In 2021, the e-Commerce industry at large is still facing an unprecedented volume of cyberattacks. Recent hardening of application security measures has helped retail websites push back most botnet attacks, but the root of the problem remains a lack of basic cybersecurity knowledge.
Despite warnings and recommendations from industry think-tanks like the National Cyber Security Alliance, malicious actors continue to exploit zero-day threats in web APIs and popular eCommerce platforms.
In this threat environment, what is the best course of action for online retail sales moving forward? Indeed, businesses are investing in cybersecurity, yet hackers keep winning time after time.
Why? What are we not seeing in eCommerce-focused cyberattacks that may help us defend against future threats?
Let's look at recent cybersecurity incidents to get a better idea of the threat landscape this year.
Magento 1.x exploits – Web skimming on the rise
Magecart – the infamous cybersecurity gang in operation since 2016 – continues to make international headlines with its re-imagining of e-commerce attack vectors. Although assigning attribution to a single group of criminals is missing the point.
Thanks to the notoriety that Magecart-coded exploits have received over the years, online web skimming attacks rose 26 percent in 2020 as the COVID-19 pandemic took hold.
It was – and still is – the perfect environment for fraudsters to ply their trade.
COVID-19 forced millions of consumers worldwide to go online to purchase essentials like food and clothing for the first time, which only opens a wide door for hackers eager to take advantage of unwitting shoppers.
But how are hackers doing it exactly?
One attack vector that cybercriminals are using more frequently is when they compromise credit card payments and checkout cart pages.
The bottom line is this: it appears that web skimming malware is preying upon eCommerce sites that are derelict in transitioning away from Magento 1.x to more secure platforms.
Tupperware.com hack
According to Malwarebytes' State of malware Report 2021, the most notable web skimming hack exploited the payment checkout page for the e-commerce heavyweight Tupperware.com. Researchers remarked at how carefully hidden the code was and how much effort the cybercriminals took to remain undetected for some time.
The hackers were able to successfully obfuscate a rogue iframe to compromise payment processing, a relatively simple but effective method. The cybercriminals essentially hid the malicious code in a PNG file image for a FAQ icon; clicking on the icon then triggered the fake payment form to load.
Oddly, the hackers' biggest mistake was to only create the dummy pages in English and not make versions in different languages to propagate the scam worldwide.
Vulnerability exploited
The overarching problem, researchers at Malwarebytes believe, is stemming from the end of the life cycle for Magento 1.x: the classic open-source eCommerce platform initially introduced in 2008.
As developers have phased out the software, unpatched systems unfortunately still abound on the web, giving hackers plenty of opportunities to fine-tune Magento scripts.
At the time of this writing, there is no publicly available data on precisely how much damage the Tupperware hack caused. But at a minimum, hundreds of thousands of credit card numbers may have been compromised in a matter of days.
X-Cart eCommerce hosting breach – Ransomware via supply chain suspected
There's a particular risk among eCommerce hosting platforms nowadays. Rather than attack a single domain, malicious actors seem to be targeting the software supply chain to inject code as needed and exfiltrate data, whether it be credit card credentials or personally identifiable information.
Through a variety of avenues, the general idea is to hide malicious code inside of legitimate updates. Hacking one update could theoretically compromise thousands of companies running that particular SaaS platform – X-cart in this newest incident.
It's a little-known fact that eCommerce sites are equally as vulnerable to ransomware attacks.
Not every attack that targets online retail is attempting to steal account credentials and credit card numbers. Sometimes, the hackers' intentions are far more malicious than strictly financial.
Vulnerability exploited
The X-Cart ransomware attack is a prime example of a new angle that researchers see more and more: attacks via the software supply chain in the cloud.
The only detail that X-cart revealed was that the hack originated in "3rd-party software," a relatively broad and vague explanation. What the hackers did was compromise shared-hosting servers with ransomware that brought down customers' online stores.
What's chilling about this specific incident is that the hackers didn't actually ask for a ransom to unencrypt customer stores.
The intent appears to be cyber vandalism – and mindless mayhem – but there's no way to ensure that the hackers didn't infiltrate other systems at X-cart.
Another point is that the X-cart hack exposes the issue of a "code of silence" when cyber attackers are successful, and reports of their success make international headlines.
What's sorely missing is the chance to use cybersecurity incidents as cautionary tales about why it's so critical to go beyond common mitigation strategies.
Common mitigation strategies falling short of the goal
Considering that an eCommerce giant like Tupperware and an up-and-coming company like X-Cart were hacked so quickly, what's the next step? How can eCommerce companies protect themselves from novel malware attacks moving forward?
The answer is to deploy a next-gen web application firewall (NGWAF) tool for a secure development environment.
Today's attack vectors seem to be originating in the software supply chain, which makes implementing traditional counter-measures more challenging.
The benefit of increased application security is that it makes exploiting systems more tedious and requires that hackers refine techniques to counteract more robust defenses.
The good news is that the latest NGWAF tools on the market go beyond the primary threats identified by the non-profit Open Web Application Security Project (OWASP). In fact, some of the best available NGWAF can be deployed in far less time, a matter of minutes, with the right tool.
In the end, eCommerce companies benefit by adding another layer of security that can mitigate novel hacking techniques like those seen in recent times.
Comments