How to protect your online store from hackers?
February 01, 2023
Is it possible to hack into an eCommerce site? The answer is unequivocal: yes. The field of eCommerce came onto the radar of hackers several years ago, and when the pandemic shifted shopping online, cyberattacks increased in frequency. How do you protect your online business from the threats of the digital age?
A glimpse into history
Hackers have been attacking online stores for years and masterfully covering their tracks. In 2018, Magneto IT Solutions analysts reported that 43% of cyberattacks targeted small companies. 54% of organizations had been hit by hacking attacks. 60% of firms that encountered cybercriminals shut down within six months. Only 38% of businesses worldwide were able to stand up to hackers. And an Accenture Security report indicated that damage from virus attacks cost global businesses $2,613,952, 11% more than in 2017. Web applications were the most exposed.
In 2019, according to Risk Based Security, hackers orchestrated massive data breaches to steal 4.1 billion account credentials. At the same time, 85% of organizations experienced phishing and social engineering. And while in 2018 they feared an external enemy, in 2019 the attacks were carried out by insiders - employees of the organization who "leaked" information for money or to get back at management.
For example, KnowBe4 conducted a survey among 600 e-commerce organizations. Seventy-six percent of respondents indicated that the cybercrime threat comes from insiders.
The same year saw powerful ransomware attacks. Professional services, such as lawyers and certified financial advisors (22.4%), software producers (17.2%) and representatives of the healthcare industry (10.3%) were in the risk zone. According to the Coveware report, the reason is the lack of technical readiness of businesses to repel cyber attacks and a lack of understanding of why they need to make data backups.
The pandemic has taken its toll on business. Merchants and consumers have moved online, and as a result, e-commerce's share of the global retail market has grown from 14% (2019) to 17% (2020), according to a report from UNCTAD and eTrade.
But the prospects of eCommerce have attracted not only entrepreneurs, but also cybercriminals. And no wonder: sales in this sphere reached $3.354 trillion in 2019, and $4.28 trillion in 2020, as Statista demonstrates. So hackers quickly realized that by hacking into online shopping sites, they could gain access to an almost inexhaustible financial source. At the same time, not only corporations, but also small businesses were at risk.
The reason is simple - according to Narvar, 56% of customers order from at least one new store during a pandemic. That means, from the hackers' point of view, finances are pouring into the development of every chain store, and cybercriminals have something to gain.
How are things this year? eMarketer expects e-commerce sales to reach $843.15 billion by the end of 2021 in the U.S. alone. Cyberpion conducted audits of U.S. online firms and concluded that 83% of the test subjects contain vulnerabilities, which means that cybercriminals will have no problem cracking them, as Cybervore notes.
Many online retailers try to protect corporate information in cloud-based tools. But SaaS applications such as QuickBooks and Trello are also vulnerable to hacking. And eCommerce platforms like Shopify and BigCommerce don't guarantee complete data security. Free eCommerce templates (let's say, WooCommerce based on WordPress) even state that security plugins need to be installed if entrepreneurs want to protect themselves from hackers. Unfortunately, not all online business players turned out to be ready for the demands of the era. Many business owners are busy with commerce, product release and distribution, and don't pay proper attention to site information security. Cybercriminals, knowing this, attack even more seriously.
What do hackers need?
- personal data of clients,
- financial information of the organization,
- user names and account accesses.
Why are cybercriminals interested in e-commerce? There are several reasons.
- Financial motivation is, of course, the strongest. Injecting malicious code into a purchase page allows the money for the product to be transferred to the attackers' account.
- But online fraud also has an indirect benefit for criminals. If a hacker breaks into a site and steals the database, it is possible to send fake emails to brand customers with an offer to download a file or follow a link, etc. Often, having done this, the user, unknowingly, may give his personal data to hackers, including payment data: credit card details, login passwords from the bank account (in the case of filling out "fake" forms on the site).
- Scammers can also hack into a personal account to use it to send fake emails. Alternatively, criminals register on shopping platforms under the victim's email account and conduct their scams on behalf of a person who knows nothing about it. For example, scammers might put an item up for sale; customers pay but don't receive the products. When they contact the support service, the trail leads to the user whose email was hacked earlier and was used in the registration. In the meantime, the hacker is long gone.
- Finally, many e-commerce players use the online banking tool PayPal. Hackers know that huge amounts of money are hidden in the accounts. They pick a victim, send false information that the PayPal administration has deemed the account of the online store owner suspicious. In order to unblock the profile (which is, in fact, perfectly fine), the user has to follow a link. Needless to say, after doing what was asked of him, the victim voluntarily transfers access to the account to the fraudsters. And they dispose of other people's funds as they please.
Cyberattacks have a huge impact on eCommerce businesses. First, to protect yourself, you have to spend huge sums on a cybersecurity department and penetration testers. Also, if information is leaked, it has to be reported to customers and compensated. In addition, if a company is a victim of ransomware, you have to pay a ransom in exchange for valuable information or to unlock the system. Sophos, in particular, conducted a study and found:
- eCommerce sites specializing in retail and education faced blackmail that resulted in a total payout of more than $1.97 million in 2020;
- 54% of organizations reported that cybercriminals successfully encrypted their data;
- 32% said they could not unlock access to the databases and system on their own - so they had to pay a ransom;
- But even those who went along with the extortionists recovered only 67% of the information, a third remained out of reach.
Organizations' reputations are at risk because of cyberattacks. When customers and suppliers find out about a hacking attack on a brand, they feel their data is not safe. Target, for example, described how its reputation was shaken after a cyber leak in 2013. Fraudsters accessed the credit card information of 40 million customers. Target spent $18.5 million to restore the system.
Companies that fall victim to cybercriminals also experience a short-term drop in market value. For example, a Comparitech study analyzed 40 cases of data leaks from 34 organizations on the New York Stock Exchange. As it turned out, the share price of "infected" brands fell by an average of 3.5%.
Because of cybercrime, intellectual property in eCommerce - product design, technology, marketing strategies - suffers. At the same time, many copyrighted assets are stored on cloud servers, which are also not properly protected from hackers. In particular, 30% of U.S. eCommerce companies said that for 10 years their Chinese partners have been "borrowing" what rightfully belongs to businesses in the U.S.
The following types of cybercrime are most common in e-commerce:
- financial fraud - theft of personal data (passwords, IDs, bank card numbers and their use for the needs of fraudsters);
- DDoS attack - a hacker attack that bombards a network with more traffic than it can handle, in order to bring the system to failure;
- man-in-the-middle attack - a hacker secretly invades the communication channel between two parties, interrupts an existing conversation or data transfer, and, sitting in the middle of the "chain", alternately impersonates each participant in the data exchange;
- malicious bots - mimic organic traffic passing through web applications, so that it looks like real users are interacting;
- viruses are a type of software designed to harm a computer system;
- phishing scams - a phishing scammer calls or emails you, pretending to be a bank, internet service provider or any other official company, and tricks you into giving out personal information (bank account numbers, passwords and PIN codes);
- Web-skimming - cybercriminals add virus code to the site of an online store (usually on the payment page), through third-party applications, resulting in stolen credit card information and personal user data.
However, the latter three types are often part of other attacks. For example, financial fraud is perpetrated via web scams, and in a middleman attack, criminals use phishing emails.
Let's look at the signs and consequences of major cybercrimes, as well as methods to combat hackers.
So, how do you know if you are a victim of someone else's machinations? There are several signs:
- you receive notifications when you try to log in to your bank account, even though you didn't do it;
- you received a message asking for your Apple ID (because it is by far the most secure storage of personal user data);
- you received a receipt for medical services (alas, manipulating other people's health is a favorite subject for hackers);
- you received a message that your loan was denied, even though you didn't plan to borrow money from the bank;
- debt collectors call you and demand repayment, even though you definitely did not take out any loans.
How to prevent the theft of funds?
It is important to observe basic security measures: a strong random password, licensed software.
In addition, you must choose an e-commerce platform that meets a high standard of security. Namely, it includes encrypted payment gateways (the system verifies customer data before conducting a transaction), an SSL certificate (which enables the cryptographic protocol, TLS, that secures the connection between browser and server), and authentication for both online store owners and customers.
Also, secure eCommerce platforms tend to update automatically. But if they don't, merchants should be on the lookout and download patches and updates themselves as soon as they are released.
A DDoS attack (literally, "bring the system to a crash") targets online shopping sites. The goal is to send such a volume of traffic to the server or network that the system simply can't process it, and a crash occurs. The site becomes unavailable, or the user cannot load the page and assumes the problem is with their own Internet connection.
Malicious traffic consists of incoming messages, requests or fake packets that literally "demand" to connect to the site.
In some cases, hackers demand that site owners pay a ransom in cryptocurrency. Otherwise, the DDoS attack will not stop.
Owners of online stores often do not realize that they are victims of an attack. They think that the site "went down" or the network connection was interrupted. And when they discover DDoS, it's too late.
Therefore, it is important to contact a specialist immediately if you notice one of these signs.
- A single IP address generates many more requests per second than usual.
- The site returns 503 (Service Unavailable) errors.
- Ping requests to the server time out.
- The connection slows down.
- Analysis of the logs shows a large spike in traffic.
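Two of the signs above, a single source sending far more requests per second than usual and a rising share of 503 responses, can be checked directly against the web server's access log. The following is an added example (not code from the original article or from any store platform); the log lines are constructed, the address 203.0.113.7 is a documentation address, and the thresholds are illustrative assumptions to be tuned to a shop's normal traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines in the common log format (not real traffic).
# 10.0.0.5 is an ordinary shopper; 203.0.113.7 fires many requests within one
# second, and the server starts answering 503 as it runs out of capacity.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2023:12:00:00 +0000] "GET /product/42 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Feb/2023:12:00:01 +0000] "GET /product/42 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Feb/2023:12:00:01 +0000] "GET /product/42 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Feb/2023:12:00:01 +0000] "GET /product/42 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Feb/2023:12:00:01 +0000] "GET /product/42 HTTP/1.1" 503 0
203.0.113.7 - - [01/Feb/2023:12:00:01 +0000] "GET /product/42 HTTP/1.1" 503 0
10.0.0.5 - - [01/Feb/2023:12:00:02 +0000] "GET /cart HTTP/1.1" 503 0
"""

# ip, two ident/user fields, [timestamp], "request", status, size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp to the second, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ts"), int(m.group("status"))


def analyze(log_text, rps_threshold=4, error_ratio_threshold=0.3):
    """Flag sources whose peak requests-per-second exceeds rps_threshold and
    report the share of 503 responses; both thresholds are assumed values."""
    per_ip_second = defaultdict(Counter)   # ip -> {second: request count}
    statuses = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                        # skip malformed lines rather than crash
        ip, ts, status = parsed
        per_ip_second[ip][ts] += 1
        statuses[status] += 1
    total = sum(statuses.values())
    ratio_503 = statuses[503] / total if total else 0.0
    noisy = {ip: max(c.values()) for ip, c in per_ip_second.items()
             if max(c.values()) >= rps_threshold}
    return {
        "total_requests": total,
        "ratio_503": ratio_503,
        "noisy_sources": noisy,             # ip -> peak requests in one second
        "alert": bool(noisy) or ratio_503 >= error_ratio_threshold,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In production the same logic would run over a sliding window of the live log rather than a whole file, and a flagged source is a prompt to call the hosting or DDoS-mitigation provider, not proof of an attack on its own.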
How to stop a DDoS attack?
Clearly, the best battle is the one that didn't happen. So you need to take some measures to avoid DDoS attacks.
- Protect the domain name of your online store by registering it.
- Make sure that contact information is available to service providers and customers.
- Ensure real-time monitoring of site availability to track the beginning of a DDoS attack.
- Separate critical online services (such as email) from other network services (such as web hosting), because hackers are likely to target them together.
- Prepare a static version of the site that requires minimal support and bandwidth to keep the service viable in the event of an attack.
- Take advantage of cloud hosting from leading providers in the industry with high bandwidth and content delivery networks that cache the static parts of the online shop.
Usually a man-in-the-middle attack on an online store occurs in one of two scenarios.
1. If the site does not use HTTPS, the hacker intercepts the data transfer between the client and the server while tricking the client into thinking that it is still communicating with the real server. The cybercriminal installs a sniffer to analyze the network traffic. Once the user has logged on to the site, the hacker captures the user's data and redirects them to a fake portal that imitates the real online store. It is on the hacker's platform that valuable information is intercepted.
2. The hacker invades the conversation by taking over individual segments of the discussion. The hacker launches a fake chat service, e.g. on a payment page, pretends to be a bank or payment system and starts a conversation with the potential victim. And that is not all: the criminal then pretends to be the real user who wants to carry out a transaction in the online store, contacts the payment system's chat and obtains the information needed to break into the user's account.
The most famous example of such an attack took place in 2006, when the AT&T DSL site was attacked by hackers. Fraudsters began sending emails to customers saying that their cards could not be charged because the bank had not provided the necessary information. The emails looked realistic enough and included the order number and the last four digits of the card. The recipients were redirected to a fake site that offered to "update" the card data by providing more information - social security number and date of birth. Those users who followed the redirect gave personal data to the hackers.
How do you deal with a man-in-the-middle attack?
Make it a rule to use a virtual private network. A VPN will hide your IP address by routing traffic through a dedicated server, and it will also encrypt the information sent over the network. This measure may not completely protect you from a man-in-the-middle attack, but it is likely that cybercriminals will move on to a victim who is easier to hack.
In a man-in-the-middle attack, scammers often use redirects: they transfer the victim to a fake site and steal personal data from the unsuspecting user. Therefore, it is important to check whether the site you are being directed to is secure, i.e. whether its address starts with https:// rather than http://. Also, it's a good idea to type the desired site into the address bar manually rather than relying on a link you've been sent. Sure, it takes longer, but it saves you trouble in the long run.
Don't discuss work issues while connected to public Wi-Fi. An insecure connection can easily be hacked, intercepting your most valuable information.
Update your browsers to the latest versions, or better yet, use private messengers and browsers. Pay attention to the notification in your browser that the connection is not secure and you should not go to the site.
Be careful with the links and emails you open. Carefully check the sender's address, and better still, check with the sender personally to find out what was sent to you and why. If it looks like an official letter (e.g. from PayPal offering to unblock your account, or from eBay offering a 99% discount), write to the company's support service to find out whether you are really being asked to click a link or download an attachment.
Install DNSSEC, a set of IETF protocol extensions that can minimize attacks in which a hacker replaces a DNS address when domain names are resolved.
What are the dangers of bots?
According to DataDome, 30% of online traffic is accounted for by bots, which can degrade the online store, make the site "crash" and steal customers' personal data. So how do bots manifest themselves in e-commerce?
- Bots choose items in the online store, add the item to the cart, but don't complete the transaction. At the same time, real shoppers see a notification that the products have run out. To cope with such a situation, online store owners limit the time users can keep things in the cart - and the number of times an item is added.
- More advanced bots buy limited-edition items and sell them at a higher price. Let's say, on the day a product is released, the bot uses its computer power to buy as many items of the same type as possible. As a result, people who plan to buy such a product receive an "out of stock" notification, and those who still want to buy the product pay exorbitant prices to the bots. Such an attack is not easy to deal with. But modern monitoring tools allow you to track bots around the clock - and protect users from the devious machinations of online scammers.
- Bot activity can also result in a Layer 7 DDoS attack, which overloads specific elements of the web application server's infrastructure. "Layer 7" refers to the application layer of the OSI model (the network protocol stack), i.e. the attack targets the application itself rather than raw bandwidth. Again, the only way to protect yourself is to constantly monitor site activity and eliminate bots as the problem arises.
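The countermeasure in the first bullet, limiting how long an item may sit in a cart and how many times one shopper may add it, can be implemented as a stock reservation with expiring holds. The following is an added example written for this article (not code from any store platform); the item name, the 600-second hold and the add limit of 3 are assumed values, and the clock is injectable so the expiry logic can be tested without waiting.

```python
import time


class Cart:
    """Reserve stock with two limits: a hold expires after hold_seconds, and one
    shopper may add a given item at most max_adds times, so a bot that fills a
    cart and never checks out cannot keep stock away from real shoppers."""

    def __init__(self, stock, hold_seconds=600, max_adds=3, clock=time.time):
        self.stock = dict(stock)        # sku -> units currently available
        self.hold_seconds = hold_seconds
        self.max_adds = max_adds
        self.clock = clock              # assumed injectable clock for testing
        self.holds = []                 # (shopper, sku, qty, expires_at)
        self.add_counts = {}            # (shopper, sku) -> number of adds

    def _expire(self):
        """Return the units of every expired hold to the available stock."""
        now = self.clock()
        live = []
        for shopper, sku, qty, expires_at in self.holds:
            if expires_at <= now:
                self.stock[sku] += qty
            else:
                live.append((shopper, sku, qty, expires_at))
        self.holds = live

    def available(self, sku):
        """Units a new shopper can actually buy right now."""
        self._expire()
        return self.stock.get(sku, 0)

    def add(self, shopper, sku, qty=1):
        """Reserve qty units; False if stock is gone or the add limit is hit.
        The limit counts every add, so re-adding after expiry is capped too."""
        self._expire()
        key = (shopper, sku)
        if self.add_counts.get(key, 0) >= self.max_adds:
            return False
        if self.stock.get(sku, 0) < qty:
            return False
        self.stock[sku] -= qty
        self.add_counts[key] = self.add_counts.get(key, 0) + 1
        self.holds.append((shopper, sku, qty, self.clock() + self.hold_seconds))
        return True

    def checkout(self, shopper):
        """Turn the shopper's live holds into a sale; returns units sold."""
        self._expire()
        sold = [h for h in self.holds if h[0] == shopper]
        self.holds = [h for h in self.holds if h[0] != shopper]
        return sum(h[2] for h in sold)


if __name__ == "__main__":
    cart = Cart({"sneaker-42": 2})      # constructed sample inventory
    print(cart.add("bot", "sneaker-42", 2), cart.available("sneaker-42"))
```

A real shop would keep the holds in the database or cache shared by all web nodes and key the add counter on something harder to rotate than a session, such as an account plus payment fingerprint.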
Cybercriminal technology does not stand still. Many hackers are targeting e-commerce, which is where colossal investments are being made. But by applying security measures, the owners of online stores are able to protect their business. It is extremely important to encrypt the data that flows between the company's web server and the customer's browser. To do this, they usually install an SSL certificate, which protects consumers during online payments. Also, you should not store highly confidential information on the server, especially customers' credit card data. At least, that's what the PCI security standard (PCI DSS) requires.
To protect yourself from attacks, you can constantly monitor and test your system for vulnerabilities. And if you are worried about Trojans, the best solution is to install a firewall. This network layer sends notifications when there is suspicious activity on the server.
Finally, it is important to implement additional layers of protection on the pages of the online store, which are responsible for the registration process of the buyer, the contact form and requests (search).