One of the more startling statistics with respect to COVID-19 and the lockdowns is the dramatic increase in e-commerce activity:
COVID-19 has massively accelerated the growth of e-commerce, according to an Adobe report released today. Total online spending in May hit $82.5 billion, up 77% year-over-year.
There’s not an industry that hasn’t been touched… conferences went virtual, schools moved to learning management and online, stores moved to pickup and delivery, restaurants added take-out, and even B2B companies transformed their buying experience to provide prospects with the tools to self-serve their transactions online.
E-commerce Growth and Security Risks
As with any mass adoption, the criminals follow the money… and there’s a lot of money in e-commerce fraud. According to Signal Sciences, cyber crimes will result in more than $12 billion in losses in 2020. As new companies move to e-commerce, it’s essential that they include security in their transition… before it costs them their business.
The Top 5 E-commerce Attacks
- Account Takeover (ATO) – also known as account takeover fraud, ATO is responsible for about 29.8% of all fraudulent losses. In an ATO attack, fraudsters obtain user login credentials to take over online accounts. This enables them to acquire credit card data or make unauthorized purchases using the user’s account. ATO fraud may use automated scripts that enter credentials en masse, or a human may type them in and access the account. Orders may be delivered to monitored delivery addresses where the products are taken and used or sold for cash. Username and password pairs are often sold in bulk or traded on Dark Web marketplaces. Because so many people reuse the same login and password, scripts are used to test those username and password pairs across other sites.
- Chatbot Imposter – bots are becoming a critical element of e-commerce sites for users to engage with the companies, navigate through intelligent responses, and speak directly to representatives. Because of their popularity, they’re also a target and are responsible for 24.1% of all fraudulent activity. Users can’t discern the difference between a legitimate chatbot and a nefarious one that may be opened on the page. Using adware or web script injections, fraudsters may display a fake pop-up chatbot and then extract as much sensitive information from the user as they can.
- Backdoor Files – Cyber criminals install malware on your e-commerce site through unsecured points of entry, such as outdated plug-ins or input fields. Once they gain entry, they have access to all your company’s data, including customers’ personally identifiable information (PII). That data can then be sold or used to gain access to user accounts. 6.4% of all attacks are backdoor file attacks.
- SQL Injection – online forms, URL query strings, or even chatbots provide data entry points that may not be hardened and can provide a gateway for hackers to query back-end databases. Those queries can be used to extract personal information from the database where the site information is maintained. 8.2% of all attacks are made with SQL injections.
- Cross-Site Scripting (XSS) – XSS attacks enable attackers to inject scripts via the user’s browser into web pages viewed by other users. This enables the hackers to bypass access controls and access personally identifiable information (PII).
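The scripted credential testing described under Account Takeover leaves a recognizable trace in login logs: one source trying many different usernames in a short time with few successes. The following is an added example, not from the original article or from Signal Sciences, showing one way to flag that pattern and list the accounts that need review; the log events, thresholds, and function name are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, source IP, username, success).
# IP addresses come from the reserved documentation ranges.
EVENTS = [
    ("2020-06-01T10:00:01", "203.0.113.7", "alice", False),
    ("2020-06-01T10:00:03", "203.0.113.7", "bob", False),
    ("2020-06-01T10:00:05", "203.0.113.7", "carol", True),
    ("2020-06-01T10:00:07", "203.0.113.7", "dave", False),
    ("2020-06-01T10:00:09", "203.0.113.7", "erin", False),
    ("2020-06-01T10:00:11", "203.0.113.7", "frank", False),
    # One customer mistyping a password, then getting it right.
    ("2020-06-01T10:01:00", "198.51.100.20", "alice", False),
    ("2020-06-01T10:01:20", "198.51.100.20", "alice", False),
    ("2020-06-01T10:01:45", "198.51.100.20", "alice", True),
] + [
    # Shared office address: many users, but every login succeeds.
    (f"2020-06-01T10:02:0{i}", "192.0.2.5", f"staff{i}", True) for i in range(5)
]

def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, max_success_ratio=0.2):
    """Return {ip: [accounts that logged in during a flagged burst]}.

    A burst is flagged when one IP tries at least `min_users` distinct
    usernames inside `window` and at most `max_success_ratio` of those
    attempts succeed. Accounts that did succeed are likely compromised.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward so the burst spans <= window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            burst = attempts[start:end + 1]
            users = {user for _, user, _ in burst}
            hits = [user for _, user, ok in burst if ok]
            if len(users) >= min_users and len(hits) / len(burst) <= max_success_ratio:
                flagged.setdefault(ip, set()).update(hits)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    print(detect_stuffing(EVENTS))
```

Accounts returned for a flagged address are candidates for a forced password reset and a review of recent orders and delivery-address changes.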
Here’s a great infographic from Signal Sciences on The Rising Tide of E-commerce Fraud – including the methods, patterns, and defensive measures your company must be aware of and incorporate with any e-commerce strategy.