The holiday shopping season is upon us! With the holidays fast approaching, we are already seeing special offers and sales popping up online. And when you throw COVID-19 into the mix, we can expect an unusual shopping season.
Social distancing has made consumers rethink their shopping habits, and what was once done in-store has moved online. In fact, eCommerce sales have grown by roughly 32% during the pandemic.
With December just around the corner, we can expect these figures to rise even higher. Even if all lockdowns were lifted during the holiday season, people are still hesitant to go out and mingle with strangers. This is one of many reasons why we can expect an even larger conversion to online shopping. Even major retail stores like Walmart are realizing that this year will not be the same, and will be closing down on Black Friday—one of the biggest shopping days of the year.
For most online retailers, the pandemic (although obviously a tragic situation overall) has had a positive effect on their businesses. But as always, there are cybercriminals trying to take advantage of this situation. Ecommerce sites must be more vigilant than ever to protect themselves.
Let’s review the most serious threats we expect this shopping season.
DDoS (Distributed Denial of Service)
DDoS extortion is a favorite tactic of cybercriminals. Their threats are straightforward: “Pay us a ransom, or we will take your site offline until you do. Meanwhile, you’ll lose a massive amount of revenue.”
Historically, this attack is most effective, and therefore waged most frequently, during the holiday shopping season, when every hour of downtime costs the most revenue and the pressure to pay is highest. Now that even more shopping activity is moving online due to the pandemic, we can expect attackers to target online retailers more vigorously than ever.
Credit Card Fraud
This is a common threat, especially during the holiday season. Hackers use a variety of methods to steal card numbers. The numbers are later used fraudulently, which results in lost revenue and chargebacks for the unfortunate merchant.
To steal card data, bots scan retailers and other sites that process payments for exploitable vulnerabilities. When one is found, the attacker breaches the site and exfiltrates the data. A single successful attack can produce a windfall of cards: thousands, or even tens of thousands, of active numbers.
The scale of online credit card abuse is illustrated by the prevalence of “card not present” fraud. It is growing partly because of the rise of EMV chip cards: EMV makes counterfeiting physical cards much harder, which discourages criminals from monetizing stolen numbers by printing them onto plastic. So more criminals monetize their stolen numbers online instead, where the chip is never checked.
Gift Card Fraud
Criminals steal gift card numbers using methods similar to credit card fraud; they also use bots to submit guessed numbers to balance-check or redemption forms until valid ones are found. Validated card numbers are then used to purchase goods, or are sold for cash through various online services. Criminals use the same guessing technique for coupon code discovery; while not as outright fraudulent as the above, it still has a direct impact on revenue.
Attackers also use credential stuffing (see Credential Attacks, below) to take over loyalty/reward accounts and drain their balances—potentially extracting funds from customers’ linked debit cards.
Credential Attacks
Valid user credentials (e.g., sets of usernames and passwords) are highly coveted commodities on the dark web. Hackers harvest credentials by sending out bots to wage brute-force attacks against login pages. In practice these bots do not try every possible combination of letters, numbers, and symbols (that would take far too long against any reasonable password); they try lists of common passwords against one account, or a few likely passwords against many accounts (“password spraying”), and keep whatever works. Or, they steal credential sets (personal identification data, account logins and passwords, contact data, etc.) in massive data breaches.
Valid credentials can then be used in a variety of cyberattacks, and can also be sold in illicit marketplaces for others to use. Credentials can allow attackers to take over the affected accounts within the targeted web application. Another common attack is to use bots to “stuff” the credentials into the login pages of many other web applications (especially high-value targets like bank websites, payment providers, and so on). Unfortunately, many people still use the same credentials across a variety of websites. Therefore, credential stuffing allows an attacker to leverage a single data breach into the successful takeover of multiple accounts across different websites.
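As an added example (not Reblaze’s code and not part of the original post), here is the kind of detection logic a security team would run over login and gift-card traffic to tell the two patterns apart: credential stuffing and gift-card number enumeration (described under Gift Card Fraud above) show one source failing against many different identifiers, while classic brute force shows one source failing repeatedly against a single identifier. The log format, field names, thresholds and IP addresses are constructed for the illustration and are not a real product’s log format.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample log (not real traffic). One event per line:
#   <unix_ts> <src_ip> <endpoint> <identifier> <outcome>
# identifier is the username on /login and the gift card number on
# /giftcard/balance; outcome is OK or FAIL. Card numbers are made up.
SAMPLE_LOG = """\
1700000000 203.0.113.10 /login alice FAIL
1700000001 203.0.113.10 /login bob FAIL
1700000002 203.0.113.10 /login carol FAIL
1700000003 203.0.113.10 /login dave OK
1700000004 203.0.113.10 /login erin FAIL
1700000005 203.0.113.10 /login frank FAIL
1700000006 203.0.113.10 /login grace FAIL
1700000007 203.0.113.10 /login heidi FAIL
1700000010 198.51.100.7 /login alice FAIL
1700000011 198.51.100.7 /login alice FAIL
1700000012 198.51.100.7 /login alice FAIL
1700000013 198.51.100.7 /login alice FAIL
1700000014 198.51.100.7 /login alice FAIL
1700000015 198.51.100.7 /login alice FAIL
1700000020 192.0.2.44 /giftcard/balance 6006490000000001 FAIL
1700000021 192.0.2.44 /giftcard/balance 6006490000000002 FAIL
1700000022 192.0.2.44 /giftcard/balance 6006490000000003 FAIL
1700000023 192.0.2.44 /giftcard/balance 6006490000000004 FAIL
1700000024 192.0.2.44 /giftcard/balance 6006490000000005 FAIL
1700000025 192.0.2.44 /giftcard/balance 6006490000000006 FAIL
1700000030 198.51.100.200 /login bob FAIL
1700000040 198.51.100.200 /login bob FAIL
1700000050 198.51.100.200 /login bob OK
"""


@dataclass(frozen=True)
class Event:
    ts: int
    ip: str
    endpoint: str
    ident: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format above into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, endpoint, ident, outcome = line.split()
        events.append(Event(int(ts), ip, endpoint, ident, outcome == "OK"))
    return events


def detect(events, window=60, min_failures=5, enum_ratio=0.8):
    """Flag (ip, endpoint) pairs that fail at least min_failures times in `window` seconds.

    If most of those failures carry *different* identifiers, the source is
    stuffing a list: leaked credentials on /login, guessed numbers on
    /giftcard/balance. If they hammer one identifier, it is brute force.
    Successful requests from a flagged source are returned as likely hits
    (account takeovers or valid gift cards) for follow-up.
    """
    recent = defaultdict(deque)          # (ip, endpoint) -> failed events in window
    alerts = {}
    ordered = sorted(events, key=lambda e: e.ts)
    for ev in ordered:
        if ev.ok:
            continue                     # successes alone are not evidence
        key = (ev.ip, ev.endpoint)
        q = recent[key]
        q.append(ev)
        while ev.ts - q[0].ts > window:  # drop failures older than the window
            q.popleft()
        if len(q) < min_failures:
            continue
        distinct = len({e.ident for e in q})
        if distinct / len(q) >= enum_ratio:
            kind = "credential_stuffing" if ev.endpoint == "/login" else "enumeration"
        else:
            kind = "brute_force"
        alerts[key] = {"kind": kind, "failures": len(q), "distinct": distinct}
    hits = [ev.ident for ev in ordered if ev.ok and (ev.ip, ev.endpoint) in alerts]
    return {"alerts": alerts, "hits": hits}


if __name__ == "__main__":
    report = detect(parse_log(SAMPLE_LOG))
    for (ip, endpoint), a in report["alerts"].items():
        print(f"{ip} {endpoint}: {a['kind']} "
              f"({a['failures']} failures against {a['distinct']} identifiers)")
    print("successful requests from flagged sources:", report["hits"])
```

The thresholds are deliberately low so the sample data trips them; in production the window and failure count are tuned per endpoint, and the “hits” list is what matters most, because a login that succeeded from a stuffing source is an account that needs a forced password reset, not just a blocked IP. Note also that the shopper at 198.51.100.200 who mistypes twice and then logs in is not flagged, which is the false positive this kind of rule must avoid during a holiday traffic peak.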
Inventory Hoarding (Denial of Inventory)
Web applications that offer online purchasing or reservations are vulnerable to inventory hoarding when hostile bots make inventory unavailable to legitimate customers. For example, inventory-denial bots attack retail sites by adding products to shopping carts, which reserves the stock, but never complete the purchases; genuine shoppers then see the item as sold out.
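As an added example (not Reblaze’s code and not part of the original post), the following simulation shows the two server-side controls that limit the damage from cart-based inventory denial: a cap on how many units one cart may hold, and a time limit after which an unpaid hold is released back to stock. The Inventory class, its method names and the stock figures are hypothetical; the scenario also shows why the per-cart cap alone is not enough, since a bot simply spreads its holds across many carts.

```python
import time
from dataclasses import dataclass


class OutOfStock(Exception): pass
class HoldLimitExceeded(Exception): pass
class HoldExpired(Exception): pass


@dataclass
class Hold:
    qty: int
    expires_at: float


class Inventory:
    """Hypothetical stock ledger in which cart additions are time-limited holds."""

    def __init__(self, stock, hold_ttl=600, max_per_cart=2, clock=time.monotonic):
        self.stock = dict(stock)        # sku -> units neither held nor sold
        self.holds = {}                 # cart_id -> {sku: Hold}
        self.hold_ttl = hold_ttl        # seconds a cart may hold an item unpaid
        self.max_per_cart = max_per_cart
        self.clock = clock              # injectable so the demo can fast-forward

    def _release_expired(self):
        """Return units from lapsed holds to stock; carts that never pay lose them."""
        now = self.clock()
        for cart_id, items in list(self.holds.items()):
            for sku, hold in list(items.items()):
                if hold.expires_at <= now:
                    self.stock[sku] += hold.qty
                    del items[sku]
            if not items:
                del self.holds[cart_id]

    def available(self, sku):
        self._release_expired()
        return self.stock[sku]

    def add_to_cart(self, cart_id, sku, qty):
        self._release_expired()
        items = self.holds.get(cart_id, {})
        already = items[sku].qty if sku in items else 0
        if already + qty > self.max_per_cart:
            raise HoldLimitExceeded(f"{cart_id}: at most {self.max_per_cart} x {sku} per cart")
        if self.stock[sku] < qty:
            raise OutOfStock(sku)
        self.stock[sku] -= qty
        # Re-adding does not extend the deadline, so a bot cannot keep a hold alive.
        expires = items[sku].expires_at if sku in items else self.clock() + self.hold_ttl
        self.holds.setdefault(cart_id, {})[sku] = Hold(already + qty, expires)
        return self.stock[sku]

    def checkout(self, cart_id):
        """Turn the cart's live holds into a sale; lapsed holds cannot be checked out."""
        self._release_expired()
        items = self.holds.pop(cart_id, None)
        if not items:
            raise HoldExpired(cart_id)
        return {sku: hold.qty for sku, hold in items.items()}


class FakeClock:
    """Manual clock standing in for time.monotonic in the simulation."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate():
    """Bots hoard a 10-unit product across several carts and never pay."""
    clock = FakeClock()
    inv = Inventory({"console": 10}, hold_ttl=600, max_per_cart=2, clock=clock)
    out = {}
    try:                                   # one cart cannot grab a large quantity
        inv.add_to_cart("bot-0", "console", 3)
        out["bulk_grab"] = "allowed"
    except HoldLimitExceeded:
        out["bulk_grab"] = "denied"
    for i in range(5):                     # ...but five carts of 2 still drain the stock
        inv.add_to_cart(f"bot-{i}", "console", 2)
    out["after_hoard"] = inv.available("console")
    try:
        inv.add_to_cart("shopper", "console", 1)
        out["shopper_first_try"] = "ok"
    except OutOfStock:
        out["shopper_first_try"] = "out_of_stock"
    clock.advance(601)                     # bots never pay; the holds lapse
    out["after_expiry"] = inv.available("console")
    inv.add_to_cart("shopper", "console", 1)
    out["shopper_order"] = inv.checkout("shopper")
    try:
        inv.checkout("bot-0")
        out["bot_checkout"] = "ok"
    except HoldExpired:
        out["bot_checkout"] = "expired"
    out["stock_left"] = inv.available("console")
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The hold timeout bounds how long a hoarding bot can keep an item off the shelf, and a short timeout on hot items during a sale is the single most effective setting here; but the legitimate shopper still saw “out of stock” for the whole window, which is why the cap and timeout need to be paired with bot detection at the edge rather than relied on alone.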
Scraping and Data Theft
Scraper bots steal data from online sources. Retail sites contain prices and other product data which, when stolen, can destroy a competitive advantage. Other forms of data, such as customer reviews, are also commonly stolen and published elsewhere, reducing the uniqueness and appeal of the retailer that generated them.
Unfortunately, the threats listed above are only some of the issues that online retailers need to know about, and protect themselves from. You can read more about them in our State of the Bot Protection Report.
Protecting Your Platform (and Your Customers Too)
As COVID-19 has spread across the world and Internet usage has skyrocketed, cyberattacks have risen with it. COVID-19 related cyberattacks have been reported to rise from a few thousand to more than 200,000 per week. According to a report by eConsumer.gov, consumers have lost more than $3.2 million to COVID-19 scams.
Clearly, robust security is necessary for your online presence—not only for your sake, but also for your customers. Here are some important aspects of keeping your web apps secure.
Preventing fraudulent activity can, among other things, ensure all transactions made on your site are legitimate. This is an important part of minimizing refunds and chargebacks, not to mention bad reviews, consumer complaints, and other strikes against your reputation.
As a website owner, you know that special sales and deals can give you an advantage over your competition. Your competitors know this too, and they are very interested in what you are doing. This is why it’s important to prevent data scraping, which can help keep customers on your site rather than going to your competitors. Make sure that your secret sale stays a secret!
Let’s say that you usually get around 1,000 visitors per hour on your website, and your servers can handle this load comfortably. But what happens when you get 10,000 visitors an hour? If you aren’t prepared, your site may go down under the increased traffic. But here’s an even worse situation: imagine that your site stayed up, but your security solution did not scale with it, and unfiltered attack traffic was able to pass through your defenses at exactly the moment the attack traffic is heaviest.
You can avoid this by using a security solution that is fully managed (i.e., you don’t need to do anything—the vendor maintains your security 24/7), and also can scale automatically. This means your security solution will always be up-to-date, will always have enough capacity to handle the current traffic load, and will always be protecting your platform.
We can’t know for sure what this shopping season will look like, but it seems clear that the number of people shopping online will increase dramatically. We can expect the number of cyberattacks to increase too. Fortunately, as long as you prepare correctly, you’ll be able to serve all your customers safely, and reap all the benefits of their upcoming shopping activities.
Reblaze offers you the best protection on the market—the same protection that we supply to eCommerce brands like eBay, PNI Media, PizzaPizza, Reebonz, and more. We can keep your online store safe and available, with our cloud-native web security platform that’s fully compliant with major standards and regulations including PCI DSS, SOC 2 and GDPR.