As the pandemic shifted most shopping online, it brought even more criminal activity with it. Retailers suffered massive volumes of cyberattacks between 2019 and 2020, according to research from Akamai. The report notes that while there were millions of cyberattacks overall, the retail industry was hit the hardest, absorbing 90 percent of the attacks. The main reason attackers focus on retail is that they have found a way to easily monetize retail accounts. You might ask at this point, “What should I be focusing on?” This article covers what criminals are after, and best practices against two common criminal tactics that lead to theft of personally identifiable information (PII) and to fraud: credential stuffing and client-side attacks.
Criminals aren’t picky when it comes to targets. Anything that can be accessed could potentially be used in some way. Fraudulent purchases of merchandise and gift cards are obvious opportunities. However, retail and loyalty accounts also contain a wealth of PII that can be collected and sold, as well as financial information such as credit and debit card numbers, and loyalty points, which can be traded or sold.
According to a study from Juniper Research, e-commerce fraud was expected to top $20 billion in 2021, up 18 percent from $17.5 billion the previous year. A large portion of that fraud came from successful credential stuffing attacks. Credential stuffing uses previously stolen login credentials, which can be bought on the dark web, in an attempt to take over an account. Criminals use automated botnets to test those credentials against websites to see which are valid for that site. They can then sell the valid credentials or use them to take over accounts. This type of attack has skyrocketed since the start of the pandemic. In 2020, there were more than 193 billion credential-based attacks, according to Akamai's State of the Internet report, a dramatic increase from the 47.7 billion attacks observed in 2019. Retail was the most targeted industry, accounting for 64 percent of those credential-based attacks.
One way to cut down on fraud caused by credential-stuffing attacks is to stop botnets from testing the credentials in the first place. Stopping the attack at this stage prevents the account from being compromised and the criminals from stealing PII or performing fraudulent activity. Bot management solutions can detect and mitigate bot activity, but not all bot solutions are the same. Advanced bots use proxies to mask their location and mimic human behavior. The most effective bot solutions have multiple layers of detection, including machine learning that examines human interactions such as keystrokes and mouse movement.
When it comes to bot management best practices, the key is deploying the right bot solution at every possible entry point into the application. Criminals don’t just focus on the main login endpoint; they will target any entry point into the application. Are there other pages later in the purchasing process where a user can log in? What about password reset and new account creation endpoints? Logic in those pages can inadvertently confirm whether a credential is valid. Even customer service chatbots used to text customers from within the application have been used by botnets to test login credentials. Protecting all critical endpoints, not just the obvious ones, is key to defending against credential stuffing attacks.
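A defender-side illustration of the point above, written as an added example that is not from the article or from Akamai: a small detector over constructed authentication logs that counts distinct usernames tried per source IP across every credential-validating endpoint (the paths /login, /checkout/login, /password/reset, /account/create and /chatbot/auth are assumed for the demo) and shows that watching /login alone misses the campaign.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed paths: every endpoint that can confirm a credential is valid,
# not just the main login form (the article's point).
AUTH_ENDPOINTS = {"/login", "/checkout/login", "/password/reset",
                  "/account/create", "/chatbot/auth"}

# Constructed sample log: "<ISO time> <client ip> <path> <username> <result>".
SAMPLE_LOG = """\
2021-11-02T10:00:01 203.0.113.5 /login alice@example.com FAIL
2021-11-02T10:00:02 203.0.113.5 /password/reset bob@example.com FAIL
2021-11-02T10:00:03 203.0.113.5 /account/create carol@example.com FAIL
2021-11-02T10:00:04 203.0.113.5 /chatbot/auth dave@example.com FAIL
2021-11-02T10:00:05 203.0.113.5 /checkout/login erin@example.com OK
2021-11-02T10:00:06 203.0.113.5 /login frank@example.com FAIL
2021-11-02T10:00:07 198.51.100.9 /login grace@example.com FAIL
2021-11-02T10:00:09 198.51.100.9 /login grace@example.com OK
2021-11-02T10:00:10 198.51.100.9 /catalog/search grace@example.com OK
"""

def parse_line(line):
    ts, ip, path, user, result = line.split()
    return datetime.fromisoformat(ts), ip, path, user, result == "OK"

def detect_stuffing(log_text, endpoints=AUTH_ENDPOINTS, window=timedelta(minutes=5),
                    min_distinct_users=5, max_success_ratio=0.25):
    """Return {ip: distinct_users} for sources that tried many different accounts
    on any monitored endpoint within `window` with a low success ratio."""
    per_ip = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            ts, ip, path, user, ok = parse_line(raw)
            if path in endpoints:          # ignore non-credential traffic
                per_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):     # sliding time window per source
            while events[end][0] - events[start][0] > window:
                start += 1
            seen = events[start:end + 1]
            users = {u for _, u, _ in seen}
            ratio = sum(ok for _, _, ok in seen) / len(seen)
            if len(users) >= min_distinct_users and ratio <= max_success_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))                       # {'203.0.113.5': 6}
    print(detect_stuffing(SAMPLE_LOG, endpoints={"/login"}))  # {} -- campaign missed
```

With only /login monitored, the same source shows just two attempts and is never flagged; spreading the tests across the reset, signup and chatbot endpoints is exactly what the per-endpoint view hides.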
A more recent category of threats comes from the modern web application’s supply chain, which is built from open-source components, third-party tools, and JavaScript. In client-side attacks, attackers have successfully compromised open-source and third-party components to conduct payment skimming and other forms of infiltration in the end user’s browser and collect PII. These attacks evade a company’s security tools because the malicious code is served directly from third-party servers rather than from the retailer’s own infrastructure.
There are several security approaches to detecting these types of attacks. Rigorous vetting of new and existing third-party partners ensures their tools and JavaScript are performing as expected. Reviewing open-source code for vulnerabilities helps ensure attackers can’t act on a known weakness. There are also tools that monitor a browser’s behavior from the client side to detect payment skimming and related threats. Taken together, these steps provide a layered approach that can prevent a web application’s supply chain from being used to attack an end user in the browser.
Credential-based attacks are expected to continue to rise in 2022, but making sure the right security is in place can dramatically lower account takeover fraud and protect customer information. Not only will ensuring customers have a secure online shopping experience allow retailers to maximize profits, but it will also help protect consumer trust.
Sean Flynn is director of security technology and strategy at Akamai, a content delivery network (CDN) services provider for media and software delivery and cloud security solutions.
Sean Flynn is Director of Security Strategy and Technology for Akamai Technologies. Currently he works with companies to ensure Akamai’s Security Vision aligns with and fits industry and customer needs. He also acts as a trainer for web and enterprise security for internal groups.
Sean has over 16 years of IT security experience working for networking and application security vendors. Sean joined Akamai in 2012, implementing Akamai security solutions for companies. He was hands-on, helping protect customers from active attacks by state-sponsored actors, hacktivists, and cyber criminals. He has consulted with some of the largest customers in finance, commerce, and healthcare on Akamai solutions, cloud security implementation, and security best practices.