Protecting Your Site Isn’t Enough Anymore: Injected Malware Has Retailers Reeling
For some, cybersecurity is a matter of faith; they deploy the latest and greatest security systems on their retail sites, and pray they don't get hacked. Others take a more scientific approach; they not only install security systems, but they also check their log files, system processes, and metrics like the amount of time visitors spend on their site and what they're doing there — i.e., checking for anomalies that could indicate hacker activities. The former believe that they're cyber secure, but are they really?
Shopping sites with advanced security systems — and whose log files, metrics, etc., indicate that those security systems appear to be in order — could still suffer the negative effects of malware, despite stringent security measures. A scam called affiliate injected malware could redirect (i.e., steal) customers off the sites they intended to buy from to alternate sites.
For the retailer, it's nothing less than outright robbery. It’s no different than a Target store associate standing inside a Walmart store and offering better deals to Walmart shoppers. And the poor experience consumers get when visiting the targeted site — the pop-up ads and other “gifts” provided by affiliate malware — is unlikely to encourage them to come back another time. So retailers lose out twice; they lose the specific sale that affiliate malware hijacked, and they're likely to lose a customer annoyed at the effects of the malware.
The affiliate injected malware gets installed not on the retail site itself, but on the customer's computer or device. This happens when they surf to retail site recognized by the malware. The malware hounds the consumer with pop-ups, unwanted ads from competitors, videos and other ploys designed to lure customers away from your site.
The worst part for retailers? They have no control over the affiliate malware. It’s not on their site so traditionally there has been nothing they could do about it. Customers often pick up this malware as applications or code piggybacked onto legitimate software or apps; often they're distributed by software networks that don't investigate the purpose of the malware. The effects of the malware are strictly on the customer's side of the internet, meaning that the retailer will see no change in their log files and metrics. The only effect the malware will have on the retailer is the drop in bottom line.
It's a far bigger problem than many realize as studies show that as many as a quarter of all online shoppers are “victims” of affiliate malware. The result is well over $1 billion in losses annually for online retailers. But if the malware is on the customer’s computer and not on the merchant's site, how can e-tailers protect themselves?
The best way is to take a scientific approach. If hackers can install malware on customers’ devices that use code to identify when to unleash the bad ads — when the customer arrives on the targeted site — retailers need to find a way to prevent that. One way to do that would be to install systems that could analyze site activity, checking to see if malware has been indeed activated. With that kind of technology backing them, retailers — even those that consider themselves cyber secure — can truly know that they're safe.
Ken Zweibel is the CEO of PageSeal, a provider of client-side malware protection.
Ken Zwiebel is General Manager at PerimeterX, a company that protects the world’s largest and most reputable websites and mobile applications from malicious activities, future-proofing digital businesses from automated bot attacks and client-side stealth attacks.
Zweibel was previously the CEO of PageSeal, a provider of client-side malware protection, acquired by PerimeterX in 2019.
