Shift4Shop eCommerce Blog

4 Threats That Could Target Customers Through Your eCommerce Website

Written by Guest Author | Sep 4, 2024 3:00:00 PM

Online commerce is no longer just an alternative. It is now a worldwide staple. 

In 2024, around 20 percent of total global retail sales will be attributed to eCommerce. Therefore, it should not be surprising that cybercriminals are hot on the heels of eCommerce stores, trying to find ways to exploit and ultimately steal money from businesses. One avenue cybercriminals are taking that eCommerce owners need to be aware of is threats targeting customers, taking advantage of their trust in online brands and the digital properties they interact with.

Many eCommerce store owners are still discovering how to manage all the different aspects of their business, such as finding new channels to buy or sell products or the right payment system for online transactions. Maintaining a website can be complex, which creates numerous vulnerabilities and opportunities for bad actors to exploit businesses and their customers via their websites. 

Here’s a rundown of four prevalent types of cyber attacks that target eCommerce customers through a store’s website.

 

1. Website Impersonation

One of the biggest threats to eCommerce customers is impersonated websites of online stores. Bad actors create spoofed versions of real brands’ websites to trick their customers into “making a purchase” or simply inputting their personal information, such as credit card numbers. 

These schemes are usually multi-pronged. Cybercriminals impersonate websites for various ill-intended purposes, including reputational harm to a business, unethical data collection, and financial theft. Most impersonated websites are aimed at customers, but there are cases when a company commissions cybercriminal groups to attack a competitor while also attacking its customers in the process. 

Reputational damage is often an inevitable consequence of impersonated websites. When customers are defrauded by visiting an impersonated website, they immediately blame the brand. Even worse, if customers start to write negative reviews or the media reports about a brand’s site being impersonated, it could cause serious harm to the business, including loss of customer trust and churn. 

Negative customer experiences from impersonated eCommerce sites usually take three main forms: inconvenience, data collection, and financial theft. Some impersonated sites are created simply to annoy customers and motivate them to move to a competitor’s site. Others illegally or maliciously collect data, especially sensitive information such as login credentials, through online forms. The worst consequence for customers is financial loss, as they are deceived into placing and paying for orders or moving funds to an online wallet.

Website impersonation is a severe threat in the eCommerce and online retail space. Data gathered by real-time digital risk solution provider Memcyco shows that around half of cybercrimes in the United States stem from brand impersonation. The unpleasant experiences customers go through with impersonated sites tend to be substantial. Losses from the costliest attacks average nearly $5 million. Around 81% of customers say they prefer to stop engaging with a brand online after an attack. Also, it is worth noting that an overwhelming majority of customers believe it is the brand’s responsibility to prevent website impersonation.

Source: Memcyco

To emphasize, impersonating a company’s website or online store may appear trivial, but it is actually a complex attack. In particular, it creates a long window of exposure that runs from the establishment of the impersonated site, through detection and the takedown request, to the actual takedown (which can take up to months). Before the impersonated site is discovered and finally removed, it has likely damaged customers significantly. It’s also likely that if one impersonated site is found, there will be more.


It doesn’t take long for bad actors to lead unsuspecting customers to an impersonated website. They can send the link to the impersonating site through deceptive emails or text messages. Once the customer is on the site, they will interact with it more often than not.

The ideal solution to website impersonation involves real-time alerts for businesses and customers. Businesses need to know in real time that an impersonated site has popped up and, more importantly, if a customer has been attacked. At the same time, businesses should provide solutions that alert customers in real time if they visit an impersonated website, so that they can protect themselves by choosing to stop interacting with it.

 

2. Man-in-the-Middle Attacks

If website impersonation is about deceiving customers into using a spoofed website, Man-in-the-Middle (MiTM) is an attack in which cybercriminals intercept the exchange of information between customers and a website. In other words, MiTM steals information that is supposed to stay private between a customer and a business. MiTM also makes it possible to tamper with transactions.

MiTM can be used to steal credit card details such as card numbers, expiration dates, and the Card Verification Value (CVV). In the checkout process, for example, data exchanged between the customer and the business can be copied as it moves to and from the server and the customer’s device. The same happens with login credentials. Attackers can hijack accounts to engage in fraudulent purchases.

Additionally, MiTM enables threat actors to tamper with transactions. For example, the details of an order can be modified so that the purchased item is sent to the attacker’s address instead of the buyer’s location. Payments can also be redirected. The attacker can modify the seller’s bank account or online wallet details to send the payment to the attacker’s account.

These MiTM attack scenarios were observed in German POS systems back in 2015. Security researchers discovered that the ZVT and Poseidon communication protocols employed by card readers had flaws that could enable MiTM attacks through a retailer’s network. The vulnerabilities made it possible to transfer funds to accounts specified by attackers or process false transactions. 

To prevent MiTM attacks, enforce encryption protocols such as TLS for data exchanged between clients and servers. It is also crucial to use digital certificates issued by reputable certificate authorities to verify servers and ensure their security. Additionally, it is essential to implement certificate pinning, HTTPS for all web traffic, and robust user authentication mechanisms.
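The recommendations above can be checked against what a checkout page actually sends. The following is an added example, not code from the original article: a small JavaScript audit of a captured response for HTTPS, HSTS, the cookie `Secure` flag, and plain-HTTP form or script references. The response objects, the `shop.example` host, and the one-year HSTS minimum are assumptions made for illustration.

```javascript
// Added example: audit one captured response for transport-security gaps.
// MIN_HSTS_MAX_AGE is a policy choice assumed here (one year, in seconds).
const MIN_HSTS_MAX_AGE = 31536000;

function auditTransportSecurity(response) {
  const findings = [];
  if (!response.url.startsWith("https://")) findings.push("page served over plain HTTP");

  // HSTS tells the browser to refuse plain-HTTP connections to this site.
  const hsts = response.headers["strict-transport-security"];
  if (!hsts) {
    findings.push("missing Strict-Transport-Security");
  } else {
    const maxAge = /max-age=(\d+)/i.exec(hsts);
    if (!maxAge || Number(maxAge[1]) < MIN_HSTS_MAX_AGE) findings.push("HSTS max-age too short");
    if (!/includeSubDomains/i.test(hsts)) findings.push("HSTS lacks includeSubDomains");
  }

  // A cookie without Secure can be sent over an unencrypted connection.
  for (const cookie of response.headers["set-cookie"] || []) {
    const name = cookie.split("=")[0];
    const attrs = cookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
    if (!attrs.includes("secure")) findings.push(`cookie ${name} lacks Secure`);
  }

  // Forms or scripts referenced over http:// can be read or altered in transit.
  const insecureRef = /\b(?:src|action)\s*=\s*["'](http:\/\/[^"']+)/gi;
  for (const m of (response.body || "").matchAll(insecureRef)) {
    findings.push(`insecure reference ${m[1]}`);
  }
  return findings;
}

// Constructed sample responses: a weak configuration beside a corrected one.
const WEAK_RESPONSE = {
  url: "https://shop.example/checkout",
  headers: { "strict-transport-security": "max-age=300", "set-cookie": ["session=abc123; Path=/; HttpOnly"] },
  body: '<form action="http://shop.example/pay" method="post"></form>',
};
const HARDENED_RESPONSE = {
  url: "https://shop.example/checkout",
  headers: { "strict-transport-security": "max-age=31536000; includeSubDomains", "set-cookie": ["session=abc123; Path=/; Secure; HttpOnly"] },
  body: '<form action="https://shop.example/pay" method="post"></form>',
};

console.log(auditTransportSecurity(WEAK_RESPONSE));
console.log(auditTransportSecurity(HARDENED_RESPONSE));
```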

 

3. Online Payment System Skimming

Payment pages on eCommerce sites can also be the target of attacks. It is possible to inject skimming scripts into these payment pages. This is the digital and online equivalent of the conventional credit or bank card skimming in ATMs, wherein a device is attached to the ATM’s card reader and keys to scan the card and record the PIN.

Instead of dealing with physical devices, eCommerce credit card skimming involves malicious script injection. The script is introduced to the website by exploiting vulnerabilities in a website’s code, third-party plugins, or content management system (CMS).

There are two primary types of malicious scripts injected. 

The first is for form skimming, which is like a virtual version of a card reader. This script is responsible for obtaining details such as the credit card number, expiration date, and CVV code. The script usually transmits the scanned data instantly to a server specified by the attacker. 

The second type of script is called an iFrame skimmer. This is the digital equivalent of the device that records the details inputted to an ATM by a user. It overlays a user interface on top of the original UI of a website to capture the details typed in by a user. These details include the PIN, billing address, transaction passwords, and multi-factor authentication codes.

Online payment system skimming is mainly a data collection attack. Still, it eventually leads to financial theft once the attacker uses the stolen data or sells it to cyber criminals on the dark web. There are major studies on the trends and total losses attributed to online payment card skimming (separate from the usual credit or bank card skimming). However, the total number of skimming cases has been rising. Also, new variations of the attack have emerged, including authorized push payment fraud (APP fraud) and first-party fraud.

An analysis by VISA’s Payment Fraud Disruption and eCommerce Threat Disruption division shows that online payment system skimming perpetrators make use of the same infrastructure for all of their skimming attacks, and they have notably been targeting payment systems that host their code in more than one content delivery network (CDN). More than 17,000 domains have already been compromised by skimming attacks.

Addressing the threat of online payment system skimming requires a holistic approach. It starts with implementing secure coding practices to minimize the vulnerabilities that threat actors can exploit. Systems should be regularly updated, from the software plugins to the CMS. Additionally, conducting regular security audits and continuously scanning for malicious activities is crucial to detect and address security issues before they worsen.
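One form the scanning described above can take is a routine audit of which scripts a payment page loads. The following is an added example, not code from the original article: it flags scripts from hosts outside an allowlist, third-party scripts without Subresource Integrity, and inline scripts. The allowlist, the `.example` hosts, and the sample HTML are constructed for illustration.

```javascript
// Added example: static audit of <script> tags on a checkout page.
// The allowlist and hosts are assumptions; adapt them to the store's real vendors.
const ALLOWED_SCRIPT_HOSTS = new Set(["shop.example", "js.payments.example"]);

function auditCheckoutScripts(html, pageUrl) {
  const findings = [];
  const pageOrigin = new URL(pageUrl).origin;
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) {
      // Inline code cannot be tied to a host or verified with SRI.
      const body = m[2].trim();
      if (body) findings.push({ issue: "inline-script", detail: body.slice(0, 40) });
      continue;
    }
    const url = new URL(src[1], pageUrl); // resolves relative paths against the page
    if (url.protocol !== "https:") findings.push({ issue: "non-https", detail: url.href });
    if (!ALLOWED_SCRIPT_HOSTS.has(url.hostname)) {
      findings.push({ issue: "unlisted-host", detail: url.hostname });
    } else if (url.origin !== pageOrigin && !/\bintegrity\s*=\s*["']sha(256|384|512)-/i.test(attrs)) {
      // Third-party code without an integrity hash can change without notice.
      findings.push({ issue: "missing-sri", detail: url.href });
    }
  }
  return findings;
}

// Constructed sample markup; the integrity value is a placeholder, not a real hash.
const SAMPLE_CHECKOUT_HTML = `
<script src="/static/cart.js"></script>
<script src="https://js.payments.example/v3/sdk.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://js.payments.example/v3/ui.js"></script>
<script src="https://cdn.analytics-metrics.example/t.js"></script>
<script>document.forms[0].addEventListener("submit", track);</script>
`;

console.log(auditCheckoutScripts(SAMPLE_CHECKOUT_HTML, "https://shop.example/checkout"));
```

This audit only sees the markup the server delivers. Scripts added to the page at runtime need browser-side controls such as a Content Security Policy.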

 

4. Cross-Site Scripting

eCommerce websites are common targets for cross-site scripting (XSS) attacks. These attacks inject malicious code into a website, and that code then runs in the visitor’s web browser. They are designed to compromise user data, hijack a session, or deface a website.

An XSS attack starts with the attacker looking for vulnerabilities in search bars, user profiles, product reviews, and other website elements that accept external inputs. Once a vulnerability is discovered, the attacker proceeds to inject the malicious code, which is usually written in JavaScript and disguised as harmless HTML code or a block of text. Once a user interacts with the infected website element, such as the product search bar, the malicious script is executed within the browser.


The execution of the malicious script enables different outcomes. It can be a case of data theft, wherein the details inputted into a form on a website are transmitted to a server set by the perpetrator. It can also be an instance of session hijacking, which allows the attacker to impersonate the customer and access their account. However, the attack may also be an attempt to deface a website. The execution of the malicious code may cause the browser to display the affected website erratically or put out misleading content.

To prevent successful cross-site scripting, input validation and output encoding must be undertaken to ensure that malicious scripts are not executed. It is also advisable to maintain a strict Content Security Policy (CSP) and conduct regular security audits to find and patch security problems before threat actors exploit them.
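The three defenses named above, shown for a product review and a search term. This is an added example, not code from the original article: it places an unencoded render function beside its encoded form, adds a simple search-term validator, and builds a strict CSP header value. The function names, the 100-character limit, and the `js.payments.example` host are assumptions made for illustration.

```javascript
// Added example: output encoding, input validation and a strict CSP value.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: review fields are concatenated into markup unchanged.
function renderReviewUnsafe(review) {
  return `<li class="review"><b>${review.author}</b>: ${review.text}</li>`;
}

// Hardened: every untrusted field is encoded at the point of output.
function renderReviewSafe(review) {
  return `<li class="review"><b>${escapeHtml(review.author)}</b>: ${escapeHtml(review.text)}</li>`;
}

// Input validation for a search term: bounded length, no control characters.
// Validation narrows what is accepted; encoding on output is still required.
function validateSearchTerm(term) {
  if (typeof term !== "string") return null;
  const trimmed = term.trim();
  if (trimmed.length === 0 || trimmed.length > 100) return null;
  if (/[\u0000-\u001f\u007f]/.test(trimmed)) return null;
  return trimmed;
}

// Strict policy: scripts only from this site plus explicitly listed hosts,
// no plugins, no foreign <base>, forms may only post back to this site.
function buildCsp(scriptHosts = []) {
  return [
    "default-src 'self'",
    ["script-src 'self'", ...scriptHosts].join(" "),
    "object-src 'none'",
    "base-uri 'self'",
    "form-action 'self'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Constructed sample review carrying markup in its text field.
const SAMPLE_REVIEW = { author: "sam", text: "<script>alert(1)</script>" };

console.log(renderReviewUnsafe(SAMPLE_REVIEW)); // markup reaches the page as-is
console.log(renderReviewSafe(SAMPLE_REVIEW));   // markup is shown as text
console.log(buildCsp(["https://js.payments.example"]));
```

The value returned by `buildCsp` is sent in the `Content-Security-Policy` response header.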

 

Website Security Equals Customer Protection

Cybercriminals can turn websites into tools to attack customers and businesses. That’s why, as an eCommerce store owner, you must ensure adequate website protection, especially against the threats of website impersonation, MiTM, payment system skimming, and cross-site scripting. 

Businesses are expected to ensure their website’s security not only to protect themselves from cyber attacks but also to ensure customer satisfaction and good experiences that help build brand loyalty. After all, exposing customers to scams, data theft, and financial losses is never a good way to start a business relationship.