Top Security Threats to Ecommerce Websites

In the past few years it’s seemed like there has been a new widespread security breach every other week. High profile incidents such as Heartbleed and WannaCry and hacks of notable entities including Sony Pictures and the Democratic National Committee have brought cyber security to the front of people’s minds. The magnitude of Distributed Denial of Service (DDoS) attacks has risen with the increased number of devices connecting to the internet, and as more of the population engages with these devices the risk of sensitive information being taken advantage of continues to rise.

Website Security and Ecommerce

Bank accounts, credit card information, healthcare data, tax returns and personal identifying information are now regularly submitted online or stored in a network that could be vulnerable. Markets on the so-called “dark web” that sell stolen information can wreak havoc by enabling others to charge money to someone’s account or even steal their identity. Connected Internet of Things devices like fridges, home security systems and even cars can be taken over remotely, bringing severe consequences.

Of course, some of these examples point to the worst case situations. But they demonstrate that all Internet users need to be aware of the security of websites they visit, and websites themselves need to be increasingly aware of the security lapses they could face.

For the ecommerce industry, website security is a particularly important topic. Online retail stores are becoming more and more prevalent, with almost 400 billion dollars being spent online in the US alone. Pew Research found that 79% of American adults have used ecommerce sites to purchase books, clothes, makeup, and household essentials. Among people under the age of 30 that number is even higher: 90% have bought something online and 77% have used their mobile phone for an ecommerce purchase.

Ecommerce sites of all sizes are susceptible to attack because they process credit card information, email addresses, and passwords for user accounts. If not properly secured, credit card numbers can be taken and email/password combinations can be tried on other websites. In the following sections we will go through what security issues ecommerce sites face - download our full Guide to Website Security for Ecommerce Sites for more information on threats and how to protect your website.

Threats Posed to Ecommerce Websites


Known Vulnerabilities to Ecommerce Platforms

Any software you are using, including your ecommerce platform and extensions, will have certain vulnerabilities that are known to attackers. These could include ways to access your site through a backdoor, inject malicious JavaScript into a form to create new administrative accounts or takeover legitimate customer accounts, or inject other code to take over your database. Some of the most common vulnerabilities found in ecommerce sites include:

  • Cross Site Scripting: In this form of attack, an attacker inserts a JavaScript snippet into a vulnerable web page. To the browser it looks like one of the site’s own scripts, so it is executed. The script can then perform a number of harmful actions, such as reading a user’s cookies in order to impersonate them. This technique can also give attackers access to other information on the user’s computer and leave them vulnerable to phishing attempts or malware installation.

    Although this form of attack may not target the website itself, it targets your website’s users, which can still impact your business. In 2016, one attack of this type impacted over 6,000 ecommerce websites by stealing customer credit card data. Even websites that used a third-party payment processor or HTTPS encryption were still vulnerable, and some did not patch the issue for months.

  • SQL Injection: SQL injection can affect any website or web application that uses a SQL database, which includes ecommerce platforms such as Magento. In this type of attack, an attacker supplies input that the application concatenates into a SQL query, so the attacker’s own SQL statements run as part of what looks like a legitimate query. If the attacker gains access to the database they can create an administrative account for themselves, delete database entries, or view sensitive information.
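The two flaws above, cross site scripting and SQL injection, come from the same mistake: customer-supplied text is treated as code, either by the browser or by the database. The following added example (not code from the original article or from any ecommerce platform it mentions) shows each flaw in a vulnerable form next to its hardened form. The customer table, the review text and the payloads are constructed for the demonstration; `html.escape` and `sqlite3` parameter binding are standard library features.

```python
"""Added example: the two injection flaws described above, each in a
vulnerable form beside its hardened form. Table, rows and payloads are
constructed for the demonstration."""
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory customer table with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, role) VALUES (?, ?)",
        [("alice@example.com", "customer"),
         ("bob@example.com", "customer"),
         ("admin@example.com", "admin")],
    )
    return conn


# --- SQL injection: string-built query vs parameterised query ---------------

def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Concatenates user input into the SQL text, so a quote in the input
    ends the string literal and the rest of the input becomes SQL."""
    sql = "SELECT email, role FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Bound parameter: the value travels separately from the query text and
    is only ever compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT email, role FROM customers WHERE email = ?", (email,)
    ).fetchall()


# --- Cross site scripting: raw output vs escaped output ---------------------

REVIEW_TEMPLATE = '<p class="review">{body}</p>'


def render_vulnerable(review: str) -> str:
    """Drops stored customer text straight into the page markup."""
    return REVIEW_TEMPLATE.format(body=review)


def render_safe(review: str) -> str:
    """Escapes <, >, & and quotes so the text is displayed, never executed."""
    return REVIEW_TEMPLATE.format(body=html.escape(review, quote=True))


def contains_live_script(markup: str) -> bool:
    """Demo check: does an unescaped <script> tag survive into the page?"""
    return "<script" in markup.lower()


def demo() -> dict:
    """Runs both payloads through the weak and the hardened code paths."""
    conn = build_db()
    sqli_payload = "' OR '1'='1"   # classic tautology: makes the WHERE clause always true
    xss_payload = "Great shoes <script>alert(document.cookie)</script>"
    return {
        "sqli_vulnerable_rows": len(lookup_vulnerable(conn, sqli_payload)),  # every row leaks
        "sqli_safe_rows": len(lookup_safe(conn, sqli_payload)),              # no row matches
        "xss_vulnerable_live": contains_live_script(render_vulnerable(xss_payload)),
        "xss_safe_live": contains_live_script(render_safe(xss_payload)),
        "xss_safe_markup": render_safe(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points worth noting. Escaping belongs at the output side, in the template, because the same review text may be rendered in HTML, in JSON and in an email, each needing a different encoding; and the parameterised query is not a filter on the input, it is a different way of sending it, so no list of "dangerous characters" has to be maintained.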

Phishing Attacks

Phishing scams usually take the form of emails that look legitimate or appear to come from someone you know, although phishing through phone calls also occurs. These scams typically include a link or instructions leading to a page that, if accessed, will take over an email account or install malware on your computer that can steal personal information, access your microphone and camera, or log keystrokes.

Targeted phishing attacks can be very convincing, and if a company employee falls for one they could inadvertently give an attacker access to their administrative account and other information that poses a risk to your website and company.

Distributed Denial of Service or DDoS Attacks

A Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack aims to take down your site by overwhelming your servers with requests. In its distributed form, the attack comes from hundreds or thousands of IP addresses, usually devices that have themselves been compromised and are made to request your website over and over again. This attack type overloads your servers, slowing them down significantly or taking your site temporarily offline, preventing legitimate users from accessing your site or completing orders.

DDoS attacks are difficult to stop by simple IP blocking since they come from many sources, and those sources often look similar to your legitimate traffic. As more devices are connected to the Internet, DDoS attacks have grown both in prevalence and strength, meaning even websites with a large number of powerful servers can be unable to withstand them.

High-profile ecommerce sites are susceptible to this type of attack, and smaller ecommerce sites may also be vulnerable if their web host or DNS provider is targeted. For example, in October 2016 the DNS provider Dyn was targeted by a DDoS attack and thousands of websites were taken offline as a result.

Bad Bots Targeting Ecommerce


Bots are prevalent all over the Internet, and can be both good and bad. “Good” bots are used by search engine sites such as Google and Bing to crawl and index your site for their search results. You want your site to be visible to these bots so that when someone searches for keywords related to your site it will show up in the results.

However, there are also malicious bots that gather information from your website such as pricing data, hold products in carts without intending to buy them, buy up your inventory of a limited release to resell it at a higher price, or take over real accounts by guessing passwords. Some bad bots can also access your database and gather a list of user account logins that can be resold later.

A recent report by Distil Networks found that 97% of sites are hit with some sort of bad bot. For ecommerce sites, bad bots account for an average of 15.6% of a website’s traffic, with good bots accounting for 9.3% of traffic. Bots can be programmed to perform a wide range of activities, but here are the most common for ecommerce sites:

  • Price Scraping: If your site has unique pricing and product information, the chances are extremely high (around 97% according to Distil) that you will be hit by scraping bots. These bots collect pricing and product data and send it back to the bot-maker, who could be a competitor, so they can lower their prices and take sales away from you.

    Scraping can also hurt SEO and the likelihood that potential customers find your product, as scrapers may create duplicate content which search engines then take into account when ranking websites. This type of bot can be extremely harmful if you are selling the same product as other websites and trying to price competitively.

  • Login Fraud: Bots can attempt to log in using one of your real users’ credentials, guessing the password by rapidly working through a dictionary of words and number combinations (a brute-force approach), or by testing known credentials that have leaked elsewhere. If bots succeed in logging in, they may not use the account immediately but instead sell the information to a third party.

    If a purchase is made using a stolen account and stored credit card information it will compromise the trust your users have in your site and result in a loss of money if an order ships and you need to refund the customer. If admin accounts are compromised using these same tactics, you could be unwittingly giving away a larger list of account logins.

    Bots can also create new accounts in order to test stolen credit card numbers. If bots gain access to an account by guessing the login, they can also guess the expiration date and CVV number of stored credit cards and make a fraudulent purchase.

  • Holding Items: Because bots can act more quickly than human browsers, they are able to refresh pages many times over to check for sales or limited-release products. Bots can add items to a cart, limiting inventory for actual users who came to your site looking for a specific product. If the item has a high resale value, bots may purchase it and resell it at a higher price on a third party website such as eBay. Even if bots do not ultimately purchase the product, your actual visitors may abandon your site if it appears an item is out of stock, and when the bot releases the product your cart abandonment rate will go up.

  • Incorrect Analytics: A secondary effect of bad bot traffic is that it can significantly impact the analytics you track. Over 50% of bots can load JavaScript, which is the mechanism most analytics tools use to measure page views, bounce rate, conversion rate, and more. Since bots are imitating human behavior, they will be included in your analytics and can do harm to these important metrics, lowering your average conversion rate or convincing you to spend more money on advertising.

    Bots can also make it falsely appear that one advertising campaign is working better than another, or in other ways encourage you to target specific keywords or interests which are unlikely to have a good click-through rate.
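The login-fraud behaviour described above leaves a distinctive trace in a login audit log: one source address failing against many different accounts in a short time (a leaked-credential list or a dictionary being tested), or one account failing from many different addresses (guessing spread across a botnet). The following added example (not code from the original article or from Distil Networks) runs a sliding-window detector for both patterns over constructed log lines. The log format, the 60-second window and the two thresholds are assumptions chosen for the demonstration and would be tuned against real traffic.

```python
"""Added example: detect the two login-fraud patterns in a constructed
login-audit log. Format, window and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
MAX_ACCOUNTS_PER_IP = 5   # one source failing against this many accounts: list testing
MAX_IPS_PER_ACCOUNT = 5   # one account failing from this many sources: distributed guessing

# Constructed sample: "timestamp ip account result". One source walks five
# accounts; later six sources hammer "bob"; 198.51.100.2 is an ordinary user typo.
SAMPLE_LOG = """\
2017-06-01T10:00:01 203.0.113.7 alice FAIL
2017-06-01T10:00:02 203.0.113.7 bob FAIL
2017-06-01T10:00:03 203.0.113.7 carol FAIL
2017-06-01T10:00:04 203.0.113.7 dave FAIL
2017-06-01T10:00:05 203.0.113.7 erin FAIL
2017-06-01T10:00:06 203.0.113.7 frank OK
2017-06-01T10:00:30 198.51.100.2 alice FAIL
2017-06-01T10:01:10 198.51.100.2 alice OK
2017-06-01T10:05:00 192.0.2.9 bob FAIL
2017-06-01T10:05:01 192.0.2.10 bob FAIL
2017-06-01T10:05:02 192.0.2.11 bob FAIL
2017-06-01T10:05:03 192.0.2.12 bob FAIL
2017-06-01T10:05:04 192.0.2.13 bob FAIL
2017-06-01T10:05:05 192.0.2.14 bob FAIL
"""


def parse(log_text: str):
    """Yield (timestamp, ip, account, result) for each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        yield datetime.fromisoformat(ts), ip, account, result


def _slide(events: deque, now: datetime) -> None:
    """Drop events older than the window from the front of the deque."""
    while events and now - events[0][0] > WINDOW:
        events.popleft()


def detect(log_text: str) -> dict:
    """Return the source IPs and the accounts whose failure pattern within the
    window crosses the thresholds. Successful logins do not feed the counters."""
    by_ip = defaultdict(deque)       # ip -> (ts, account) failures inside the window
    by_account = defaultdict(deque)  # account -> (ts, ip) failures inside the window
    flagged_ips, flagged_accounts = set(), set()
    for ts, ip, account, result in parse(log_text):
        if result != "FAIL":
            continue
        q = by_ip[ip]
        _slide(q, ts)
        q.append((ts, account))
        if len({a for _, a in q}) >= MAX_ACCOUNTS_PER_IP:
            flagged_ips.add(ip)
        q = by_account[account]
        _slide(q, ts)
        q.append((ts, ip))
        if len({i for _, i in q}) >= MAX_IPS_PER_ACCOUNT:
            flagged_accounts.add(account)
    return {"ips": sorted(flagged_ips), "accounts": sorted(flagged_accounts)}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

In the sample, 203.0.113.7 is flagged after its fifth distinct account and "bob" is flagged once five different sources have failed against it inside one minute, while the user at 198.51.100.2 who mistyped once is not. Counting distinct accounts per source rather than raw failures is what separates list testing from one person retrying; counting distinct sources per account is what catches guessing that stays below any per-IP limit. A flag is a reason to add friction (a CAPTCHA, a step-up check, a temporary lockout or a reset prompt for the targeted account), not necessarily to block the address outright, because as the article notes these sources often resemble legitimate traffic.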

Man in the Middle Attacks

A man in the middle attack is one in which an attacker listens in on a user’s communication with your website. This can happen because a user is connected to an unsecured public wifi network, has been tricked into connecting to a vulnerable network, or because an attacker has targeted a specific network and gained unauthorized access to it. If the connection between the user and the website is not encrypted, a man in the middle can see all of the pages a user visits, view emails they send, and intercept usernames, passwords, and credit card numbers.

Even if a website has an SSL/TLS certificate and encrypts data with HTTPS, there are a number of ways attackers can trick the user’s browser and gain access to unencrypted data. In addition, websites that only use HTTPS on certain pages (for example the payment or login pages) leave their users more susceptible to this type of attack, as attackers can steal session cookies or other sensitive information when users browse an unsecured page on the same website after they have logged in.
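The partial-HTTPS problem above is visible in the response itself: a session cookie set without the `Secure` attribute is sent along on any plain-HTTP page of the same site, a missing `Strict-Transport-Security` header lets the browser keep following `http://` links, and a script or stylesheet loaded over `http://` into an HTTPS page can be swapped by anyone on the path. The following added example (not code from the original article or from section.io) audits those three settings offline on two constructed responses. The header names and cookie attributes are real HTTP and browser features; the responses, cookie values and hostnames are made up for the demonstration.

```python
"""Added example: check a response for the settings that limit what a man in
the middle can capture. The two responses are constructed."""
import re


def _cookie_attrs(set_cookie: str) -> set:
    """Lower-cased attribute names that follow the name=value pair."""
    return {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}


def audit_response(headers: dict, body: str = "") -> list:
    """Return a list of findings; an empty list means all three checks passed.
    headers maps header name -> value, except Set-Cookie -> list of values."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security: the browser will still "
                        "follow http:// links to this site")
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = _cookie_attrs(cookie)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: it is also sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly: script on the page can read it")
    # mixed content: active resources fetched over http:// into an https:// page
    for m in re.finditer(r'(?:src|href)="(http://[^"]+)"', body):
        findings.append(f"plain-HTTP resource loaded into an HTTPS page: {m.group(1)}")
    return findings


# Constructed "before": HTTPS only on the login page, cookie usable everywhere.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Set-Cookie": ["session=abc123; Path=/"],
}
WEAK_BODY = '<script src="http://cdn.example.com/cart.js"></script>'

# Constructed "after": HSTS on, cookie confined to HTTPS and hidden from script.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}
HARDENED_BODY = '<script src="https://cdn.example.com/cart.js"></script>'


if __name__ == "__main__":
    for label, hdrs, body in (("weak", WEAK_HEADERS, WEAK_BODY),
                              ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        print(label, audit_response(hdrs, body) or ["ok"])
```

The hardened response answers the article's scenario directly: with `Secure` set, the cookie is never transmitted on an unsecured page of the same site, and with HSTS the browser stops issuing plain-HTTP requests for the domain at all, so there is no unencrypted page left to eavesdrop on. The same function can be pointed at the headers of a real deployment by reading them from the site's responses, after confirming that every page, not only checkout and login, is served over HTTPS.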

Malware

Malware is malicious software that attackers insert into your web files or pages once they have gained access to your site. Malware may be found on an individual’s computer if they have themselves fallen victim to a phishing attack or otherwise been compromised, or it may be inserted directly onto your website after a successful SQL injection or if administrative account access has been granted to a harmful entity.

Malware can also be installed on your site if you are on a server with other compromised websites in a cross-site contamination incident. Popular ecommerce platforms like Magento are particularly susceptible to widespread malware infections due to their prevalence in the market.

As with any software, malware can perform an extremely wide range of activities, from making your computer part of a botnet that takes part in DDoS attacks, to stealing credit card and account information from your website’s users. One type of malware that targeted Magento sites was able to take credit card information and store it inside image files so that the attacker could retrieve it without raising flags.

Malware can also perform spam activities by linking to websites selling pharmaceutical or other goods, redirecting pages to other sites, inserting pop-up ads onto your site, or adding tags into the metadata of your site.
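Because the malware described above lives in files the attacker has changed or added under the web root (an appended script, a dropped file, a "image" that is really a data store), the most direct detection is a file-integrity baseline: hash every file after a clean deploy, re-hash on a schedule and report anything added, removed or modified. The following added example (not code from the original article, from Magento or from section.io) implements that baseline and runs it against a web root constructed in a temporary directory; the file names and the simulated tampering are made up for the demonstration.

```python
"""Added example: a file-integrity baseline of the kind that catches malware
inserted into web files. The web root is constructed in a temp directory."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Take a baseline of a constructed web root, simulate a compromise that
    appends to a legitimate script and drops a new file, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "index.php").write_text("<?php echo 'shop'; ?>\n")
        (root / "js" / "checkout.js").write_text("// checkout logic\n")
        baseline = snapshot(root)  # taken right after a clean deploy
        # simulated compromise (constructed): code appended to a real file, plus a new file
        with (root / "js" / "checkout.js").open("a") as f:
            f.write("// appended by simulated attacker\n")
        (root / "js" / "stats.js").write_text("// simulated dropped file\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

For this to be trustworthy in production the baseline must be stored somewhere the web server cannot write (an attacker with write access to the web root could otherwise update it along with the files), it should be regenerated only as part of a deploy you performed, and directories the application legitimately writes to (caches, uploaded media) need either a separate policy or a check on file types, since a "JPEG" that does not parse as an image is exactly the pattern the Magento example above describes.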

Protecting Your Ecommerce Website from Attack

The above represent some of the most common threats that can significantly harm your ecommerce business. For a reference book of these threats and additional information on how to protect your website, please download our free Guide to Website Security for Ecommerce Websites. You’ll get detailed information on securing your website through measures including:

  • SSL certificates and HTTPS encryption
  • PCI compliance
  • Security patches
  • Vulnerability scanning
  • Web Application Firewalls
  • Bot blockers
  • Content Delivery Networks

Download the guide here. For more information on how section.io can improve the security of your website, please contact us.
