Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/13/2020
10:00 AM
Matthew McGuirk
Matthew McGuirk
Commentary
100%
0%

A Hacker's Holiday: How Retailers Can Avoid Black Friday Cyber Threats

Starting on Nov. 27, online retailers of all sizes will find out if their e-commerce capabilities are ready for prime time or not.

In November 2019, Macy's confirmed the presence of credit card-skimming Magecart malware on its checkout and wallet pages just as Black Friday and the holiday shopping season approached. Macy's indicated that the malware allowed a third party to capture customers' data on the pages if they input their credit card information and clicked "place order."

Related Content:

The Year of Magecart: How the E-Commerce Raiders Reigned in 2019

The Changing Face of Threat Intelligence

New on The Edge: The Double-Edged Sword of Cybersecurity Insurance

This potentially enabled cybercriminals to access names, addresses, phone numbers, and email addresses along with the users' credit card numbers, security codes, and expiration dates. A Macy's cybersecurity team removed the code by Oct. 15 and announced the incident a few weeks later.

With Black Friday on Nov. 27 this year, retailers are jockeying to gain a competitive edge in what could be the biggest online shopping spree ever. E-commerce holiday sales are expected to generate between $182 billion and $196 billion this season — a year-over-year increase of 25% to 35%, according to Deloitte's annual forecast. Overall holiday spending, on the other hand, will top out at $1.15 trillion with a relatively flat increase of 1.5%.

The trend mirrors the e-commerce sales boom that occurred throughout 2020, with the pandemic expected to fuel a $794.5 billion market in 2020, according to eMarketer. This represents a 32.4% year-over-year growth rate — nearly double the 18% predicted in eMarketer's second-quarter forecast. Brick-and-mortar sales will decline by 3.2%, to $4.71 trillion. Given the stakes in the roughly one-month peak holiday shopping season, retailers are racing to optimize their websites for mobile devices and third-party affiliate partners to maximize every opportunity possible.

However, as Macy's discovered, these opportunities elevate risks for shoppers and businesses. Through formjacking and Magecart attacks, cyber thieves inject malicious JavaScript code into e-commerce websites to skim data and steal customer information. Formjacking refers to hijacking a web form (typically the payment page) and accounts for 87% of breaches. Magecart hackers target shopping carts associated with the Magento open source e-commerce platform. Overall, there have been an average of 425 Magecart incidents per month in 2020. In many cases, adversaries deploy social engineering tactics such as sending shoppers a bogus promotion for a site; when shoppers respond to the fake offer, they enter their personal data on a page that is really a skimming scam.

The fact that there are multiple third-party vendors that support online sales further exposes retailers to possible threats. Cybercriminals often target third parties because they're the weak links of the supply chain. On average, e-commerce sites use 40 to 60 third-party tools and intend to add three to five new third-party technologies each year, amplifying the risks.

So, what should e-commerce businesses do to thwart these attacks and ensure their customers have a "holly, jolly" holiday? We recommend three steps.

Understand Your Risk
It's safe to say that the bad guys are planning for Black Friday as much as retailers are. In fact, they may already have compromised their intended targets and are now simply waiting for the big shopping day to arrive.

After all, they've demonstrated over time that they're very good at "hiding" inside systems until they're ready to strike. Nearly two-thirds of security professionals indicate that they're seeing no less than 100 days of dwell time — the time it takes to detect attackers once they infect a network. Therefore, it's critical to conduct internal due diligence to inventory both your internal risk and third-party risk: What do you know exists, and what protections do you have in place as a result? Are you confident in your solutions? Are you doing enough to defend customer data before it becomes a problem?

Implement Zero Trust
It's essential to enforce zero-trust solutions that restrict third parties to solely the information that the website has authorized them to access, while blocking access to consumers' private and payment information, aka "least privilege." By using virtual webpages, the solutions create an exact replication of the original webpage but exclude what the third party isn't authorized to see. If the third-party input is allowed, the virtual page will transfer it to the original webpage. By isolating third-party scripts from the original website, unauthorized changes to JavaScript won't cause any harm.

View Your Webpages as Customers See Them
Too many businesses only see their website as it appears on the server side, instead of viewing it from the customer browser perspective. The browser page is what customers "see" when they shop, and these pages are subject to compromises. Therefore, you need to assess what you're doing to protect your pages once they leave the web server.

Starting on Nov. 27, retailers large and small will discover whether their e-commerce capabilities are ready for prime time or not. Indeed, the season will serve as a litmus test of their digital transformation success.

This is why companies cannot afford to consider cybersecurity as an afterthought — they must think of data defense as an indispensable component of their business strategies. By committing to a comprehensive risk assessment, enforcing zero trust of third parties, and protecting browser-side pages, they'll rise above the competition this holiday season and reap the rewards of superior brand reputation and customer loyalty for the many months that follow.

Matt McGuirk is an expert in JavaScript, web technologies, and both client-side risk and client-side attacks. He has over 15 years of experience in web application development, website administration, and cybersecurity. Additionally, he has provided consultation and analysis ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29458
PUBLISHED: 2020-12-02
Textpattern CMS 4.6.2 allows CSRF via the prefs subsystem.
CVE-2020-29456
PUBLISHED: 2020-12-02
Multiple cross-site scripting (XSS) vulnerabilities in Papermerge before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. The payload can be in a folder, a tag, or a document's filename. If email consumption is configured in ...
CVE-2020-5423
PUBLISHED: 2020-12-02
CAPI (Cloud Controller) versions prior to 1.101.0 are vulnerable to a denial-of-service attack in which an unauthenticated malicious attacker can send specially-crafted YAML files to certain endpoints, causing the YAML parser to consume excessive CPU and RAM.
CVE-2020-29454
PUBLISHED: 2020-12-02
Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access.
CVE-2020-7199
PUBLISHED: 2020-12-02
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access,...