E-COMMERCE CYBERSECURITY

Ecommerce Cybersecurity

ACID Technologies helps e-commerce businesses protect themselves by detecting the first signs of an impending cyberattack – as early as in its planning stage – and providing real-time, detailed alerts that enable the targeted businesses to implement effective preventive measures.

ACID Technologies provides e-commerce businesses with 24/7/365 dark web monitoring services, while also continuously monitoring the deep web and multiple additional sources. When detecting a threat, ACID sends real-time, actionable alerts with all available information, to enable the targeted business to effectively respond to the threat, mitigate its harmful impact, and potentially foil it altogether.

The growing need for e-commerce cybersecurity

E-commerce sites are an attractive target for cybercriminals due to the vast amount of PII (personally identifiable information) they acquire, including the names, addresses, phone numbers, in some cases birth dates, and, of course, credit card information of consumers.

Greatly increased online shopping during the Covid-19 pandemic lockdowns – a 24% hike in 2020 – has made e-commerce websites an even more appealing target, as evidenced by a 300% increase in the number of attacks in less than a year from the start of the pandemic.

These sites remain attractive, as many consumers have changed their shopping habits and continue to do much more of their buying online than before the outbreak of the pandemic. The period leading up to holiday seasons presents a particular challenge, as sales soar.

Furthermore, the increasingly prevalent use of alternative payment methods, such as digital wallets and BNPL (Buy-Now-Pay-Later), is creating new fraud risks, which must also be taken into consideration.

E-commerce cybersecurity is a necessity for e-commerce business owners

E-commerce sites continue to be relentlessly targeted by cybercriminals, undeterred by the new technologies some of these sites have added. Attackers keep looking for vulnerabilities to exploit in order to achieve their goal. When attacks are successful, they have the potential to cause heavy financial losses, as well as severe harm to reputation, which highlights the critical need for e-commerce businesses to ensure that they implement adequate authentication and data encryption measures.

The global cost of e-commerce fraud in 2023 is predicted to amount to $48B

(Juniper Research, 2021)

An estimated 3% of e-commerce attacks, costing $6B, bypass security measures each year

(DUE)

Juniper Research, a market research, forecasting and consulting company, predicted that the cost incurred by merchants globally due to e-commerce fraud will increase from slightly more than US$ 41 billion in 2022 to more than US$ 48 billion in 2023.

DUE claims that as many as 3% of e-commerce attacks overcome the security measures implemented by companies, costing approximately US$ 6 billion a year.

Main threats addressed by ACID’s e-commerce cybersecurity solution

ACID protects its e-commerce clients from a diverse range of threats, including the following:

  • E-skimming: In this type of attack, the attacker injects skimming code into the pages of the e-commerce site on which credit cards are processed and steals the card data in real time.
  • Supply chain attacks: Supply chain attacks are becoming more common, with cybercriminals targeting the software supply chain in order to insert malicious code and access personal information and/or credit card data. They often do so by hiding their code in legitimate updates. A successful attack may impact thousands of victims.
  • Automated bots: These bots try to complete transactions using stolen credit card details. A 12-month analysis conducted by Imperva Research Labs reveals that in 2021, 57% of all cyberattacks targeting e-commerce websites were executed by bots, far above the rate in other industries (33%).
  • Credential stuffing attacks are also used against e-commerce websites. In these types of attacks, hackers who have already obtained credentials required to complete a transaction in a previous attack use the information to log into an e-commerce website. The two attacks are not necessarily related to one another; this is an attack exploiting an opportunity to use the same data for additional nefarious purposes. Credential stuffing is facilitated by the fact that many people – according to some sources, up to 70% of users – use the same password to log into several different websites. It should be noted that credential stuffing is difficult to distinguish from authentic user activity, as the credentials used in these attacks are legitimate user credentials, which makes the detection an even more complex task. DUE reports that 90% of global login traffic results from such attacks. The State of the Internet 2018 report issued by Akamai states that in May and June 2018 alone, 8.3 billion malicious login attempts were identified.
  • Ransomware attacks are not necessarily the first that come to mind in the context of e-commerce, as it is generally believed that e-commerce businesses are targeted for theft of personal and credit card data.
  • SQL injection attacks – in these attacks, attackers submit crafted input through the site’s query and form fields in order to reach the backend database, then proceed to corrupt it and collect data.
  • Cross-site scripting (XSS) attacks are attacks in which cybercriminals manipulate a vulnerable e-commerce website so that it returns malicious JavaScript to users. When that script executes in the victim’s browser, it allows the attacker to compromise the user’s interaction with the application.
  • Phishing attacks are also carried out against e-commerce sites.
  • DDoS (Distributed Denial of Service) attacks on e-commerce sites are launched to disrupt operation, as in other types of websites.
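Credential stuffing is singled out above as hard to tell apart from genuine logins, because every individual attempt uses a real credential pair. What does stand out is the shape of the traffic: one source trying many different accounts in a short window with mostly failures. The following is an added example, not ACID’s code; it parses a constructed authentication log in an invented format (`<timestamp> ip=<addr> user=<name> result=<ok|fail>`) and flags source addresses whose sliding-window activity matches that pattern, reporting any accounts that were successfully logged into during the burst.

```python
"""Flag credential-stuffing-like login bursts in a constructed auth log.

Added example, not ACID's code. The log format is invented for illustration:
"<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>". Heuristic: a single
source IP that tries many distinct usernames with a high failure ratio inside
a short window looks like stuffing; a normal user fails a few times on one
account and then succeeds.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "ok")


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=20, min_fail_ratio=0.8):
    """Return {ip: summary} for source IPs matching the heuristic.

    For each IP, slide a window over its events in time order; at each event
    count distinct usernames and failures among the events inside the window.
    The summary kept for an IP is the window with the most distinct users.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, e in enumerate(evs):
            while evs[start].ts < e.ts - window:  # drop events older than the window
                start += 1
            chunk = evs[start:end + 1]
            users = {x.user for x in chunk}
            fails = sum(not x.ok for x in chunk)
            ratio = fails / len(chunk)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(chunk),
                        "fail_ratio": round(ratio, 2),
                        # accounts the attacker actually got into: these need a password reset
                        "successes": [x.user for x in chunk if x.ok],
                    }
    return flagged


def constructed_log():
    """Constructed sample: one stuffing burst and one clumsy but legitimate user."""
    base = datetime(2024, 3, 1, 12, 0, 0)
    lines = []
    # Attacker (TEST-NET address): 30 distinct accounts from one IP in 90 s, 2 hits.
    for i in range(30):
        ts = base + timedelta(seconds=3 * i)
        result = "ok" if i in (11, 27) else "fail"
        lines.append(f"{ts.isoformat()} ip=198.51.100.7 user=customer{i:03d} result={result}")
    # Legitimate user: three typos on one account, then success.
    for i, result in enumerate(["fail", "fail", "fail", "ok"]):
        ts = base + timedelta(seconds=40 + 15 * i)
        lines.append(f"{ts.isoformat()} ip=203.0.113.5 user=alice result={result}")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(constructed_log())).items():
        print(ip, summary)
```

The thresholds (20 accounts, 80% failures, five minutes) are starting points, not universal values; a shop behind a carrier-grade NAT will need per-ASN baselines or device fingerprinting on top of source IP, and the `successes` list is the part worth acting on, since those accounts now need forced re-authentication.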

Examples of e-commerce attacks that could have potentially been prevented with an effective e-commerce cybersecurity solution

X-Cart: In late 2022, a ransomware attack was perpetrated against the e-commerce platform X-Cart. The attack seems to have been caused by the exploitation of a vulnerability in a third-party software, through which X-Cart’s store hosting systems were accessed. According to the company, the attacker accessed and encrypted a small number of servers, affecting X-Cart stores running on the affected systems.

Acro: The Japanese beauty products e-commerce company announced in 2022 that it had sustained a data breach which potentially affected customers who had made purchases on its websites in a 15-month period between May 2020 and August 2021. As a result of the attack, the details of close to 104,000 payment cards used to purchase items on its Amplitude website, and more than 89,000 payment cards used to purchase goods on its Three Cosmetics website, were compromised. The data accessed by the attackers included the names of the cardholders, and the payment cards’ numbers, security codes and expiry dates.

Tupperware: In 2020, an e-skimming attack was perpetrated against the main website of Tupperware, a large multinational company based in the USA. The website is visited by approximately 1 million online customers each month. Some of the local websites the company operates in various countries around the world were also targeted. The attackers injected a payment card skimmer into the checkout page in order to steal credit card details. Although detected in March 2020, it is unclear when the attack was actually first launched.

Researchers were impressed at the cybercriminals’ skill in hiding the malicious code in a PNG file image for a FAQ icon, which, when clicked, loaded the fake payment form. However, they were surprised that the hackers did not create versions of the fake form in the different languages for the foreign websites.

The benefits of ACID’s e-commerce cybersecurity solution

ACID offers an exceptionally cost-effective solution that helps e-commerce site operators protect themselves from cyberattacks, keep their data safe, and potentially avoid serious financial implications, as well as harm to their reputation.

ACID deploys clusters of bots and implements advanced AI algorithms in order to detect the first signs of an attack in the clear, deep and dark web, as well as in multiple other sources, as early as in its initial planning phase. Once such signs are detected, ACID alerts the targeted company in real time, providing all the available information – including screenshots of threats detected on the dark web, which clients may be reluctant or incapable of accessing themselves. ACID continues to monitor the sources, using client-specific keywords in several languages, and provides updates with any additional data as it becomes available. While ACID regularly scans a very large number of sources, if the client wishes to add additional ones that are particularly relevant for it, this possibility is offered as well.

Additionally, ACID conducts widespread monitoring activities to detect any stolen data that may be offered for sale, indicating that a company has already been breached, to enable it to take appropriate action and stop the theft.

The valuable, continuously updated information provided by ACID in real time helps the targeted e-commerce businesses prepare and implement effective countermeasures, mitigate the potential impact of the attack, and possibly thwart it altogether.

Online shopping is continuing its upward trend, after gaining a significant boost during the Covid-19 pandemic. The following statistics, reported by SellerCommerce, illustrate this:

More than 2.7 billion people, the equivalent of over 33% of the world’s population, shop online, and 34% do so at least once a week. They are free to choose from more than 26.6 million online stores operating globally; more than half of online shoppers turn to international sites. E-commerce sales are expected to exceed $6.3 trillion in 2024, with 20.1% of retail purchases taking place online, and are projected to reach 22.6% by 2027.

With e-commerce so prevalent, and with its wealth of sensitive customer data, including personal information, credit card numbers, and financial details, it is no wonder that cybercriminals are increasingly targeting e-commerce businesses. This data, if stolen, can be sold on the dark web and used to commit identity theft and launch phishing campaigns. Even one successful attack can yield millions of records.

Customer trust and loyalty are essential to a thriving e-commerce business. The loss of sensitive data as a result of a security breach will have a negative impact and result in financial loss to the business, and potentially, to the customer as well.

Furthermore, e-commerce businesses are required to operate in full compliance with data protection laws and regulations. Failure to do so places them at risk of heavy penalties.

The main laws and regulations applicable to e-commerce businesses serving customers in the USA and Europe are:

  • The European General Data Protection Regulation (GDPR), which governs the collection, storage and processing of data, and is considered by many as setting a global standard. In general terms, the GDPR deals with data protection, and is relevant to e-commerce businesses in light of the vast amount of sensitive information they hold. One of its main principles is that personal data must be processed “lawfully, fairly, and transparently.” This means that e-commerce businesses are obligated to collect such information only after having received the informed consent of the users, and must also give users the option of requesting that the personal data the business has collected about them be deleted.

Noncompliance with the GDPR can result in devastating penalties that are potentially lethal to an e-commerce business: Up to €20 million, or 4% of the global annual turnover – the higher of the two.

  • The California Consumer Privacy Act of 2018 (CCPA), which gives consumers more control over the personal information that businesses collect about them, and the CCPA regulations, which provide guidance on the law’s implementation. The law applies to any business that collects personal information from California residents, which has 100,000 or more customers and a minimum of $25 million in annual gross revenue. It includes:
      • Consumers’ right to know about the personal information a business collects about them and how it is used and shared
      • The right to delete personal information collected from them (with some exceptions)
      • The right to opt-out of the sale or sharing of their personal information, and
      • The right to non-discrimination for exercising their CCPA rights.

A later amendment added new privacy protections, which came into effect on January 1, 2023, including:

  • The right to correct inaccurate personal information that a business has about consumers, and
  • The right to limit the use and disclosure of sensitive personal information collected about them.

Civil penalties of up to $7,500 per violation can be imposed on businesses found to have intentionally violated the CCPA. The maximum fine for other violations is $2,500 per violation.

To operate successfully, the e-commerce sector must overcome a variety of threats:

  • Malware – which includes software used to breach a targeted organization’s system, steal sensitive data, cause disruption, inject viruses, etc.
  • Phishing and social engineering attacks – phishing attacks are becoming increasingly sophisticated, more personalized, and harder for untrained persons to identify. A new and concerning trend is vishing, or voice phishing, in which the perpetrators impersonate a member of the company using deepfake technology and trick their targets into disclosing sensitive information.
  • Credential stuffing – in this type of attack, cybercriminals use stolen account credentials to access user accounts. The risk involved is amplified when the criminals use bots to gain unauthorized access to the e-commerce sites of other businesses.
  • Magecart attack – in which malicious JavaScript-based code is injected into the e-commerce website’s checkout page with the aim of stealing valuable information, for example, credentials and billing addresses of customers. Magecart attacks are considered particularly severe for e-commerce businesses.
  • Distributed Denial of Service (DDoS) – in which a targeted website is overwhelmed with fake traffic, making access for legitimate users impossible.
  • Application Programming Interface (API) abuse – the exploitation of APIs by cybercriminals impairs not only the user experience, but also the security of the platform and the protection of data.
  • Exploitation of Internet of Things (IoT) vulnerabilities – following the introduction of wearable devices and other IoT devices, consumers now interact with e-commerce platforms differently than before. If these devices are not sufficiently secure, they are vulnerable to hacking.
  • Supply chain attacks – as e-commerce businesses rely on external providers for a variety of services, security gaps in the providers’ systems also place the e-commerce business itself at risk.
  • Insider threats – authorized users who are in fact malicious actors. These can be, for example, employees who feel that they are being treated unfairly or have been unfairly terminated (and whose login credentials have not been deleted from the system). They therefore bear a grudge and are out to exact revenge and/or line their pockets. Malicious actors might also be motivated by financial gain. They access the system to steal sensitive data like trade secrets, client names or marketing plans at the request of well-paying competitors.
  • Cryptojacking – cybercriminals are increasingly targeting e-commerce websites to carry out cryptojacking attacks, in which they inject malicious code in order to covertly use the victim’s computer power to generate cryptocurrency.
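The Magecart and e-skimming items above, and the Tupperware case earlier on the page, share one mechanism: JavaScript that was not there before is now running on the checkout page, either loaded from a third-party host or inserted inline. A simple defensive control is to snapshot the scripts a known-good copy of the page loads and alert when a later fetch differs. The following is an added example, not ACID’s or any vendor’s code; the checkout HTML is constructed, and the hostnames (`cdn.example.com`, `static.example.net`) are documentation-reserved placeholders.

```python
"""Detect unexpected scripts on a checkout page (added example, not ACID's code).

Baseline = the set of external script hosts and the SHA-256 of each inline
script body on a known-good copy of the page. A later check flags any script
loaded from a host outside the baseline and any inline script whose hash is
not in it. Both the HTML and the hostnames below are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and the SHA-256 of each inline script body."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline_hashes = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:  # HTMLParser hands script bodies to handle_data as CDATA
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip().encode()
            self.inline_hashes.append(hashlib.sha256(body).hexdigest())
            self._in_inline = False


def collect_scripts(html):
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return p.external, p.inline_hashes


def baseline_from(html):
    """Build the allow-list from a known-good capture of the page."""
    ext, inl = collect_scripts(html)
    hosts = {urlparse(u).hostname for u in ext if urlparse(u).hostname}
    return {"hosts": hosts, "inline": set(inl)}


def check_page(html, baseline):
    """Return a list of (finding, detail, url) tuples; empty means the page matches."""
    findings = []
    ext, inl = collect_scripts(html)
    for u in ext:
        host = urlparse(u).hostname
        if host is None:  # relative URL: same origin, treated as first party
            continue
        if host not in baseline["hosts"]:
            findings.append(("unexpected_script_host", host, u))
    for h in inl:
        if h not in baseline["inline"]:
            findings.append(("unknown_inline_script", h[:16], None))
    return findings


# Constructed known-good checkout page.
KNOWN_GOOD = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.com/payments/v2.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</head><body><form id="payment"></form></body></html>"""

# Constructed later capture: one extra third-party script and one extra inline script.
SUSPECT = KNOWN_GOOD.replace(
    "</head>",
    '<script src="https://static.example.net/analytics.js"></script>\n'
    "<script>/* constructed: unexpected inline script */</script>\n</head>",
)

if __name__ == "__main__":
    baseline = baseline_from(KNOWN_GOOD)
    print("known-good:", check_page(KNOWN_GOOD, baseline))
    print("suspect:   ", check_page(SUSPECT, baseline))
```

This only watches the HTML the server returns; a script that rewrites the DOM after load is invisible to it, so in practice it complements a Content-Security-Policy with `script-src` restrictions and Subresource Integrity attributes on third-party scripts rather than replacing them. Every legitimate deploy that changes an inline script will also trip it, which is the point: the baseline should be refreshed as part of the release, not silently.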

ACID helps e-commerce businesses maintain business continuity, preserve their customers’ trust and build customer loyalty.

Clusters of robots are deployed and sophisticated algorithms implemented to continuously monitor the dark web and numerous additional sources in order to detect signs of impending attacks while still in their planning stage, attacks that are in progress, and leaked data indicating a breach.

Client-specific keywords are used, and language/s are chosen as relevant, to provide optimal results. Once a threat is detected, ACID sends real-time alerts to the targeted e-commerce business, to enable it to implement countermeasures to diminish the effects of the attack. In some cases, the real-time alerts and precise information enable the targeted business to thwart the attack before it is actually launched.