Retailers can’t be successful with a brick-and-mortar model only, and must embrace the omnichannel approach to drive growth and revenue while also improving customer engagement. In a race to be the most accessible and convenient outlet, online retailers have developed many avenues for consumers to do their online shopping. Through websites, social media, and phone apps, it’s easier than ever for consumers to make purchases online wherever they are. According to Kate Rooney, in February 2019 for the first time ever, online sales surpassed general merchandise brick-and-mortar sales. This trend does not go unnoticed by threat actors.
The 2019 Trustwave Global Security Report indicates the largest share of cyber incidents last year involved the retail industry. Kimberly Whitler, assistant professor of business administration at the University of Virginia’s Darden School of Business, states, “the consequence of a data breach can damage brand trust, market conﬁdence, and financial performance.” These facts should put retailers on alert to make protecting their eCommerce platforms a high priority.
The following five threats are on the rise and retailers need to be aware of these threats in order to best defend against them.
1. Data Leakage
Consumer data is extremely valuable and highly targeted by threat actors. Rather than a “smash and grab” method, threat actors have found the “low and slow” method of data exfiltration to be effective; stealing data over a long period of time without detection.
“It’s not just large sites getting popped, it’s mostly small to mid-sized organizations that are being compromised for long periods of time,” comments Stas Alforov, director of research and development at Gemini. He continues, “fraudsters sell what they collected and then come back and collect more over several years.” It’s important for Security Administrators to be aware of the different avenues of accessing the data and apply proper security controls to protect this valuable data.
2. Denial of Service
DDoS (Distributed Denial of Service) attacks can be launched by even novice threat actors. To make it even easier, capabilities can be rented as a service from underground marketplaces. DDoS attacks have been used in extortion campaigns, whereby an attacker threatens to DDoS a site, thus making it inaccessible, unless money is paid to prevent or end the attack.
3. Social Engineering
Phishing sites, spear fishing, and whale fishing are all social engineering tactics that threat actors are launching successfully. A recent spear phishing campaign targeted retailers in the US using methods similar to Russian threat actor TA505; the attack was initiated by a phishing email using the logo of the target company to make the email appear legitimate.
4. Web Application Attacks
According to a recent report, seventy percent of Q1 2018 breach reports were web injections that stole credit card data. These attacks can also target other valuable data and even prevent access to the website. For customer engagement, web applications are critical but often times the weakest entry point for external attacks. Enterprises are poised to increase spending on security scanning tools to help reinforce vulnerable attack points such as web applications.
5. Credit Card Fraud
Credit card data continues to be a lucrative target for theft. The EMV chip in newer cards has reduced counterfeit fraud, but threat actors have begun to focus on card not present (CNP) fraud. In this attack, both the consumer and the retailer are victims. The consumer has their payment card data compromised and the retailer incurs chargebacks due to fraudulent transactions. The Trustwave Report states CNP data, mostly from payment cards used in e-commerce transaction, is the most common type of data breach targeted (25%). And in the e-commerce industry specifically, CNP data is the most compromised type of data (84%), with PII at a distant second (11%).
Retail websites that don’t implement additional card verification processes are especially targeted. Credit card fraud can occur in several different ways; cybercriminals known as ‘Carders’ will sell tutorials, lists of vulnerable retailers, or resell gift cards and in-game currency purchased with stolen card data. Still others sell services or instructions on fraudulent refunds.
What You Should Do Next
Download the eBook to learn more about the fraud vectors and what you can do about them.
Consumers will make their purchases with businesses they can trust. This trust can easily be broken and costly to rectify. Businesses that take action against these threats will be better equipped to build and retain that trust with their customers. Data leaks, social engineering, and web application attacks are prime examples of how threat actors are becoming more sophisticated in their attacks in order to be successful.
In addition to these five threats, Cyberint’s eBook highlights additional threats that are trending in 2019. This eBook will help you gain a fuller understanding of the gravity of these security trends currently affecting the eCommerce industry.