s website and the malware won’t run. 

Herbert says firms should look at basic protections such as two-step authentication passwords, regularly upgrading software security updates, securing browser connections and ensuring that all connected devices are cyber secure with antivirus software and firewalls.

When it comes to payments, Obaid uses an SSL (secure socket layer) certificate on its website, meaning that all data is encrypted at checkout.

For McVey, it is the cloud – including cloud secure web gateways – which not only ecommerce but all businesses should be looking towards for better cyber security. 

“It is rare for a company to store all its data at its premises nowadays,” he says. “All of the documents, applications and emails which we now need to help more people work from home are on the cloud. But most company security strategies remain focused on the office and protecting that. There is a disconnect and little recognition that the world has changed. You can’t have an office-based approach for a cloud-based world.”

Another impact of hybrid working, McVey argues, and similar to the point Kutner made about the supply chain, is that a lot of IT spend has gone on making the transition as smooth as possible for employees. “Security has taken a bit of a back seat,” he says.

Obaid says SMEs especially can’t afford to let that happen. “It takes years for a company to build trust with a customer, but one negative experience can be a massive blow to your business. Cyber security is a real thing,” she says.