How Black Friday and Cyber Monday Can Go From a Retailer’s Dream Into a CiSO’s Worst Nightmare

Holiday shopping season: from a retailer's dream into a CiSO’s Nightmar
Share article
twitter linkedin medium facebook

The shopping season which begins on Black Friday rolling over to Cyber Monday, is actually one of the most critical times for online retailers. During this period promotions are offered, new products are launched, and the shopping websites themselves invest all their resources to increase the volume of purchases. Unfortunately, as they say, along with the opportunities, come the risks. 

In this article, we will outline the cyber-security risks that online retailers are facing, where they come from and what you should do to prevent them.

Your Buyers’ Information Can Be Costly

Online shopping appetite reaches its peak on Black Friday and Cyber Monday. It appeals not only to online shoppers and retailers, who yearn for new customers, but also for attackers targeting customer’s financial data. These threat actors take advantage of the shopping momentum and perform malicious actions often referred to as Web-skimming, Form-Jacking which are commonly attributed to an attack methodology known as Magecart. The consequences of such attacks can be disastrous, with affected customers losing confidence and their way back to your online store

The damages do not end with the cessation of the attack. Apart from reputation loss, shoppers’ abandonment and financial damages, there are unfortunately more things for an online retailer to worry about. 

With the ever increasing regulation demands and privacy laws, like the GDPR and CCPA, threats have now become more severe and – expensive. Compliance requirements are binding allonline entities, including retail websites. The case of the Fashion ID shopping website is an example of how legal liability can affect your business.

But it can get a lot worse, and include huge fines that can seriously hurt a company’s bottom-line . The most significant event in this area, is without a doubt the British Airways case. In 2018, when tourism still existed, the company sold tickets through its website. A hack into one of the installed components on the website allowed Magecart group attackers to steal information from approximately half a million users. The damage is estimated at around $1 billion with an extra $230 million fine on top. British Airways may have survived, but the damage is undoubtedly enormous.


Meet the Key Players

Now, after a short overview, it’s time to put things in place and figure out who we are up against . We will refer to two basic terms that all people involved in eCommerce must be familiar with.

Third parties (and fourth parties) – external components, usually in the form of JavaScript or iFrame that are installed and run on your website. You can refer to it as outsourced technological tools that generate website activity, monitor it and allow it to streamline processes to make money. Think of all the advertising tools you use to attract customers, your analytics tools, YouTube’s video player and the anti-bot that comes with it. These are all third and fourth parties.

Does it put your website at risk? Third (and fourth) parties are installed on your website, but they are controlled by external vendors. It may be your advertising provider or the open source tools your developers use. Most of your third-parties are controlled remotely, and can do everything(!) on your website. When your vendor is breached, you immediately become exposed to supply chain attacks and data theft. Such attacks have hit tens-thousands of e-commerce websites over the past year. Click to learn more about third-party risks.

You will probably be surprised to find out how many third and fourth parties are installed on your website and how they have access to your most sensitive information.

Magecart / Web-Skimming – Magecart is actually a very common attack methodology in the e-commerce sector. This method exploits installed third parties on websites to steal financial information on the checkout pages. This term is also known as Web-Skimming. Magecart methodology is attributed to between 7 and 12 attack groups, who are behind the theft of millions of online shoppers’ credit card information being stolen.

Growth Hacking, In a Bad Way

The significant increase of threats to online retailers is reflected not only in the amount of attacks, but also in the level of sophistication. Along with the search for vulnerabilities on websites, hackers are also looking for new ways to steal sensitive information. Those of you who are involved in website security and are familiar with the third-party codes that run behind the scenes and with “the next generation of third-party risks” that come with it, bringing high levels of sophistication, like never before. 

Unfortunately, there are too many examples for it. The case of Pipka, is one where the attackers used sophisticated hacking techniques to hide their traces. The Gocgle’s malicious campaign that hit hundreds of shopping websites demonstrates how hackers used Google’s legitimate tool for impersonation, in order to compromise the code and steal valuable information.


Is Your Shopping Website Really Protected?

Data breaches, phishing, server-side risks, belong to the more familiar threat categories. These areas are well-taken care of with many excellent solutions.. However,when it comes to third-party application security, these tools are just not enough, leaving you exposed. So where does the problem begin and where is your most significant weakness hiding?

Awareness, awareness, awareness (and knowledge)

The mix of high levels of sophistication and lack of awareness can be devastating. This is one of the major weaknesses for almost any online retailer. Security team members and CiSOs are probably already aware of this, but when it comes to other stakeholders, it may be a different story. 

Whether you are a C level executive, digital marketing expert, or head of technology, this is exactly the moment you should ask yourself “Does Magecart ring a bell?” “Am I familiar with Web-skimming?” “Do I know why a third-party code is risky?”

 Most of your vendors are on the client-side

When we look at the trends that have taken place recently, and especially since the outbreak of the Covid-19 pandemic, it seems that during the last six months shopping websites have been more threatened than ever before. As you probably understand, one of the points at the heart of the current risk map is the wide range of third-party risks and threats coming from the client-side.

So let’s talk for a moment about the client-side, the “production” and all the third-party apps that are installed and running on your website. This is where you will find running components like analytics, advertising and engagement tools and more. They are all making your website better and friendlier. But this is also where the main risks that hover over almost any shopping website are located. Knowledge from a technical or marketing point of view is simply not enough.

Looks familiar? Third-party apps and tags
Top digital applications

The Special Nature of Third-Party Apps

This entire area of third-party risks on websites is not new. But as the reliance of e-commerce on external components, i.e. third parties, has increased, so too have the threats. Aside from the “awareness threat”, we have already mentioned that because of the special security nature of third parties on websites, common security practices provide only partial protection, if any. 

If you use security tools like WAF, IPS, TPRM solutions and even PT, you should check how well your website is protected and whether your online shoppers are safe. Probably not.

The first stage to handle this situation would be creating an awareness of the evolving risk landscape of third-party apps on websites, and trying to figure which security solution suits you best. 


Few Important E-commerce Security Tips? 

Running a shopping website requires a high level of responsibility, in particular when you collect payments. For many online retailers this sometimes conflicts with their marketing efforts and business goals, especially when third-party apps are involved. 

Though third-party apps are a must, it is recommended you use only credible vendors. In this final section we’ll provide you with some important guidelines to help you handle third-party application risks effectively. 

Check your vendors – Without third-party application security perimeters in-hand, you should follow this rule of thumb: each time your digital team, or developers, are adding new JavaScript component, follow these steps: (1) Always try to host the code internally on your own servers and verify by code review, or external code that this tool isn’t loading 4th-parties scripts (2) Run application security tests with tools like Acountix or Qualys (3) Search information about the vendor. We recommend using search-engines and sources like GitHub for it, see if they have known security issues and CVE.

What actions should I take before installing a third-party component? Once you are done checking your vendors, you should go through additional steps. Conduct a due-diligence process with the vendor. Check its sources and if possible – its security score. It is recommended to use reliable security scoring solutions like Security Scorecard, BitSight rating or CyberGRXIf you are using an external development company, make sure these processes are managed and documented.

Where’s the catch? The one thing you should be aware with these security processes is the ongoing process itself. Once you install a third-party, it has a life of its own. Especially as it is being controlled remotely, while running on your website.

Unfortunately, this is a more complicated stage, as it requires dedicated solutions that can provide control for apps while they are actually running. There are few solutions available, and for all it takes – some require installation, others come with a set of rules that need to be defined and few allow dynamic analysis that is conducted remotely. It is important to remember that some tools provide only what they refer to as “Magecart protection”, while this is essential it may not be sufficient to cover the entire third-party risk landscape. We can only say here, that Reflectiz is one of the companies that offer these solution types. This brings us to the last tip.

How to reduce the risk while installing a script? Even if you are using an external script, store it locally. This doesn’t eliminate the risk, but it can definitely reduce the threat.

 This isn’t really the last tip. We’ll have more for you. Follow our LinkedIn page and Twitter account and stay tuned to the latest security updates. Join our security professionals community and subscribe to our Newsletter and special announcements.

Subscribe to our newsletter

Stay updated with the latest news, articles, and insights from Reflectiz.

Your Website looks great!

But what’s happening behind the scenes?

Discover your website blind spots and vulnerabilities before it’s too late!

Try for free