E-Commerce Cybersecurity


Are e-commerce websites considered attractive by cybercriminals, justifying the implementation of e-commerce cybersecurity measures?

E-commerce sites are an attractive target for cybercriminals due to the vast amount of PII (personally identifiable information) they acquire, including the names, addresses, phone numbers, in some cases birth dates, and, of course, credit card information of consumers.

Greatly increased online shopping during the Covid-19 pandemic lockdowns – a 24% hike in 2020 – has made e-commerce websites an even more appealing target, as evidenced by a 300% increase in the number of attacks in less than a year from the start of the pandemic.

These sites remain attractive, as many consumers have changed their shopping habits and continue to do much more of their buying online than before the outbreak of the pandemic.

Furthermore, the more prevalent use of alternative payment methods, such as digital wallets and BNPL (Buy-Now-Pay-Later), is creating new fraud risks, which must also be taken into consideration.

Is e-commerce cybersecurity a necessity for e-commerce business owners?

Yes, undoubtedly.

E-commerce sites are relentlessly targeted by cybercriminals, undeterred by the new technologies some of these sites have added. They continue to look for vulnerabilities they can exploit to achieve their goal, which highlights the critical need for e-commerce businesses to implement adequate authentication and data encryption measures. When attacks are successful, they have the potential to cause heavy financial losses, as well as severe harm to reputation.

In April 2021, Juniper Research, a market research, forecasting and consulting company, predicted that losses due to e-commerce fraud in 2021 would be 18% higher than in 2020 – growing from $17.5 billion to more than $20 billion. In a new study, it predicted that the cost incurred by merchants globally due to e-commerce fraud will increase from slightly more than $41 billion in 2022 to $48 billion in 2023.

DUE claims that as many as 3% of e-commerce attacks overcome the security measures implemented by companies, costing approximately $6 billion a year.

What are the main threats to e-commerce businesses that justify e-commerce security services?

Various types of attack are used to target e-commerce businesses. These include, among others:

  1. e-skimming: In this type of attack, the hacker injects skimming code into the pages of the e-commerce site on which credit cards are processed and steals the data in real time.
  2. Supply chain attacks: Supply chain attacks are becoming more common, with cybercriminals targeting the software supply chain in order to insert malicious code and access personal information and/or credit card data. They often do so by hiding their code in legitimate updates. A successful attack may impact thousands of victims.
  3. Automated bots: These bots try to complete transactions using stolen credit card details. A 12-month analysis conducted by Imperva Research Labs reveals that in 2021, 57% of all cyberattacks targeting e-commerce websites were executed by bots, far above the rate in other industries – 33%.
  4. Credential stuffing attacks are also used against e-commerce websites. In these types of attacks, hackers who have already obtained credentials required to complete a transaction in a previous attack use the information to log in to an e-commerce website. The two attacks are not necessarily related to one another; this is an attack exploiting an opportunity to use the same data for additional nefarious purposes. Credential stuffing is facilitated by the fact that many people use the same password to log in to several different websites – according to some sources, up to 70% of users. It should be noted that credential stuffing is difficult to distinguish from authentic user activity, as the credentials used in these attacks are legitimate user credentials – which makes the detection an even more complex task. DUE reports that 90% of global login traffic results from such attacks. The State of the Internet 2018 report issued by Akamai states that in May and June 2018 alone, 8.3 billion malicious login attempts were identified.
  5. Ransomware attacks are not necessarily the first that come to mind in the context of e-commerce, as it is generally believed that e-commerce businesses are targeted with the aim of stealing personal and credit card data.
  6. SQL injection attacks – in these types of attacks hackers attack the query submission forms in order to access the backend database, then proceed to corrupt it and collect data.
  7. Cross-site scripting (XSS) attacks are attacks in which cybercriminals manipulate a vulnerable e-commerce website so that it returns malicious JavaScript to users. When this script executes in the victim’s browser, it allows the attacker to compromise the victim’s interaction with the application.
  8. Phishing attacks are also carried out against e-commerce sites.
  9. DDoS (Distributed Denial of Service) attacks on e-commerce sites are launched to disrupt operation, as in other types of websites.
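Item 4 notes that a stuffed login uses valid credentials, so a single request looks legitimate; the pattern only shows when attempts are grouped by source. The following added example (not from the original page) does that grouping over a constructed auth log. The log format, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample auth log: timestamp, source IP, username, result.
# The format and field order are assumptions for this example.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 198.51.100.20 dana OK
2024-03-01T10:00:02Z 203.0.113.7 alice FAIL
2024-03-01T10:00:03Z 203.0.113.7 bob FAIL
2024-03-01T10:00:04Z 203.0.113.7 carol OK
2024-03-01T10:00:05Z 203.0.113.7 dave FAIL
2024-03-01T10:00:06Z 203.0.113.7 erin FAIL
2024-03-01T10:00:07Z 203.0.113.7 frank FAIL
2024-03-01T10:00:09Z 198.51.100.20 dana OK
2024-03-01T10:00:15Z 198.51.100.33 gina FAIL
2024-03-01T10:00:21Z 198.51.100.33 gina OK
"""

def parse_events(log_text):
    """Yield (ip, username, success) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3] == "OK"

def flag_stuffing_sources(events, min_accounts=5, max_success_ratio=0.25):
    """Flag sources that try many distinct accounts and mostly fail."""
    accounts, attempts, successes = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, ok in events:
        accounts[ip].add(user)
        attempts[ip] += 1
        successes[ip] += ok
    return {
        ip: {"accounts": len(users), "success_ratio": successes[ip] / attempts[ip]}
        for ip, users in accounts.items()
        if len(users) >= min_accounts
        and successes[ip] / attempts[ip] <= max_success_ratio
    }

def accounts_to_review(events, flagged_sources):
    """Accounts that logged in successfully from a flagged source (password worked)."""
    return sorted({user for ip, user, ok in events if ok and ip in flagged_sources})

if __name__ == "__main__":
    events = list(parse_events(SAMPLE_LOG))
    flagged = flag_stuffing_sources(events)
    print(flagged)
    print(accounts_to_review(events, flagged))
```

A user who mistypes a password once (gina in the sample) is not flagged, while the one successful login from the flagged source (carol) is surfaced for a forced password reset.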

What are some examples of attacks that might have been averted through the implementation of effective e-commerce cybersecurity measures?

Examples of two types of attacks against e-commerce sites are described below.

e-skimming attack: In 2020, an e-skimming attack was perpetrated against the main website of Tupperware, a large multinational company based in the USA. The website is visited by approximately 1 million online customers each month. Some of the local websites the company operates in various countries around the world were also targeted. Although detected in March 2020, it is unclear when the attack was actually first launched. The attackers injected a payment card skimmer into the checkout page in order to steal credit card details. Researchers were impressed at the cybercriminals’ skill in hiding the malicious code in a PNG file image for a FAQ icon, which, when clicked, loaded the fake payment form. However, they were surprised that the hackers did not create versions of the fake form in the different languages for the foreign websites.

Ransomware attack: In late 2022, a ransomware attack was perpetrated against the e-commerce platform X-Cart. The attack seems to have been caused by the exploitation of a vulnerability in third-party software, through which X-Cart’s store hosting systems were accessed. According to the company, the attacker accessed and encrypted a small number of servers, affecting X-Cart stores running on the affected systems.
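For the e-skimming case above, one browser-side control that limits what injected code on a checkout page can load, frame, call out to or post a form to is a Content-Security-Policy header. The following added example (not from the original page, and not a description of any affected site's configuration) audits a policy for the directives that matter on a payment page. The policies are constructed and `pay.example` is a hypothetical payment provider host.

```python
# Directives that bound a payment page, with their CSP fallback chains.
# form-action has no fallback: default-src does not cover it.
FALLBACKS = {
    "script-src": ["default-src"],
    "frame-src": ["child-src", "default-src"],
    "connect-src": ["default-src"],
    "form-action": [],
}
BROAD = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}

# Constructed policies; pay.example is a hypothetical payment provider host.
WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline' https:"
STRICT_POLICY = (
    "default-src 'self'; script-src 'self' https://pay.example; "
    "frame-src https://pay.example; connect-src 'self'; "
    "form-action https://pay.example"
)

def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; only the first occurrence applies.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_checkout_csp(header):
    """Return findings for directives that are missing or too permissive."""
    policy = parse_csp(header)
    findings = []
    for directive, fallbacks in FALLBACKS.items():
        effective = next((d for d in [directive, *fallbacks] if d in policy), None)
        if effective is None:
            findings.append(f"{directive}: not set, no restriction applies")
            continue
        for source in policy[effective]:
            if source.lower() in BROAD:
                findings.append(f"{directive}: broad source {source} (from {effective})")
    return findings

if __name__ == "__main__":
    for name, value in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, audit_checkout_csp(value))
```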

ACID offers an exceptionally cost-effective solution that helps e-commerce site operators to protect themselves from cyberattacks, keep their data safe, and potentially avoid serious financial implications, as well as harm to their reputation.

ACID deploys clusters of bots and implements advanced AI algorithms in order to detect the first signs of an attack in the clear, deep and dark web, as early as in its initial planning phase. Once such signs are detected, ACID alerts the targeted company in real time, providing all the available information to help it prepare and implement countermeasures, mitigate the potential impact of the attack, and possibly foil it altogether. ACID continues to monitor the sources, using client-specific keywords in several languages, and provides updates with any additional data as it becomes available, thus supporting its client company in fine-tuning its response and increasing its effectiveness.

Additionally, ACID conducts widespread monitoring activities to detect any stolen data that may be offered for sale, indicating that a company has already been breached, to enable it to take appropriate action and stop the theft.