Malicious actors are taking advantage of Black Friday to launch cyber-attacks against e-commerce companies and carry out fraud against them and their customers
The time when the summer and winter sales significantly impacted the future of retail companies is long gone. The emergence and consolidation of Black Friday and Cyber Monday on a global scale is a reality that is confirmed year after year. In fact, Black Friday is no longer limited to the Friday after Thanksgiving, as was originally the case in its country of origin, the United States, but is now extended throughout the month of November.
Although physical shops have joined in the Black Friday sales, the most significant volume of business is done in online shops. Hence, cyber-attacks against e-commerce can severely affect companies during these weeks.
This is all the more true when we consider that cybercriminals smell the opportunity to make money and try to take advantage of the significant increase in online sales during these weeks: it is estimated that Spaniards will spend an average of almost 300 euros per person this year.
Here are some of the keys to cyber-attacks against e-commerce that companies need to consider when designing their security strategy to prevent malicious actors from damaging the results of their Black Friday campaigns.
1. Direct economic frauds against e-commerce: Chargeback and bulk buying with bots
Although most cyber-attacks against e-commerce are aimed at committing financial fraud against consumers, in some cases, these frauds are directly targeting online shops:
- Chargeback. This is not a cyber-attack but a process that negatively affects a retailer. What does it involve? In e-commerce, purchases are made with fraudulent cards. So when the owner of the illegitimately used card detects the charge on his bank account, he proceeds to claim it back. As a result, the online shop has to refund the money charged for the product sold. If, in addition, the product has already been shipped or delivered, the company not only loses the sale but also the product sold.
- Mass purchases with bots. Cybercriminals take advantage of Black Friday and Cyber Monday discounts to make mass purchases of e-commerce products. How are these purchases handled? Using botnets. In this way, they manage to deplete the stock of the most attractive products in online shops in a short time and can then resell them at a higher price than they cost through the Dark Web, but also through other channels such as forums or Telegram groups, as is the case with audio-visual fraud.
2. Spear phishing to obtain customer lists for further attacks
In all digital frauds, technology and the human factor come into play. The weakest link in a company’s security strategy is usually people.
And cybercriminals know this better than anyone.
That is why one of the most popular models of cyber-attacks against e-commerce has as its central element the use of phishing to deceive the employees of businesses that run online shops.
This criminal model is similar to the one we have already described when dealing with tourism fraud. Cybercriminals target employees of the businesses they wish to attack and who may have access to customer and sales lists because of their role within their organizations.
Which professionals are we talking about? For example, the people in charge of processing the orders placed through an e-commerce site so that the goods consumers purchase reach their homes.
Once criminals know who they want to target, they launch spear-phishing campaigns to trick people into clicking on a malicious URL or downloading a malware-infected file. In this way, professionals unwittingly execute malware, most commonly an infostealer. Why?
This type of malware allows criminals to steal the credentials or session data that employees have stored on their computers, for example, in the browser, or to capture them by logging the keystrokes of those employees. What credentials are we talking about? Without going any further, the username and password to access the e-commerce platform from which all sales, order and customer data can be viewed. Critical information for committing fraud against those customers.
3. Social engineering to deceive consumers
Social engineering techniques are not only helpful in infiltrating business systems but are also used incessantly to trick and defraud the customers of retail companies. What cyber-attacks against e-commerce and their customers can be launched throughout the year, especially during Black Friday?
- Phishing to obtain access credentials to customer accounts in online shops. This fraud aims to get a user to provide their passwords to enter a particular e-commerce and, from their private area, to steal a gift card or any type of virtual balance provided by the business for Black Friday.
- Social engineering campaigns that take advantage of information obtained about a business’s customers to report a problem with a payment or offer an extra discount if payment is made immediately. Criminals impersonate the company and create fake payment pages and payment gateways so that customers enter their bank details, which are then used to commit financial fraud. The sense of immediacy plays a crucial role in this fraud.
- Phishing and mass smishing impersonate banks or transport companies and alert people to problems with supposed payments or shipments, incorporating URLs to fraudulent websites or links infected with malware. No specific information obtained during a previous attack against a particular company is used in this case. Still, the assumption is that most of the population makes online purchases during Black Friday.
4. Fake online shops to impersonate actual companies
In their daily work against fraud and piracy, cyber-intelligence professionals detect fake e-commerce sites that pretend to be the legitimate shops of retail companies known to consumers. What is the aim? To make people believe that they are on a genuine e-commerce site and make purchases there, providing their bank details to criminals and paying for products or services they will never receive.
This type of cyber-attack against e-commerce and its customers is highly sophisticated because the fake shops must maintain a visual appearance almost identical to that of the legitimate e-commerce site. This is why the companies impersonated in this fraud are mainly large ones with a large number of customers and, therefore, many potential victims.
How do malicious actors get consumers to land on these fake online shops? There are several strategies:
- Deploying social engineering campaigns that lure people to fake websites with exclusive discounts in the heat of Black Friday.
- Placing fraudulent e-commerce sites at the top of web search engine results, so that the illegitimate page appears when searching for a specific shop, or paying for advertisements on search engines to get the page seen by potential victims.
- Development of fake mobile applications that appear to be real so that consumers download and use them without detecting deception. This cyber-attack against e-commerce and its customers is becoming increasingly relevant in the face of the rise of mobile shopping.
- Typosquatting. Criminals create fraudulent e-commerce sites with addresses almost identical to those of real online shops and take advantage of the fact that consumers make a mistake when typing the address in the web browser.
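As an added example (not code from the original article), a defender-side check that flags domains from a feed which look like typosquats or homoglyph variants of a shop's own domain; the brand name and the observed domains are constructed samples.

```python
# Added example, not from the original article: flag look-alike domains that
# could be typosquats of a shop's own domain. Sample domains are constructed;
# in practice they would come from certificate transparency or registration feeds.

# Substitutions that make a label look like the brand; illustrative, not exhaustive.
LOOKALIKES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize(label: str) -> str:
    """Lower-case and undo common look-alike substitutions."""
    label = label.lower()
    for src, dst in LOOKALIKES:
        label = label.replace(src, dst)
    return label

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions (typos)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def registrable_label(domain: str) -> str:
    """Label left of the TLD; assumes single-label suffixes such as .com or .es."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(domain: str, brands, max_distance: int = 2):
    """Return (domain, brand, kind) for a suspicious domain, None if unrelated or legitimate."""
    label = registrable_label(domain)
    if label in brands:
        return None  # the shop's own registrable domain (any subdomain of it is fine)
    norm = normalize(label)
    for brand in brands:
        dist = osa_distance(norm, normalize(brand))
        if dist == 0:
            return (domain, brand, "homoglyph")      # differs only by look-alike characters
        if dist <= max_distance:
            return (domain, brand, "near-match")     # one or two keystrokes away
        if brand in norm:
            return (domain, brand, "contains-brand")  # e.g. brand-ofertas.com
    return None

def scan(domains, brands):
    """Return only the suspicious entries from a list of observed domains."""
    return [hit for hit in (classify(d, brands) for d in domains) if hit]

if __name__ == "__main__":
    observed = ["tiendaejemplo.com", "tiendaejempl0.com", "tiendaejmeplo.com",
                "tiendaejemplo-ofertas.com", "zapatosonline.com", "ofertas.tiendaejemplo.es"]
    for hit in scan(observed, {"tiendaejemplo"}):  # hypothetical shop brand
        print(hit)
```

Hits are a starting point for takedown requests, not proof of fraud: a shop's own regional or campaign domains should be added to the brand set so they are not flagged.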
5. Ransomware to hijack sensitive information
What if cybercriminals use phishing to deploy a ransomware attack instead of an infostealer?
This kind of malware is used to steal and encrypt a company’s (or a government’s) data, after which the criminals demand a ransom in exchange for decrypting the information and threaten to publish confidential business or customer data on the Dark Web or to sell it to the attacked company’s competitors.
Just as detection and response mechanisms have become more sophisticated over the years, so have cyber-attacks against e-commerce, making them more challenging to detect along the Cyber Kill Chain before the criminals achieve their goal: the hijacking of information.
Ransomware attacks are one of the main threats facing businesses in all sectors, and retail is no exception.
Moreover, the expansion of the Ransomware-as-a-Service (RaaS) model, whereby cybercriminal groups design, package and market such attacks, has multiplied the number of potential malicious actors. Why?
Ransomware-as-a-Service (RaaS) does not require attackers to have the knowledge, resources and expertise to design ransomware that can infect corporate systems and networks and persist undetected until its objectives are met. So, a criminal can subscribe to or join a RaaS via the Dark Web and launch an attack on any e-commerce site to extort money from its owners.
The publication of customer bank details can have catastrophic financial, legal and reputational repercussions for a company.
6. E-skimming: Stealing customers’ credit card data
Phishing campaigns or, more specifically, spear phishing are the entry vector for attacks that access or hijack customer data, but they can also be the starting point for another kind of cyber-attack against e-commerce that should be taken into account: e-skimming.
What is e-skimming? Once criminals are inside an e-commerce system, they modify the source code of the online shop so that when customers enter their personal and bank details, these are sent not only to the bank through which the payment is made but also to the cybercriminals.
This threat mainly affects companies that have integrated payment gateways in their e-commerce. These are usually large companies with greater resources and turnover.
However, criminals can also attack the payment gateways of banks and companies specializing in these services. This is why it is so important for these actors to carry out security audits in advanced banking environments.
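The e-skimming modification described above changes the scripts and form targets of the checkout page, which is exactly what a periodic integrity check of that page can catch. As an added example (not code from the original article), the following audit parses a constructed checkout page and reports script hosts, missing SRI attributes, inline scripts and form targets that do not match the allowlist the shop approved at deploy time; all hostnames are hypothetical.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the shop's checkout page with one injected third-party script and
# one injected inline script, the kind of change an e-skimming attacker makes.
CHECKOUT_HTML = """<html><body>
<form id="pay" action="https://pay.example-bank.test/checkout" method="post">
  <input name="card"><input name="cvv"><button>Pay</button>
</form>
<script src="https://shop.example.test/static/checkout.js" integrity="sha384-abc"></script>
<script src="https://cdn.stats-collector.invalid/c.js"></script>
<script>document.getElementById('pay').addEventListener('submit', skim);</script>
</body></html>"""

# Allowlists recorded when the page was reviewed and deployed (hypothetical values).
ALLOWED_SCRIPT_HOSTS = {"shop.example.test"}
ALLOWED_FORM_HOSTS = {"pay.example-bank.test"}
APPROVED_INLINE_SHA256 = set()  # no inline scripts were approved on this page

class CheckoutAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._inline = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src is None:
                self._in_script, self._inline = True, []
                return
            host = urlparse(src).hostname or ""
            if host not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(("unexpected-script-host", host))
            elif "integrity" not in a:  # allowed host but no Subresource Integrity pin
                self.findings.append(("missing-sri", src))
        elif tag == "form":
            host = urlparse(a.get("action") or "").hostname or ""
            if host not in ALLOWED_FORM_HOSTS:
                self.findings.append(("unexpected-form-target", host))

    def handle_data(self, data):
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            digest = hashlib.sha256("".join(self._inline).encode()).hexdigest()
            if digest not in APPROVED_INLINE_SHA256:
                self.findings.append(("unapproved-inline-script", digest[:12]))

def audit(html: str):
    """Return (kind, detail) findings; an unmodified page yields an empty list."""
    parser = CheckoutAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Running the audit on a copy of the live page fetched from outside the shop's network, and alerting on any non-empty result, turns the silent code change into a detectable event.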
7. Denial-of-service attacks: Extortion and paralysis of activity
Denial-of-service (DoS) attacks and their advanced version, distributed denial-of-service (DDoS) attacks using botnets, are among the most common cyber-attacks against e-commerce. The goal of criminals is to overwhelm the resources of the online shops they attack so that their servers cannot handle legitimate customer requests. The result is a service disruption that breaks business continuity, which is a severe issue during Black Friday or Cyber Monday.
As with ransomware attacks, DDoS attacks have grown exponentially in recent years, especially in the heat of two phenomena:
- RDDoS attacks. In exchange for not carrying out a denial-of-service attack or ending a campaign, criminals demand a ransom payment, as in the case of ransomware incidents.
- DDoS-as-a-Service. This cyber-attack against e-commerce has also become packaged, opening the door to thousands of malicious actors who do not have the knowledge and technological resources to develop and implement this attack on their own.
E-commerce is especially vulnerable to DoS and DDoS attacks during the busiest sales days of the year because the loss of revenue associated with being unable to sell products or services can reach magnitudes that significantly impact year-end business profits.
8. Money, data and laxer regulation: Why do attackers target the retail sector?
Having explored some of the tactics, techniques and procedures (TTPs) of malicious actors when designing and executing cyberattacks against e-commerce and their customers, we must now look at the reasons behind the interest of criminals in the retail sector throughout the year, particularly during the days of Black Friday and Cyber Monday.
- Money. As we indicated at the beginning of the article, millions of online purchases are made on Black Friday. This logically translates into substantial economic income for companies that have e-commerce. Malicious actors can obtain significant financial gains by accessing a business’s customer lists and setting up digital scams. In addition, companies may be more willing to pay expensive ransoms to stop ransomware or DDoS attacks.
- Data. As the number of consumers buying products through online stores increases, so does the amount of data stored on web platforms and mobile apps, so a successful ransomware attack can be much more lucrative than at other times of the year.
- Regulations. In recent years, several laws have been approved within the EU to increase the cybersecurity requirements that companies have to comply with, such as the DORA regulation (which affects the financial sector) or the NIS2 directive, which establishes 15 critical sectors with higher security requirements (transport, energy, health…). Retail is not one of them. Hence, many retail companies still need to reach higher levels of cybersecurity maturity.
9. Cyber-attacks against e-commerce target all kinds of businesses
The ecosystem of companies dedicated to retail is atomized, unlike some sectors we mentioned earlier, such as the financial sector, where there are fewer companies and, therefore, their size and available resources are larger.
What does this mean? The cybersecurity posture of companies in the sector is very diverse. Large retail companies have advanced security programs to deal with the ongoing attacks put in place by the many criminal groups. This means that cybersecurity has become central to the business strategy of multinational retail companies.
However, hundreds of thousands of SMEs and even freelancers have e-commerce to market their products and services.
Many small businesses do not have a cybersecurity strategy because they believe that only large companies are targeted by criminals. However, cyberattack data belies this belief. What’s more, the impact of security incidents can be lethal for SMEs. Google’s report on the cybersecurity landscape in Spain claims that 60% of small and medium-sized companies that are victims of successful cyberattacks end up closing within six months.
The absence of mechanisms to detect suspicious events such as irregular web traffic, the lack of awareness to implement good practices to prevent the success of phishing campaigns or measures such as multifactor authentication can facilitate the execution of cyberattacks and lead to severe economic and reputational consequences.
Even more so at such a delicate time as the end of the year, when there is a succession of commercial campaigns for Black Friday and Christmas.
10. Preventing, detecting and responding to cyber-attacks against e-commerce
What can companies do to combat cyber-attacks against e-commerce and the consumers who buy products from them? Call in cyber intelligence and cybersecurity services to understand how malicious actors operate, take a proactive stance to anticipate them and optimize defense mechanisms.
Not all businesses operating in the retail sector can devote the same amount of human and financial resources to improving their cybersecurity posture, nor do they face the same threats or criminal groups with the same expertise and resources.
For large retail companies, it is essential to have advanced cybersecurity services in place to protect their digital assets. Still, they must also turn to cyber intelligence professionals to understand how malicious actors operate and combat online fraud and hacking. Even more so, if possible, before and during Black Friday and Christmas when digital sales experience significant growth.
For their part, SMEs and small e-commerce should prioritize cybersecurity and improve their incident detection and response mechanisms to prevent incidents from jeopardizing business continuity and generating economic losses at such a critical time as the last two months of the year.
10.1. Cybersecurity and cyber intelligence to combat security incidents and frauds
What cybersecurity and cyber intelligence services can significantly add value in curbing criminal activity throughout the year, especially during Black Friday and the holiday season?
- Threat environment analysis of an e-shop to detect risks and vulnerabilities and mitigate them before they are successfully exploited.
- Source code audits and security testing of web applications, APIs and mobile applications to detect and fix vulnerabilities.
- Fraud investigation, for example, to detect fake websites and remove them before they are used to complete a fraud.
- Brand and product protection services to fight against online piracy.
- Social engineering and phishing tests to simulate fraudulent campaigns and improve the training and capacity building of a company’s professionals.
- DoS tests against e-commerce to simulate attacks in controlled environments, obtain actual load test data, check response times and evaluate backend systems’ resilience and ability to auto-scale.
- Vulnerability management and emerging vulnerability detection services to detect e-commerce assets exposed to critical vulnerabilities and prioritize their mitigation.
In short, cyber-attacks against e-commerce can cause considerable economic losses, including the loss of profits associated with the paralysis of activities and reputational losses. Companies with online stores, particularly those whose business model is based solely on this marketing channel, must resort to cybersecurity and cyber intelligence services. To what end? To protect their business and their customers. Especially at a critical time like Black Friday and Christmas, when a large part of the annual turnover is obtained.
This article is part of a series of articles about Digital Fraud
- Counter-Phishing: Anticipating the criminals
- Stolen accounts, IPTV apps and pirate platforms: how audiovisual fraud works
- Hacking of social network accounts and creation of fake profiles: No one is safe
- SIM swapping, when your phone, and your money, are out in the open
- How do cybercriminals carry out fraud in the tourism sector?
- Black Friday alert! 10 keys to cyber-attacks against e-commerce and their customers
- Digital asset theft: Easy money for cybercriminals