Black Friday and Cyber Monday (BFCM) are two of the biggest online shopping days of the year. In 2023, holiday season e-commerce sales revenue in the US alone reached more than $12 billion, with a further increase expected this year. As online shopping has increased in popularity over the last decade or so, the BFCM buzz has spread further afield and is now one of the busiest times for retailers worldwide.
While this increase in sales is good news for businesses, the hype also attracts cybercriminals seeking to take advantage of the increased online activity. Here, we explore why hackers aim to exploit BFCM, how they do so, and how companies can defend themselves from holiday season hacks.
Know your enemy: What’s in it for the hackers?
There are several reasons why cybercriminals target e-commerce sites, especially during the busy end-of-year shopping period.
- Stolen goods: Basic personal gain is often a key motivation. Hackers use their technical skills to exploit vulnerabilities on e-commerce sites or payment platforms to trick retailers out of goods without paying.
- Bragging rights: Hackers are not just motivated by financial rewards. Some also want to boast online about the chaos they have caused, particularly if they can claim to have brought major sites to a standstill on the busiest shopping days of the year.
- Competitor sabotage: Some hacker activity comes from organized groups who want to gain an advantage in the marketplace by causing financial damage to their rivals at a time when it will have maximum impact on their profits and reputation.
- Ransom demands: Amid the hubbub of activity, hackers steal private and sensitive data to blackmail companies and extort funds from them. Companies may consider paying hackers off to prevent them from exposing a data leak.
Common Cybercrime Attack Methods
Cybercriminals are increasingly seeking new ways to target e-commerce websites. Here are just some techniques to be aware of.
- Automated scanners: Cybercriminals use these tools to scan thousands of sites, searching for vulnerabilities they can exploit. Since the scanning procedure does not have to be monitored manually, the criminals can cause maximum damage in a short space of time.
- Phishing attacks: Hackers also target customers directly. Using emails, popups, and fake messages, criminals trick people into sharing account credentials and credit card information. The criminals then use these details to make purchases. The company may then suffer losses when it has to refund these fraudulent transactions.
- Malware: Malware, or “malicious software,” can be injected directly into unprotected e-commerce sites without the owner’s knowledge. This malware enables criminals to steal money, credentials, and other user data, undetected.
- DDoS attacks: Unscrupulous criminals use hacking tools and bots to send vast amounts of traffic to a website. This surge in traffic blocks legitimate customers from accessing the site and forces them to purchase from competitors, leading to lost sales for targeted companies.
- Gift card cracking: Attackers take advantage of peak gift-giving season by running millions of number variations through gift card forms. This allows them to identify gift card numbers with positive balances and sell them before the legitimate cardholder has a chance to use them.
- Account takeovers: Fraudsters can hijack customer account credentials using automated bots to execute other malicious activities, such as assuming control of the account, committing data theft, and making unauthorized purchases.
- Inventory hoarding: Hostile bots manipulate retail sites’ inventory by starting a purchase transaction and not completing it. Since many online shops update their stock availability in real time and mark items in the transaction process as out of stock, genuine customers can’t buy items that are actually for sale because they appear to be unavailable.
- Scalping attacks: Cybercriminals use automated scalping bots to buy sought-after, high-demand products, such as concert tickets, designer clothing, or popular toys. The purchases are then resold for inflated prices on third-party sites or the black market, leaving both companies and customers out of pocket.
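Gift card cracking leaves a recognizable trace in balance-check logs: one client looks up many different card numbers in a short time, and almost all of them miss. The detector below is an added example, not code from Gcore or from this article; the log format, thresholds, and IP addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
MAX_DISTINCT = 5               # assumed: distinct cards one client may check per window
MIN_FAIL_RATIO = 0.8           # assumed: share of lookups that must miss before alerting

def parse(line):
    """Parse 'ISO-timestamp client card result' (constructed log format)."""
    ts, client, card, result = line.split()
    return datetime.fromisoformat(ts), client, card, result

def detect_enumeration(lines):
    """Return {client: time of first alert} for clients that appear to guess card numbers."""
    recent = defaultdict(deque)  # client -> lookups still inside the window
    alerts = {}
    for ts, client, card, result in sorted(map(parse, lines)):
        q = recent[client]
        q.append((ts, card, result))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        distinct = {c for _, c, _ in q}
        fails = sum(1 for _, _, r in q if r == "invalid")
        if (client not in alerts and len(distinct) > MAX_DISTINCT
                and fails / len(q) >= MIN_FAIL_RATIO):
            alerts[client] = ts
    return alerts

def sample_log():
    """Constructed sample: a shopper, a bulk buyer with valid cards, and a guessing bot."""
    base = datetime(2024, 11, 29, 9, 0, 0)
    lines = []
    for i in range(3):   # shopper re-checks one card over ten minutes
        lines.append(f"{(base + timedelta(minutes=5 * i)).isoformat()} 198.51.100.7 GC-1000-0001 valid")
    for i in range(8):   # bulk buyer checks eight cards, all of them valid
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} 192.0.2.20 GC-3000-{i:04d} valid")
    for i in range(20):  # bot walks sequential numbers two seconds apart, one hit
        result = "valid" if i == 13 else "invalid"
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 203.0.113.50 GC-2000-{i:04d} {result}")
    return lines

if __name__ == "__main__":
    for client, ts in detect_enumeration(sample_log()).items():
        print(f"possible gift card enumeration from {client} at {ts.isoformat()}")
```

Keying on client IP alone is a simplification: bots that rotate addresses need the same counting applied per session, per device fingerprint, or across the whole endpoint.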
How companies can protect themselves
Although scammers are becoming increasingly innovative, the good news is that almost 99% of attacks can be prevented with basic security precautions. To start, companies should make sure their e-commerce system and plugins are always up to date and that they don’t use untrusted open-source software. Virtual patching, which addresses vulnerabilities by acting as a virtual shield and filtering malicious traffic, can address this challenge.
It’s also wise not to store sensitive customer data on your company systems beyond what’s absolutely necessary. Storing credit card numbers and sensitive customer information is strictly regulated and requires organizations to comply with standards such as PCI DSS or ISO 2700x. Even compliant businesses should only store what is mandatory for maintaining their e-commerce site to minimize risk in case of a cyberattack.
Protecting your website isn’t a one-time task. It’s important to regularly scan for vulnerabilities in a website’s code and application layer. Vulnerability scanners focus on identifying and listing weaknesses on your site, serving as a first step toward risk mitigation.
Tools that can help protect websites against malicious traffic on an ongoing basis include web application and API protection (WAAP) and DDoS protection. These work in the background to protect your infrastructure against common assaults before they happen, so you don’t have to mitigate the aftermath. By outsourcing them to a reliable third-party provider, you can sit back and relax knowing that your security solution is working to stop even the most complex and new threats.
How Gcore can help keep your website safe
There’s still time to implement security measures for your website before the holiday shopping season kicks in. Gcore’s proven edge security solutions, WAAP and DDoS Protection, can help protect your website and e-commerce framework.
If you’d like to discuss your holiday security concerns with us, get in touch. One of our experts can help you decide what’s right for your business so you can focus on serving your customers instead of fending off fraudsters.