All about hacking attacks in e-commerce

The e-commerce industry is the most prone to hacking attacks because of many factors: low level of security measures in companies, large amounts of data that can be stolen and direct connections of e-commerce sites with payment services. Let’s analyze the worst threats and talk about how to avoid them!

Hacker attacks are common in e-commerce. How can you protect yourself? We spend a lot of time discussing the risks related to the governmental invigilation, privacy breaches, and fintech problems, yet somehow forget the very common issue of e-commerce industry security. Actually, the same problems affect all services that take part in any kind of money flow. What can a typical e-commerce service owner do to avoid the risk?

This article is going to focus on describing the most common types of dangers that affect e-commerce businesses. In order to learn how to secure yourself, read our interview with Sebastian Gilon, TestArmy’s Head of Security.

Online thieves (later related to as hackers) rarely work solely for fun. They rather focus on building complex enterprises and in every enterprise time is the most important value. Thus, the try to optimize their operations. It leads to looking for victims, who have high value and are not protected well enough. Hackers look for targets that will allow them to make big money as fast as possible and with the least possible effort. This is why the best target for them are e-commerce services.

Internet shops create and keep their customer base mostly thanks to their reputation, so it may also be an obvious reason for an attack. By taking over a company’s infrastructure, a hacker can blackmail its owners by threatening to disclose the information about the break-in. It would obviously lead to losing the customers’ trust and compromising the enterprise’s reputation. Such attacks happen in all kinds of industries, not only in e-commerce. In 2017 Uber tried to bribe hackers in order to stop them from publishing the information about their “success”. After all, the information was disclosed and Uber had to pay high fines. Many of Uber’s board members were forced to leave the company.

This risk does not only concern large companies – they can usually afford to survive the difficult period just after the attack and data leak. The emerging businesses, on the other hand, those without a strong and global brand, can be literally ruined by a sabotage. We had a chance to observe attacks on companies of all sizes, both huge corporations, such as Acer, Sony and eBay and small ones that went bankrupt, because couldn’t survive the loses generated by just one single attack.

What is it that hackers keep searching for in the e-commerce industry?

It all comes down to the attackers’ creativity and who gains access to the systems. Quite often automated hacking bots, which

do not care about a particular company’s profile, and just encrypt HDDs right away in order to execute ransomware attacks.

Precise and carefully planned attacks that are aimed at particular targets also happen, their goal, however, is to extract data or steal tangible resources.

  • Data that can be stolen and used for further attacks

E-commerce businesses usually own huge databases full of information about all of their customers. They not only possess our personal details, but also credit cards data, shopping history and other metadata, such as information regarding operating systems and browsers that their customers use. Such information is priceless for hackers because they make targeted attacks much easier. Knowing what type of software a victim uses it is much easier to prepare successful attacks and exploits.

  • Payment redirection

Being able to modify an operating application’s source code, hackers can redirect the users to maleficent services and make a percent of transferred money go to the thieves’ accounts. Sometimes hackers perform small code injections that are meant to substitute the original payment forms and the whole process goes without any violations, but this code sends the credit card/bank details to the hackers. Then, they can use it on their own or sell it to other thieves (so-called carders) who specialize in credit card frauds.

  • Attacks on infrastructure and access monetization

By accessing the computer infrastructure of a company, it is easy to deal serious damage both to the company and its customers. People tend to forget that security is not only a matter of data leaks but also everything related to system’s accessibility (so-called CIA Triad). Attackers who manage to immobilize the infrastructure and make it unable of taking orders can expose it to losses potentially more devastating, than the attack itself.


Dawid Bałut

Pentester and Bug Hunter with extensive experience who joined the security world more than half a decade ago. Since then he has worked as a Security Architect for corporations from Silicon Valley. Every day, he builds security systems, trains employees and automates all security processes.

 


More on what hackers want to do to your business and what to do to protect your business soon. Meanwhile, you can learn the most important lessons from Dawid’s podcast, available on TestArmy YouTube Channel.

Comments are closed.