Recent reports state that the UK has the third largest eCommerce market in the world, and with the Christmas period being particularly demanding for online businesses, cyber criminals are more likely to attempt attacks on eCommerce businesses.

With this in mind, here is some insight on the most prevalent forms of cyber attack that eCommerce businesses may face during the busy festive period, and how to best avoid these from occurring.

Cyber security challenges for eCommerce businesses:

E-Skimming
E-skimming is one of the biggest issues that eCommerce businesses can face. Using e-skimming, hackers steal sensitive payment information during the checkout process. They do this by injecting malicious scripts or code in the checkout page by exploiting vulnerabilities in the website. Once a cyber criminal gains access to consumer information such as credit card numbers, expiry dates, CVV numbers and so on, these details are then used to commit a variety of financial fraud. Not only will the end customers lose their trust in the business, but also the business will get fined as per PCI guidelines.

Distributed Denial of Service [DDoS]
Distributed Denial of Service attacks seek to disrupt the normal traffic of a server or network, by overwhelming its infrastructure with excessive internet traffic. These attacks utilise computer systems infected with Malware, which allows hackers to control them. As a result, the business’ website will be unavailable or slow to access. Depending on the severity of the attack, the website can be down for a number of hours or days at a time. If an eCommerce business experiences one of these attacks, they may face large scale revenue losses, posing significant risk to SMEs. In severe cases, these revenue losses can lead to a company shutdown.

Price Wars
A competitor could use bots to scrape the pricing details of an e-commerce business’ catalogue. From this, they can alter the pricing in their own website to undercut the business and thereby causing financial losses. 

Phishing
Phishing is a very common method used by cyber criminals in an attempt to trick businesses or their customers into sharing personal information such as passwords, credit/debit card numbers, and account details via email. If hackers obtain any of this information it can be very easy for them to access confidential online accounts. This can lead to a large data breach for eCommerce companies. If adequate cyber security protection is not in place within the business, these attacks may go unnoticed, leading to great issues such as risk of Malware infections.

Venky Sundar, Founder and President of Indusface, provides comment on key threats to eCommerce businesses around Christmas time, how to prevent these, and ways to prevent or rectify attacks:

“The biggest threat is the availability of application. After all, if the website or app is down, how will the e-commerce firm make money during the holiday season? An application could be brought down by 1) A DDoS attack or 2) Injecting malware into the site resulting in the site getting blacklisted across major networks. The aspects of the business most likely to be attacked are:

• Technology (website or app): This is where hackers try to bring down the application either through DDoS attacks or through exploiting application vulnerabilities.

• Supply Chain: Hackers could also use bots to scrape information on inventory and pricing to carry out supply chain attacks by either causing inventory stock outs or undercutting the prices.

• Fraud: By using advanced bots for cracking credit cards, hackers can cause a lot of losses.

“Attacks can be costly for businesses. Depending on the size of the business, if an e-commerce site processes 100s of orders every hour, DDoS attacks could cause a lot of damage as even a 1-hour downtime could lead to losses in five or six figures. In case of smaller businesses, card cracking, account takeover and other bot attacks could cause significant losses.

“In an attempt to avoid cyber criminals from attacking your eCommerce business, you may want to go for a security provider that offers managed services and has clear SLAs on downtime and an “under attack” response time. That way even when your team is out of office, you have someone who has got your back on application security and is supporting you when your team is either on vacation or working overtime to fulfil orders, which is your core business.

“If you find your eCommerce business under attack, there are some steps you can take to rectify the situation:

Scenario 1:
You have a world class WAAP/WAF and have managed services as part of the contract. In this case you just escalate it to their team and they’ll help you thwart DDoS and bot attacks. In case of an attack on open vulnerability, they should be able to help you with virtual patches to plug the vulnerability.

Scenario 2:
You don’t use any WAF or you have a WAF but most of the maintenance on that is self-service.

If it is a DDoS or bot attack since you don’t have the resources to stop it on your own, at the risk of upsetting some of your genuine users, enable site-wide captcha till the attack traffic dies down. While this will upset a few of your users, you will not risk losing the entire business as your site goes down. 

“In case of a vulnerability attack, make sure that your dev team applies all the patches for known vulnerabilities. Then use AST(Application Security Testing) tools to find open vulnerabilities and patch them at the earliest time possible.”

Guide provided by Indusface