E-COMMERCE CYBERSECURITY

ACID Technologies helps e-commerce businesses protect themselves by detecting the first signs of an impending cyberattack – as early as in its planning stage, and providing real-time, detailed alerts that enable the targeted businesses to implement effective preventive measures

The growing need for e-commerce cybersecurity

E-commerce sites are an attractive target for cybercriminals due to the vast amount of PII (personally identifiable information) they acquire, including the names, addresses, phone numbers, in some cases birth dates, and, of course, credit card information of consumers.

Greatly increased online shopping during the Covid-19 pandemic lockdowns – a 24% hike in 2020 – has made e-commerce websites an even more appealing target, as evidenced by a 300% increase in the number of attacks in less than a year from the start of the pandemic.
ECOMMERCE CYBERSECURITY

These sites remain attractive, as many consumers have changed their shopping habits and continue to do much more of their buying online than before the outbreak of the pandemic. The period leading up to holiday seasons presents a particular challenge, as sales soar.

Furthermore, the more prevalent use of alternative payment methods, such as digital wallets and BNPL (Buy-Now-Pay-Later), are creating new fraud risks, which must also be taken into consideration.

E-commerce cybersecurity is a necessity for e-commerce business owners

E-commerce sites continue to be relentlessly targeted by cybercriminals, undeterred by the new technologies some of these sites have added. They continue to try to find vulnerabilities to exploit in order to achieve their goal. When attacks are successful, they have the potential to cause heavy financial losses, as well as severe harm to reputation, which highlights the critical need of e-commerce businesses to ensure that they implement adequate authentication and data encryption measures.

The global cost of e-commerce fraud in 2023 is predicted to amount to       $48B

(Juniper Research, 2021)

An estimated 3% of e-commerce attacks, costing $6B, bypass security measures each year

(DUE)

Juniper Research, a market research, forecasting and consulting company, predicated that the cost incurred by merchants globally due to e-commerce fraud will increase from slightly more than US$ 41 billion in 2022 to more than US$ 48 billion in 2023.

DUE claims that as many as 3% of e-commerce attacks overcome the security measures implemented by companies, costing approximately US$ 6 billion a year.

Main threats addressed by ACID’s e-commerce cybersecurity solution

ACID protects its e-commerce clients from a diverse range of threats, including the following:

  • e-skimming: In this type of attack, the hacker injects a skimming code into the pages of the e-commerce site in which the credit cards are processed and steals the data in real-time.
  • Supply chain attacks: Supply chain attacks are becoming more common, with cybercriminals targeting the software supply chain in order to insert malicious code and access personal information and/or credit card data. They often do so by hiding their code in legitimate updates. A successful attack may impact thousands of victims.
  • Automated bots: These bots try to complete transactions using stolen credit card details. A 12-month analysis conducted by Imperva Research Labs reveals that in 2021, 57% of all cyberattacks targeting e-commerce websites were executed by bots, far above the rate in other industries (33%).
  • Credential stuffing attacks are also used against e-commerce websites. In these types of attacks, hackers who have already obtained credentials required to complete a transaction in a previous attack use the information to log into an e-commerce website. The two attacks are not necessarily related to one another; this is an attack exploiting an opportunity to use the same data for additional nefarious purposes. Credential stuffing is facilitated by the fact that many people – according to some sources, up to 70% of users – use the same password to log into several different websites. It should be noted that credential stuffing is difficult to distinguish from authentic user activity, as the credentials used in these attacks are legitimate user credentials, which makes the detection an even more complex task. DUE reports that 90% of global login traffic results from such attacks. The State of the Internet 2018 report issued by Akamai states that in May and June 2018 alone, 8.3 billion malicious login attempts were identified.
  • Ransomware attacks are not necessarily the first that come to mind in the context of e-commerce, as it is generally believed that e-commerce businesses are targeted for theft of personal and credit card data.
  • SQL injection attacks – in these types of attacks hackers attack the query submission forms in order to access the backend database, then proceed to corrupt it and collect data.
  • Cross-site scripting (XSS) attacks are attacks in which cybercriminals manipulate a vulnerable e-commerce website to that it returns malicious JavaScript to users. The execution of this action in the victim’s browser allows compromising their interaction with the application.
  • Phishing attacks are carried out also against e-commerce sites.
  • DDoS (Distributed Denial of Service) attacks on e-commerce sites are launched to disrupt operation, as in other types of websites.

Examples of e-commerce attacks that could have potentially been prevented with an effective e-commerce cybersecurity solution

X-Cart: In late 2022, a ransomware attack was perpetrated against the e-commerce platform X-Cart. The attack seems to have been caused by the exploitation of a vulnerability in a third-party software, through which X-Cart’s store hosting systems were accessed. According to the company, the attacker accessed and encrypted a small number of servers, affecting X-Cart stores running on the affected systems.

Acro: The Japanese beauty products e-commerce company announced in 2022 that it had sustained a data breach which potentially affected customers who had made purchases on its websites in a 15-month period between May 2020 and August 2021. As a result of the attack, the details of close to 104,000 payment cards used to purchase items on its Amplitude website, and more than 89,000 payment cards used to purchase goods on its Three Cosmetics website, were compromised. The data accessed by the attackers included the names of the cardholders, and the payment cards’ numbers, security codes and expiry dates.

Tupperware: In 2020, an e-skimming attack was perpetrated against the main website of Tupperware, a large multinational company based in the USA. The website is visited by approximately 1 million online customers each month. Some of the local websites the company operates in various countries around the world were also targeted. The attackers injected a payment card skimmer into the checkout page in order to steal credit card details. Although detected in March 2020, it is unclear when the attack was actually first launched.

Researchers were impressed at the cybercriminals’ skill in hiding the malicious code in a PNG file image for a FAQ icon, which, when clicked, loaded the fake payment form. However, they were surprised that the hackers did not create versions of the fake form in the different languages for the foreign websites.

The benefits of ACID’s e-commerce cybersecurity solution

ACID offers an exceptionally cost-effective solution that helps e-commerce site operators protect themselves from cyberattacks, keep their data safe, and potentially avoid serious financial implications, as well as harm to their reputation.

ACID deploys clusters of bots and implements advanced AI algorithms in order to detect the first signs of an attack in the clear, deep and dark web, as well as in multiple other sources, as early as in its initial planning phase. Once such signs are detected, ACID alerts the targeted company in real time, providing all the available information – including screenshots of threats detected on the dark web, which clients may be reluctant or incapable of accessing themselves. ACID continues to monitor the sources, using client-specific keywords in several languages, and provides updates with any additional data as it becomes available. While ACID regularly scans a very large number of sources, if the client wishes to add additional ones that are particularly relevant for it, this possibility is offered as well.

Additionally, ACID conducts widespread monitoring activities to detect any stolen data that may be offered for sale, indicating that a company has already been breached, to enable it to take appropriate action and stop the theft.

The valuable, continuously updated information provided by ACID in real time helps the targeted e-commerce businesses prepare and implement effective countermeasures, mitigate the potential impact of the attack, and possibly thwart it altogether.