Cyber criminals witnessed 2020's unprecedented rush to online sales by businesses in retail and B2B verticals and were in lock-step, shifting their attacks to take advantage of the trend.
E-Commerce Attacks Rising Sharply as Businesses Move to Online Sales
If 2020 has done nothing else, it has pushed the importance and growth of e-commerce to the forefront for a large portion of the retail and product verticals.
Businesses in retail and B2B verticals crushed by physical store closures rushed into online sales this year to recoup the staggering losses caused by lockdowns and social distancing restrictions. In some cases, organizations found themselves with no income for a period of time and had no choice but to expand quickly online. Cyber criminals witnessed this unprecedented migration and were in lock-step, shifting their attacks to take advantage of the changing trend. “Card not present” fraud certainly became more prevalent this year as online sales began to grow.
Speed to market, while a market share winner much of the time, can also leave risk management and other IT controls awash in the wake of deployment speed. Cyber criminals attacked unpatched or insecure versions of the content management systems used by e-commerce sites. The attacks used many techniques, including malware, credential stuffing, phishing, and website exploitation.
Certainly, the most public e-commerce campaign over the past few quarters has been the “Magecart” web skimming attacks, which inject JavaScript code into e-commerce sites to steal credit card data. The TikTok craze has been one of the more popular lures this year, with one campaign netting over $500,000 in e-commerce revenue through TikTok profiles distributing poisoned apps.
Another major trend affecting e-commerce firms that seek to re-engage their brick-and-mortar customers digitally has been for outside parties to monitor legitimate price reductions or coupon offers made to customers and to use bot networks to automatically acquire the supply and resell it for a profit on the open market. While not necessarily criminal activity, this severely restricts the broader customer base's access to the discounts, while the business still gives up the profit margin it offered through the discount.
On the Fintech side of the e-commerce sector, we saw an increase in “back of the house” attacks seeking to steal user credentials and to establish illegitimate remote access using more sophisticated and targeted code. This persistence shows a dedication to staying in place and developing a longer-term foothold for mining the compromised company. This is a departure from the megatrend of ransomware and its “Hit & Run” mentality, which has been highly profitable.
Sensitive Business Assets at Risk
Economic crime targeting the e-commerce sector is on the rise, primarily because of the sector's recent growth and because of the speed of adoption by businesses without all the necessary safeguards in place.
In e-commerce environments where valuable PII is common, there continues to be a threat from Eastern European and other cyber actors who typically scour the internet looking for open systems to invade. The goals are typically the acquisition and resale of PII such as credit cards, PINs, card holder information, etc.
Ransomware is now a very viable standalone threat campaign for e-commerce, given the richness of data within the environment and the importance of keeping it working and highly available. We are able to track the increased interest in this area by watching the new and rising number of South American and other hacker attacks against e-commerce environments globally, and as these campaigns mature, they tend to make their way to North American organizations.
Getting Strategy Right
The Apollo strategy and roadmap development methodology creates exceptional focus on the business and links the value-creating activities of the organization to the security priorities developed and deployed to maximize risk reduction impact and cost optimization.
The alignment of business-critical assets, such as e-commerce platform availability or customer PII, at the investment level brings hyper-focus to the risk and investment trade-off choices that need to be evaluated. E-commerce environments share major cyber risks with many verticals, but risks that are less common across verticals include the following.
Advanced Digital Transformation
While this is an overused concept, nowhere is this more real than in the e-commerce space given the changes that are happening in e-commerce platforms, the big data lakes, and the third-party partners. Legacy application interconnectivity is common in traditional e-commerce, and while this has many risks, the battleground seems to have shifted to customer platforms and payment gateways.
While the public-facing sites are under attack, strikes seeking persistent back-end access are also on the rise, which requires an enterprise-wide security strategy to find and prioritize the relevant company crown jewels in the short term.
In digital transformation, the goals of both enhancing technology and mining business-rich data are equally important. E-commerce provides a rich set of customer data, behavior, and preference information. Good security plans consider the implications of the following.
Technology Enhancement Plan
As value increases between e-commerce data sources, ERP systems, and big data lakes, the architecture, system integration, data protection, access control, and system integrity that enterprises deploy must follow a defined strategy to ensure the environment gets the appropriate protection during changing conditions.
Data Extraction and Movement Needs
In e-commerce, much of the created value is in the data extracted and analyzed in the organization’s big data engine. The movement of data to the lake and the creation of data governance and stewardship are critical to maintaining that value for the company. The increasing role of data privacy and the security of individual PII require detailed governance plans and systems to automate processes so the organization can scale and still meet regulatory obligations.
Skills and Capabilities Needed to Meet New and Future Operational States
Once the e-commerce transformation is complete, new security team capabilities are often required to protect the organization, which now interacts technologically differently than it did before. If the company has developed an online digital marketing capability or begun deploying mobile apps to reach its customers and consumers, defending these takes skills beyond those needed for the internal data network. Evolving the cybersecurity program to ensure it has the skills needed to deliver today and tomorrow will increase the organization’s ability to be competitive and protect its valued assets.
Linking enterprise e-commerce and security intelligence together to harness the power of the data and understanding the changing threat landscape can unlock business agility and allow the organization to take bolder risks. Good security is table stakes for competitive e-commerce firms today.
So, it’s not just mining the data for business advantage, it’s having a security program with a similar level of visionary understanding of the threats that face the organization wherever it does business.
Typical High Maturity Security Programs for E-commerce Businesses
At the end of the day, e-commerce sites need to be running to make the organization money, and ransomware attacks against e-commerce environments are on the rise.
One of the most prudent program expenditures an organization can make today is a robust ransomware defense program, including the technology, procedures, and preventative systems to keep the threat out. With that said, there is a developing range of obfuscation technologies that can drastically reduce the risk to traditionally high-cost remediation environments.
Defining an architecture that both enables increased data flow intensity and meets enhanced security needs is the role of e-commerce security architecture. E-commerce can be challenging due to the speed and velocity of data flow. Applying sound security architecture skills, assessments, and design principles is still possible and will deliver the greatest overall value to the organization as the e-commerce environment evolves and faces increased security threats.
Web Platform Vulnerability Management
The battleground in e-commerce is the customer interface point. Application coding, vulnerability management, platform security, fraud, account takeover, and security monitoring are all critical. Account takeover and the associated fraud can be a reputation killer and drive up customer service and reputation issues. Site coding security can directly determine the ability to protect customer PII and business reputation. The ability to monitor changes in security risks in real time is critical for timely incident response.