Layers of Defense: The Attack Vectors of the eCommerce World
What are Attack Vectors?
Attack vectors are a method for bad actors to exploit holes in an organization’s network or its users’ browser. The end goal of the attacker is to follow through with a malicious plan to overtake, steal, or harm. Attackers are constantly looking at possible holes in systems and sites, a large one being 3rd party services that live unmonitored on many eCommerce sites.
These attacks have become more sophisticated over the past couple of decades, making them increasingly difficult to mitigate. Bad actors are constantly scanning for vulnerabilities. An example would be human error.
What kinds of attack vectors exist in the eCommerce world?
Here is a comprehensive list of attack vectors that exist in the eCommerce world:
- Content Tampering: Altering the data sent between a client and a server.
- Customer Journey Hijacking: Stealing visitor sessions by injecting unauthorized ads.
- Clickjacking: Tricking a user into clicking on something different from what the user perceives, potentially revealing confidential information.
- Cookie Stealing: Allows an attacker to steal sensitive information like login details, session tokens, credit card details, etc. from Cookies that can be further used for various kinds of attacks like identity theft, account takeovers, and targeted phishing attacks.
- DDoS: A hostile attempt to disrupt the normal traffic of an earmarked server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic.
- Bot Attacks: The use of automated web requests to manipulate, defraud, or disrupt a website, application, API, or end-users.
- Client-side Malware: Client-side attacks occur when a user downloads malicious content.
- Magecart: Malicious hacker groups who target online shopping cart systems to steal customer payment card information.
- Cross-Site Scripting (XSS): A type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
- Tag Piggybacking: Tag piggybacking is when one marketing tag triggers another. This can lead to dozens, or even hundreds, of additional tags being launched without the website owner’s knowledge, causing data security and privacy issues, as well as impacting website performance.
- Session Redirects: Finding the session ID (SID) of an active user to impersonate or hijack.
- Sensitive/PII Data Theft: The theft of personally identifiable information (PII). PII is any data that could be used to identify a particular person. Examples include a full name, Social Security number, driver’s license number, bank account number, passport number, and email address.
- Third/First Party Compromise: Malware infiltrates your system through an outside partner or provider with access to your systems and data.
- MiTB Attacks: The attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.
- Cryptojacking: Unauthorized use of someone else’s computer to mine cryptocurrency.
- Cookie Stuffing/Affiliate Fraud: An illegitimate technique where a third-party drops multiple affiliate cookies on a user’s browser, in order to claim the commission out of sales from that browser.
The list can go on, as these bad actors find new and creative ways to gain information and cause damage.
What is the impact to businesses if they are attacked?
Businesses can face major lawsuits and settlements, lose out on revenue, and take a big hit to their brand image if their security posture is weak and bad actors are able to attack. For example, Target underwent a major attack via a 3rd party vendor, with nearly 70 million people having their PII stolen. The settlement cost the company millions of dollars, with additional money being spent to tighten security measures. For a giant like Target, this may have been a slap on the wrist, with consumers still wanting to shop at the retailer. But for niche brands, this luxury may not transfer.
How can brands protect against different attack vectors?
The amount and variety of attack vectors can be overwhelming. Maintaining a robust security posture takes layers of defense capabilities. Any security vendor who claims to have a “complete” security product suite is wrong. Typically, one vendor will provide a layer or two of defense against one, or maybe a handful, of attack vectors. The most important thing to do is continue to add and maintain layers of defense. This will provide as complete protection against diverse attack vectors as possible. YOTTAA’s SERVICE CTRL can help you mitigate content tampering, formjacking, and other client-side attacks, but it cannot help you with DDoS or Bots (we have SECURITY CTRL to help you get started with that!).
The most important takeaway from this information is to be aware, informed, and alert of all the attacks that could affect your brand. If you don’t have the resources internally to start adding layers of defense, look outside of your organization to service providers who can help you get started.
Protect your brand. Protect your customers. Protect your bottom line.
Want a snapshot of your current security posture? Get it here.
YOTTAA’s SERVICE CTRL provides retailers with the ability to easily implement and manage content security policies. It allows retailers to have robust governance over all 3rd party and hidden services running on their eCommerce site. Contact us to learn more!