It’s that time of the year again, with everyone looking forward to and talking about the impending holiday season. Of course, this is very much true for the online retail industry. According to Deloitte’s annual holiday retail projections, total sales are expected to climb between 4.5% and 5% for the period, up from 3.1% in 2018. This rise in expenditure amounts to more than $1.1 trillion during the retail sector’s most lucrative season.
The biggest sales spike is predicted to happen online however, with online sales expected to grow in the range of 14% to 18%, compared with 2018. This translates to online retailers bringing in between $144 billion and $149 billion from online shopping.
What many online retailers don’t realize is that while they are busy getting their stores ready with targeted special offers, so too are threat actors. They are ordering stolen credit card information, processing fake coupons and much more.
So the race is on. Who will reach your customers first?
Threat actors have been collecting and aggregating payment data, credit card details, and your customers’ personal information in preparation for the holiday shopping season. Each shopper is predicted to spend on average $340 during this year’s Thanksgiving weekend period. Threat actors want a piece of the action as malicious attacks typically spike almost 40% on Cyber Monday. These crimes are a lose-lose for the online retailer and the customer, where the retailer may lose a sale, and the customer potentially loses money and/or personal data. So with Black Friday, Thanksgiving and Cyber Monday and the rest of the very busy holiday season just around the corner, we want to highlight some preliminary checks and activities to help improve your chances of staying safe.
The online retailer’s ultimate anti-fraud checklist:
1. Reduce the number of compromised accounts
Accounts that have been exposed from a website breach or a password dump site are vulnerable to credential stuffing attacks. To prevent this, a combination of threat intelligence findings, analysis of web traffic and security logs, and tuning web security controls can help identify and block these attacks.
2. Protect PII data
Pentesting is your friend. Conduct as much of it as possible to ensure that even if an account is compromised, no PII data can be stolen. This should include determining where all PII is stored, classifying the sensitivity of PII, eliminating permission errors, and ensuring all PII data is encrypted. Regular and proactive penetration testing of systems using purple team events can help prevent actual events from occurring.
3. Prevent “bag” abuse
Some retailers have item stock levels set so the price of the item will drop when a certain threshold in stock is reached. The threat actor takes advantage of this by reserving a certain quantity of an item in the shopping cart until the price drops, and then they make a bulk purchase of the item at the reduced price. Reviewing and making needed modifications to the automated process used to lower prices based on stock levels can prevent this abuse.
4. Prepare and perform incident response playbooks for Gift card / Vouchers / Discount code abuse
Use threat intelligence findings to locate fraudulent gift cards and vouchers for sale on the dark web targeting your online store or website. Your cybersecurity provider can further investigate the methods and techniques the cybercriminal used to obtain the gift cards and test their validity.
5. Prevent image scraping from your website
Image scraping and web scraping can lead to look-a-like phishing sites that can steal traffic from the legitimate site. To counter these attempts, traffic analysis can be conducted that includes verification of factors such as HTML fingerprint, IP reputation, and behavior analysis to filter out bots and minimize false positives.
6. Align your fraud/revenue loss teams with cybersecurity team
Your fraud/revenue loss and cybersecurity teams and their processes should all be aligned. Threat intelligence findings and patterns adopted by threat actors in their attempts to create specific scams against your online store should be incorporated into your cybersecurity process. For example, if your team finds fraudulent refund tutorials, carding tutorials or your client accounts for sale on the dark web, it will be easier for your fraud team to set up processes and tools to prevent further abuse and to further investigate their origins.
7. Review anti-virus and EDR policies
An interactive approach for endpoint protection is necessary and should include fileless attacks, spear phishing, zero-day attacks, and more. Anti-virus solutions are designed to prevent known malware attacks, but pairing it with an EDR (endpoint detection and response) solution provides a more well-rounded defense by monitoring for suspicious or anomalous activity.
8. Cybersecurity internal awareness training
It’s a good idea to update employee awareness about their role in preventing attacks. Exercises such as internal phishing campaigns, exercises to evaluate your cyber crisis processes, and USB drops can help with this awareness training. In addition, a threat intelligence system can detect if employees are actually offering fraudulent services using their internal privileges. For example, offering information and advice on how to submit a fraudulent refund using inside company information (true story!).
9. Align your development and operation teams
Your cybersecurity team should be in sync with the development and operations teams to detect potential changes in code such as on payment pages. This will allow them to coordinate efforts during cybersecurity events.
The question of the day: how safe is your e-commerce site? Contact Cyberint to find out!