
Layers of Defense: The Attack Vectors of the eCommerce World

Last week you learned about the many different ways that a potential shopper will leave your eCommerce site. This week’s edition looks at security threats and how you can best get a handle on them so that your eCommerce site is fully prepared for the busy holiday season. It might be summer now, but it’ll be Black Friday before you know it!

What are Attack Vectors? 

An attack vector is a method bad actors use to exploit holes in an organization’s network or its users’ browsers. The attacker’s end goal is to follow through with a malicious plan to overtake, steal, or harm. Attackers are constantly looking for possible holes in systems and sites, a large one being the third-party services that live unmonitored on many eCommerce sites.

These attacks have become more sophisticated over the past couple of decades, making them increasingly difficult to mitigate. Bad actors are constantly scanning for vulnerabilities. 

What kinds of attack vectors exist in the eCommerce world? 

There are a multitude of attack vectors that affect the eCommerce industry. Some of the most famous are Magecart attacks, where attackers gain access to websites via third-party services by injecting malicious JavaScript. This malicious code allows attackers to steal customers’ personally identifiable information (PII), such as card numbers, addresses, phone numbers, etc.

Here is a comprehensive list of attack vectors that exist in the eCommerce world: 

  • Content Tampering: Altering the data sent between a client and a server.
  • Customer Journey Hijacking: Stealing visitor sessions by injecting unauthorized ads. 
  • Clickjacking: Tricking a user into clicking on something different from what the user perceives, potentially revealing confidential information. 
  • Cookie Stealing: Allows an attacker to steal sensitive information like login details, session tokens, credit card details, etc. from cookies, which can then be used for various kinds of attacks like identity theft, account takeovers, and targeted phishing attacks.
  • DDoS: A hostile attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic.
  • Bot Attacks: The use of automated web requests to manipulate, defraud, or disrupt a website, application, API, or end-users. 
  • Client-side Malware: Client-side attacks occur when a user downloads malicious content. 
  • Magecart: Malicious hacker groups who target online shopping cart systems to steal customer payment card information. 
  • Cross-Site Scripting (XSS): A type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. 
  • Tag Piggybacking: Tag piggybacking is when one marketing tag triggers another. This can lead to dozens, or even hundreds, of additional tags being launched without the website owner’s knowledge, causing data security and privacy issues, as well as impacting website performance. 
  • Session Redirects: Finding the session ID (SID) of an active user to impersonate or hijack. 
  • Sensitive/PII Data Theft: The theft of personally identifiable information (PII). PII is any data that could be used to identify a particular person. Examples include a full name, Social Security number, driver’s license number, bank account number, passport number, and email address.
  • Third/First Party Compromise: Malware infiltrates your system through an outside partner or provider with access to your systems and data. 
  • MiTB Attacks: The attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. 
  • Cryptojacking: Unauthorized use of someone else’s computer to mine cryptocurrency. 
  • Malicious iFrame Injection: An attack that combines malicious JavaScript with an iframe that loads a legitimate page in an effort to steal data from an unsuspecting user. 
  • Cookie Stuffing/Affiliate Fraud: An illegitimate technique where a third-party drops multiple affiliate cookies on a user’s browser, in order to claim the commission out of sales from that browser. 

The list goes on, as these bad actors find new and creative ways to gain information and cause damage.
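
Several of the vectors above (Magecart, third-party compromise, malicious iframe injection) depend on scripts and frames that load from hosts nobody is monitoring. The following is an added example, not part of the original article: a small inventory check that lists a page's external scripts and iframes and flags any host missing from an approved vendor list, plus approved scripts loaded without a Subresource Integrity (SRI) hash. The sample page, all host names, and the approved list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page; every host below is made up for the example.
SAMPLE_PAGE = """
<html><head>
<script src="/static/cart.js"></script>
<script src="https://cdn.payments.example/v3/sdk.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://tags.analytics.example/t.js"></script>
<script src="https://unknown-widgets.example/w.js"></script>
</head><body>
<iframe src="https://unknown-widgets.example/frame.html"></iframe>
</body></html>
"""

class ResourceInventory(HTMLParser):
    """Collects every external <script> and <iframe> source on a page."""
    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, src, has_integrity)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            a = dict(attrs)
            if a.get("src"):
                self.resources.append((tag, a["src"], bool(a.get("integrity"))))

def audit(html, first_party_host, approved_hosts):
    """Return findings for third-party resources that are unapproved or unpinned."""
    inv = ResourceInventory()
    inv.feed(html)
    findings = []
    for tag, src, has_integrity in inv.resources:
        # A relative URL has no hostname, so it is served by the first party.
        host = urlparse(src).hostname or first_party_host
        if host == first_party_host:
            continue
        if host not in approved_hosts:
            findings.append((tag, host, "not on the approved vendor list"))
        elif tag == "script" and not has_integrity:
            findings.append((tag, host, "approved but loaded without SRI"))
    return findings

if __name__ == "__main__":
    approved = {"cdn.payments.example", "tags.analytics.example"}  # assumed list
    for finding in audit(SAMPLE_PAGE, "shop.example", approved):
        print(finding)
```

A check like this only sees tags present in the page markup; tags launched at runtime by other tags (tag piggybacking) have to be observed in the browser.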

What is the impact to businesses if they are attacked? 

Businesses can face major lawsuits and settlements, lose out on revenue, and take a big hit to their brand image if their security posture is weak and bad actors are able to attack. For example, Target underwent a major attack via a third-party vendor, with nearly 70 million people having their PII stolen. The settlement cost the company millions of dollars, with additional money being spent to tighten security measures. For a giant like Target, this may have been a slap on the wrist, with consumers still wanting to shop at the retailer. But niche brands may not have that luxury.

How can brands protect against different attack vectors? 

The number and variety of attack vectors can be overwhelming. Maintaining a robust security posture takes layers of defense capabilities. Any security vendor who claims to have a “complete” security product suite is wrong. Typically, one vendor will provide a layer or two of defense against one, or maybe a handful, of attack vectors. The most important thing to do is continue to add and maintain layers of defense. This will provide protection against diverse attack vectors that is as complete as possible.

The most important takeaway is to be aware of, informed about, and alert to all the attacks that could affect your brand. If you don’t have the resources internally to start adding layers of defense, look outside of your organization to service providers who can help you get started.