The “cyber five” (the five-day period from Thanksgiving through Cyber Monday) kicks off the annual stress test of everything retailers have done to make the customer’s online shopping experience awesome. Along with the customers, however, come criminals trying to hide in the high volume and take advantage of the fact that the network is in a change freeze. While there are several active threats focused on public-facing websites and APIs, this article will focus on the two that are top of mind for most retail cybersecurity teams: credential stuffing and Magecart-style JavaScript attacks.
Credential stuffing is a fraud technique aimed at taking over customer accounts, and JavaScript attacks aim at stealing sensitive payment card data. To be sure, there are still many threats like DDoS, phishing, SQL attacks, scraping, ransomware and third-party risks that teams need to defend against, so each company needs to determine what the most important gaps are based on their situation.
First, we’ll look at credential stuffing, which is designed to compromise customers’ accounts. If someone uses the same username and password (i.e., credentials) for multiple online accounts, then when one account is compromised, cyber criminals can use those credentials to gain access to all of their other accounts. To make this scale, criminals have started using botnets to try multiple sets of compromised credentials against targeted companies’ login pages. In Akamai’s 2019 State of the Internet / Security: Retail Attacks and API Traffic report, Akamai found that attackers directed credential abuse attempts at retail sites more than 10 billion times from May 2018 to December 2018, making retail the most targeted industry for these kinds of attacks.
The second issue is the Magecart-style JavaScript skimmer attack that steals personal and payment information. Today, many sites use JavaScript for user interface tags and to conduct analytics (often via third parties). Therefore, if an attacker can insert a malicious piece of code that runs on the site alongside the multitude of other scripts, they can exfiltrate data via image requests, XMLHttpRequest calls to an API, or WebSockets. This can be harder to detect when many of the scripts are managed by a third party.
Now let’s look at what you can do to defend against these attacks. For credential stuffing, the key is to detect the behavior of the bot making the attempts to access accounts. The bots can then be blocked, and the team can investigate to determine whether any account was compromised and take action to protect the customer if needed. Typically, companies deploy a web application firewall (WAF) to defend against this kind of attack. As many of the bots have become more sophisticated and try to emulate a person, it's important to determine what the capabilities of your protections are against the latest threats.
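The detection idea above can be made concrete with a small heuristic run over login logs. The following is an added example, not code from the article or from Akamai: it assumes a hypothetical log layout of timestamp, client IP, quoted user agent, username and result, builds a constructed sample in which one source sprays a different username on almost every attempt, and flags sources whose attempt volume, distinct-username ratio and failure rate match stuffing. It then lists the accounts that a flagged source managed to log in to, which is the list the team needs for the follow-up investigation.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real traffic). Assumed layout per line:
# <ISO timestamp> <client IP> "<user agent>" <username> <OK|FAIL>
_LEGIT_LINES = [
    '2019-11-29T08:00:01Z 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0) Chrome/78.0" alice FAIL',
    '2019-11-29T08:00:09Z 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0) Chrome/78.0" alice OK',
    '2019-11-29T08:00:15Z 198.51.100.7 "Mozilla/5.0 (iPhone; CPU iPhone OS 13_2) Safari/604.1" bob OK',
    '2019-11-29T08:00:40Z 198.51.100.7 "Mozilla/5.0 (iPhone; CPU iPhone OS 13_2) Safari/604.1" bob OK',
]
# One constructed source replaying a leaked list: a new username on every
# attempt, a browser-like user agent, and a single success (user007).
_BOT_LINES = [
    f'2019-11-29T08:01:{i:02d}Z 192.0.2.44 "Mozilla/5.0 (Windows NT 10.0) Chrome/78.0" user{i:03d} '
    + ("OK" if i == 7 else "FAIL")
    for i in range(12)
]
SAMPLE_LOG = "\n".join(_LEGIT_LINES + _BOT_LINES) + "\n"

LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (OK|FAIL)$')


@dataclass
class LoginEvent:
    ts: str
    ip: str
    ua: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse lines in the assumed layout; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, ip, ua, user, result = m.groups()
        events.append(LoginEvent(ts, ip, ua, user, result == "OK"))
    return events


def source_stats(events: list[LoginEvent]) -> dict[str, dict]:
    """Aggregate attempts, distinct usernames and success rate per client IP."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0})
    for e in events:
        s = per_ip[e.ip]
        s["attempts"] += 1
        s["users"].add(e.user)
        s["successes"] += int(e.ok)
    return {
        ip: {
            "attempts": s["attempts"],
            "distinct_users": len(s["users"]),
            "success_rate": s["successes"] / s["attempts"],
        }
        for ip, s in per_ip.items()
    }


def detect_stuffing(events: list[LoginEvent], min_attempts: int = 10,
                    min_user_ratio: float = 0.5,
                    max_success_rate: float = 0.2) -> dict[str, dict]:
    """Flag sources that behave like a stuffing bot: enough volume to judge,
    a new username on at least half of the attempts, and almost all failing.
    A real user retrying one password on one account never looks like this."""
    flagged = {}
    for ip, s in source_stats(events).items():
        if s["attempts"] < min_attempts:
            continue
        user_ratio = s["distinct_users"] / s["attempts"]
        if user_ratio >= min_user_ratio and s["success_rate"] <= max_success_rate:
            flagged[ip] = s
    return flagged


def compromised_accounts(events: list[LoginEvent], flagged: dict[str, dict]) -> list[str]:
    """Usernames that a flagged source successfully authenticated as; these
    are the accounts to review and protect (forced reset, session revocation)."""
    return sorted({e.user for e in events if e.ip in flagged and e.ok})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evts)
    for ip, s in hits.items():
        print(f"{ip}: {s['attempts']} attempts, {s['distinct_users']} usernames, "
              f"success rate {s['success_rate']:.2f}")
    print("accounts to investigate:", compromised_accounts(evts, hits))
```

The heuristic deliberately does not key on the user agent: a bot that emulates a browser string still has to present many different usernames and absorb a high failure rate, which is what the ratios capture. In production the same aggregation would be done per time window and also across IPs (a distributed botnet spreads the attempts), and the thresholds tuned against the site’s normal login failure baseline.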
For JavaScript formjacking, skimmer and scraping-style attacks, there are several best practices suggested by OWASP for coding/configuration management:
- use of server direct data layer;
- handling indirect requests;
- sandboxing/iframe isolation;
- sub-resource integrity;
- keeping JavaScript libraries updated; and
- marketing technology security.
The issue with many of these is that they're labor-intensive and don’t provide situational awareness. Consider looking for a solution that's based on heuristic or behavior-based alerting and response.
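Sub-resource integrity (SRI) from the list above is the control that most directly addresses a tampered third-party script, and it is also one that can be audited automatically. The following is an added example, not code from the article, OWASP or Akamai: it generates an SRI `integrity` attribute for a script body, verifies a fetched body against an attribute the way a browser does (several hash expressions may be listed; only the strongest supported algorithm counts), and scans a constructed HTML snippet for external scripts that lack an `integrity` attribute. The script bodies and hostnames are constructed for the example.

```python
import base64
import hashlib
import re

# Algorithms the SRI spec allows, ordered by strength for the "strongest wins" rule.
SUPPORTED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

# Constructed script bodies: what the CDN served when the tag was generated,
# and a later copy that has been modified (here by one harmless extra line).
ORIGINAL_SCRIPT = b"window.analytics = function (e) { /* benign tag */ };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"console.log('changed');\n"

# Constructed page fragment for the audit: one inline script, one third-party
# script pinned with SRI, and one third-party script without it.
SAMPLE_HTML = """
<script>window.dataLayer = [];</script>
<script src="https://cdn.example/analytics.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script async src="https://tags.example/mkt.js"></script>
"""


def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Return an SRI hash expression, e.g. 'sha384-<base64 digest>'."""
    digest = SUPPORTED[alg](body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes, alg: str = "sha384") -> str:
    """Build a pinned <script> tag; crossorigin is required for SRI on cross-origin scripts."""
    return f'<script src="{src}" integrity="{sri_hash(body, alg)}" crossorigin="anonymous"></script>'


def verify_sri(body: bytes, integrity: str) -> bool:
    """Match a body against an integrity attribute as a browser would:
    parse the space-separated hash expressions, keep those using the strongest
    supported algorithm present, and pass if any of them matches. Returns False
    when no supported algorithm is listed (a browser would ignore the attribute,
    so a deployment check should treat that as a misconfiguration)."""
    parsed = []
    for token in integrity.split():
        alg, sep, b64 = token.partition("-")
        if not sep or alg not in SUPPORTED:
            continue
        parsed.append((alg, b64.split("?", 1)[0]))  # drop any option-expression
    if not parsed:
        return False
    strongest = max(STRENGTH[alg] for alg, _ in parsed)
    for alg, expected in parsed:
        if STRENGTH[alg] == strongest and sri_hash(body, alg) == f"{alg}-{expected}":
            return True
    return False


_SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
_INTEGRITY_RE = re.compile(r"\bintegrity\s*=", re.IGNORECASE)


def scripts_missing_integrity(html: str) -> list[str]:
    """List src URLs of external <script> tags that carry no integrity attribute."""
    missing = []
    for m in _SCRIPT_TAG_RE.finditer(html):
        attrs = m.group(1)
        src = _SRC_RE.search(attrs)
        if src and not _INTEGRITY_RE.search(attrs):
            missing.append(src.group(1))
    return missing


if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_SCRIPT)
    print(script_tag("https://cdn.example/analytics.js", ORIGINAL_SCRIPT))
    print("original verifies:", verify_sri(ORIGINAL_SCRIPT, pinned))
    print("tampered verifies:", verify_sri(TAMPERED_SCRIPT, pinned))
    print("unpinned scripts:", scripts_missing_integrity(SAMPLE_HTML))
```

SRI only helps for scripts whose content is fixed at deploy time; a marketing tag that is re-published by the vendor without notice will simply stop loading when its hash changes, which is the intended failure mode but also why the article calls these controls manually intensive. The audit function gives the situational awareness the list lacks on its own: run it against rendered pages and the list of unpinned third-party scripts is the gap to close.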
Finally, as we look to the holiday season, be sure to exercise your incident response/crisis management processes and make sure everyone understands how being in a change freeze impacts them.
Steve Winterfeld is the senior director of security strategy at Akamai Technologies, a globally distributed intelligent edge platform.
Before joining Akamai, he spent over 10 years building security programs to protect companies and their customers as Director of Incident Response and Threat Intelligence at Charles Schwab, Director of Cybersecurity for Nordstrom and CISO for Nordstrom bank and supporting national defense efforts at Northrop Grumman/TASC. Now he is focused on being the voice of the customer for Akamai’s security vision and helping CISOs solve their most pressing issues.