The 5 Top Attacks Made On E-commerce Sites

One of the more startling statistics concerning COVID-19 and the lockdowns is the dramatic increase in e-commerce activity:
COVID-19 has massively accelerated the growth of e-commerce, according to an Adobe report released today. Total online spending in May hit $82.5 billion, up 77% year-over-year.
John Koetsier, COVID-19 Accelerated E-Commerce Growth ‘4 To 6 Years’
There’s not an industry that hasn’t been touched… conferences went virtual, schools moved to learning management and online, stores moved to pick up and delivery, restaurants added take-out, and even B2B companies transformed their buying experience to provide prospects with the tools to self-serve their transactions online.
E-commerce Growth and Security Risks
As with any mass adoption, the criminals follow the money… and there’s a lot of money in e-commerce fraud. According to Signal Sciences, cyber crimes will result in more than $12 billion in losses in 2020. As new companies move to e-commerce, it’s essential that they include security in their transition… before it costs them their business.
The Top 5 E-commerce Attacks
- Account Takeover (ATO): Also known as account takeover fraud, ATO is responsible for about 29.8% of all fraudulent losses. In an ATO attack, fraudsters obtain user login credentials to take over online accounts, which lets them acquire credit card data or make unauthorized purchases using the user’s account. ATO fraud may utilize automated scripts that enter credentials en masse, or a human may type the credentials and access the account. Orders may be delivered to monitored delivery addresses where the products are taken, used, or sold for cash. Username and password pairs are often sold in bulk or traded on Dark Web marketplaces. Because so many people use the same login and password on multiple sites, scripts are used to test the username and password pairs across other sites.
- Chatbot Imposter: Bots are becoming a critical element of e-commerce sites, allowing users to engage with the companies, navigate through intelligent responses, and speak directly to representatives. Because of their popularity, they’re also a target and are responsible for 24.1% of all fraudulent activity. Users can’t discern the difference between a legitimate chatbot and a nefarious one that may be opened on the page. Using adware or web script injections, fraudsters may display a fake pop-up chatbot and then extract as much sensitive information from the user as possible.
- Backdoor Files: Cyber criminals install malware on your e-commerce site through unsecured entry points, such as outdated plug-ins or input fields. Once they make an entry, they have access to all your company’s data, including customers’ personally identifiable information (PII). That data can then be sold or used to access user accounts. 6.4% of all attacks are backdoor file attacks.
- SQL Injection: Online forms, URL query strings, or even chatbots provide data entry points that may not be hardened and can provide a gateway for hackers to query back-end databases. Those queries can extract personal information from the database where the site information is maintained. 8.2% of all attacks are made with SQL injections.
- Cross-Site Scripting (XSS): XSS attacks enable attackers to inject scripts via the user’s browser into web pages viewed by other users. This enables the hackers to bypass access controls and access PII.
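One way to spot the automated credential testing described under Account Takeover, as an added example that is not part of the original article. The log format, field names, and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed login events, one per line: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2020-06-01T10:00:01 203.0.113.7 alice FAIL
2020-06-01T10:00:02 203.0.113.7 bob FAIL
2020-06-01T10:00:03 203.0.113.7 carol FAIL
2020-06-01T10:00:04 203.0.113.7 dave OK
2020-06-01T10:00:05 203.0.113.7 erin FAIL
2020-06-01T10:00:06 203.0.113.7 frank FAIL
2020-06-01T10:03:10 198.51.100.20 alice FAIL
2020-06-01T10:03:25 198.51.100.20 alice OK
2020-06-01T10:05:00 192.0.2.55 grace OK
"""

def flag_credential_stuffing(log_text, min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct usernames and mostly fail.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    stats = defaultdict(lambda: {"users": set(), "hits": set(), "total": 0, "ok": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _ts, ip, user, result = fields
        s = stats[ip]
        s["users"].add(user)
        s["total"] += 1
        if result == "OK":
            s["ok"] += 1
            s["hits"].add(user)

    flagged = {}
    for ip, s in stats.items():
        if len(s["users"]) >= min_users and s["ok"] / s["total"] <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["total"],
                # Accounts that accepted a login from a flagged source need review.
                "accounts_to_review": sorted(s["hits"]),
            }
    return flagged

if __name__ == "__main__":
    for ip, info in flag_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

A customer who mistypes a password once and then logs in is not flagged, because the check keys on many distinct usernames from one source rather than on failures alone.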
Here’s a great infographic that includes the methods, patterns, and defensive measures your company must be aware of and incorporate into any e-commerce strategy.
