It’s the Most Wonderful Time of the Year … for Hackers

There are so many ways for the holidays to turn sour for an online retailer. Gift cards and loyalty points, not subject to the same type of verification as credit cards, are stolen from customer accounts and used for fraudulent purposes. Compromised corporate credit cards are used to make high-volume purchases in the thousands of dollars and shipped to multiple locations — activity that might raise flags for a consumer card, but pass as business as usual during business gift season. Customer credentials and payment information are hacked from one retailer’s site, then reused far and wide to victimize more secure, but unsuspecting merchants. These are all real examples we hear too often from retailers.

With annual sales projected to reach over $630 billion by 2020, online retailers are a rich target for hackers, so much so that annual losses are estimated at $12 billion. And with holiday sales representing nearly 20 percent of the year's sales for retailers, hacks and breaches can be especially painful during this time of year when businesses are most dependent to reach profitability and build a healthy balance sheet.

Every year we're faced with headlines about the latest breaches victimizing popular retailers, and this year will be no different. In fact, every retailer will experience cyber attacks every day this holiday season. So, what types of attacks will hackers be using to ruin retailers’ holiday cheer?

We conducted a study and analyzed a sample of 4.9 million web attacks over a five-month period from June 1 to Oct. 31, 2019. Here's what we found on the most common methods currently being used by hackers, as well as trends and patterns in illicit activity.

What Hackers Want, How They Get it, and When to Expect Them

The objectives of e-commerce attacks generally fall into three categories: stealing credit card information, guessing cart tokens to hijack the shopping session, or exfiltrating personally identifiable information from customer accounts to use in other forms of fraud.

The means used by hackers vary widely. The most common include:

1. Account takeovers (29.8 percent): Stolen or guessed user credentials are used to log into the site, allowing the hacker to change the consumer’s settings, lock them out, and place fraudulent orders. Given the prevalence of credential reuse, a validated username-password combination will then be tried against a large number of additional financial and e-commerce sites.
2. Malicious bots (24.1 percent): A bogus search bot request is used to gather pricing and inventory data.
3. Cross-site scripting (XSS) (8.7 percent): A method using malicious JavaScript code to take control of a user's shopping cart and perform an attacker-controlled action, like having goods shipped elsewhere for resale.
4. SQL Injection (SQLI) (8.2 percent): Here, attackers seek to gain access to a retailer’s sensitive customer information by bypassing application security measures. The information can include a number of items, such as customer addresses, purchase history, password, email address, etc.
5. Backdoor file attempts (6.4 percent): These attempts try to access a backdoor left by a previous attack to access the retailer's systems and sensitive customer information.

The last of these, backdoor file attacks, deserve special notice. Though currently only the fifth-most prevalent method, they’re also the fastest growing — and for good reason. By attempting to access a backdoor left by the same or previous attackers, a hacker can directly access the retailer's systems and perform data theft, server hijacking, website defacement, and the launch of distributed denial of service (DDoS) attacks on other targets.

The patterns followed by hackers are revealing, and underscore the importance of heightened vigilance during the critical holiday season. As a rule, hackers often use peaks in legitimate behavior to obscure their own efforts, such as launching brute-force attacks involving automated credential tests at a time when the high volume of these guesses are less likely to attract notice. For example, attacks tend to spike on day 15 and day 30 of the month, when many consumers receive their paychecks; on weekends, when people shop on their days off; and most critically, during the ramped up sales promotions and gift-buying of the fourth quarter.

Ruining Hackers’ Holidays

There’s no silver bullet for e-commerce attacks; online retailers must develop comprehensive defensive strategies aligned with the types of threats they face. On an organizational level, merchants should integrate security tools into their DevOps processes to extend security across the cycle from development to operations, as well as leveraging automation for a faster response to real-time attacks. Monitoring is essential across both server instances and web app traffic to detect and block illicit activity.

It’s just as important to be able to interpret and act on monitoring data effectively. One key challenge for online retailers is to block attempted attacks without impeding legitimate customer traffic and jeopardizing their purchases. How can you tell whether repeated errors indicate a brute-force attack or simply a user who’s had a bit too much eggnog? It can come down to volume. Anyone can mis-key a credit card number once or twice, but 50 errors within a minute most likely indicates automated guessing. This is especially true if the account number itself has been entered correctly, but the card validation number takes repeated attempts, a probable sign that the hacker has a cache of stolen account numbers for which the card validation numbers aren't available. In that case, the “user” can be blocked with little risk of alienating a real customer.

As long as people shop online, hackers will target the retailers that serve them. E-commerce fraud will likely always be with us. However, by taking this threat seriously, and acting accordingly, merchants can minimize their losses and make the most of their opportunities this holiday season and throughout the year to come.

Zane Lackey is the co-founder and CSO at Signal Sciences, and the author of "Building a Modern Security Program" (O'Reilly Media). He serves on multiple advisory boards, including the National Technology Security Coalition, the Internet Bug Bounty Program, and the U.S. State Department-backed Open Technology Fund. Prior to co-founding Signal Sciences, Zane led a security team at the forefront of the DevOps/cloud shift as CISO of Etsy.