The Hidden Costs Behind Black Friday Bargains

The pandemic forced businesses to become creative and go digital as increasing online traffic acted as a catalyst for the inevitable rise of e-commerce retailing. According to data published by Statista, there are nearly 60 million e-commerce users now in the UK. Looking at how much is spent, statistics published by the Office for National Statistics show that in September this year [2022], 25% of retail sales were online. While this is a decline compared to online spending during the pandemic, it is still above the average 21% recorded towards the end of 2019.

With the current economic climate also squeezing many purses, there is likely to be a spike in online sales this November, as has been seen in previous years, as many capitalise on Black Friday sales. 

However, where there is action there are cyber hackers waiting to pounce. 

Stop Being An Easy Target 

Cyber criminals are constantly on the lookout for e-commerce victims to scam and Black Friday presents the perfect opportunity. Scammers will look to steal data, particularly credit card information shared during transactions. This information offers attackers a double payout as they can use the card details themselves for purchases, while also selling the data to other criminals on the Dark Web. And it's not just data that consumers can lose as fake promotions are also in abundance.

POS systems, in-store mobile devices and the rise of e-commerce platforms have all expanded the attack surface. This creates new opportunities for cyber attackers to get their hands on valuable customer data. The focus for most IT teams this time of year is on uptime, performance, throughput and availability to optimise retail transactions.

But timely patching and other security related updates shouldn’t fall by the wayside.

One of the most common attacks on e-commerce portals are SQL code injection attacks. This means that attackers abuse the fields that consumers use to provide their personal details, search for goods, and other functionality that enhances the customer experience. For example, sites will have free-text areas that consumers complete - with address details or delivery instructions - an operation that is replicated millions of times a day, in thousands of e-commerce portals. Criminals look for these free forms and instead insert a malicious code seeking to exploit vulnerabilities in the back-end software.

It was recently reported by Sansec that at least seven hacking groups were targeting Magento 2 websites with 'TrojanOrders' attacks, exploiting a vulnerability to inject malicious JavaScript code into an online store's website. Having compromised the store, threat actors can steal customers' information and credit card numbers when making a purchase.

Having compromised a website, scammers will then use phishing messages to dupe unsuspecting consumers to visit the site to complete the heist. This is made easier in the run up to the festive season with shoppers expecting many retail brands to run promotions. While emails purporting to offer expensive ticket items at vastly reduced prices would normally raise alarm bells. At a time when high discounts are offered, it can make it harder to detect fact from fiction. Links embedded in these messages direct the user to websites hackers have already hacked.

Making It Harder For Scammers

To make sure cyber grinches aren’t hiding within the infrastructure, retailers should perform a rigorous assessment of their systems to identify any vulnerable platforms that present a potential target for attackers to steal consumer data. Having identified any vulnerabilities or misconfigurations that exist in back-end systems, retailers should work to resolve these issues quickly, applying software updates if available, or limit access to those that can’t be updated to reduce the risk of an attacker exploiting the system

Investing in best practice cyber security should be a priority for today’s retail sector.

Neutralising cyber threats, vigilantly protecting consumer data across all channels and creating secure payment card transactions will be what protects businesses and their customers. Increased visibility into all assets, the network, and domains (including sub-domains) will provide retailers with an effective way to prioritise threats, reduce cyber risk and ensure they’re able to thrive in this festive season and beyond.

Retailers who fail to take precautionary measures risk major impacts to their bottom line, brand integrity and business continuity.  

Bernard Montel is Technical Director of EMEA for Tenable

You Might Also Read:

E-Commerce Site Exposed Children Worldwide:

 

« Cybersecurity Awareness: Simple Actions To Dial Up Digital Defences
Detected - A Hard Matching Vulnerability Which Enables Azure AD Account Takeover »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Teneo

Teneo

Teneo is a Solutions Provider focused on reducing complexity. We combine leading technology with deep expertise to create new ideas on how to simplify IT operations.

Qualys

Qualys

Qualys is a pioneer and leading provider of cloud security and compliance solutions.

MSAB

MSAB

MSAB is a pioneer in forensic technology for mobile device examination.

CYBER 1

CYBER 1

CYBER 1 provides cyber security solutions to customers wanting to be resilient against new and existing threats.

CSIRT Panama

CSIRT Panama

CSIRT Panama is the national Computer Incident Response Team for Panama.

Executive Women's Forum (EWF)

Executive Women's Forum (EWF)

The Executive Women's Forum is the largest member organization serving emerging leaders and influential female executives in the Information Security, Risk Management and Privacy industries.

The Data Privacy Group

The Data Privacy Group

The Data Privacy Group provide expert professional services underpinned by world leading automation tools and a consulting team specialized in privacy and data protection.

Bottomline Technologies

Bottomline Technologies

Bottomline Technologies is an innovator in business payment automation technology, helping companies make complex business payments simple, smart and secure.

BrainChip

BrainChip

BrainChip is the leading provider of neuromorphic computing solutions, a type of artificial intelligence that is inspired by the biology of the human neuron - spiking neural networks.

CloudMask

CloudMask

CloudMask patent technology provides Dynamic Data Masking (DDM) that masks sensitive data, structured or non-structured, in real-time.

HKCERT

HKCERT

HKCERT is the centre for coordination of computer security incident response for local enterprises and Internet Users in Hong Kong.

Procsima Group

Procsima Group

Procsima Group was created to help you achieve good IT management and security excellence.

BugDazz

BugDazz

BugDazz pentest as a service (PTaaS) platform helps bringing in real-time results, detail coverage, & easy remediation workflows with compliance-ready reports.

Cybergroot

Cybergroot

Cybergroot provides Cybersecurity Assessment services and professional Information Security trainings.

Sidcon International Consulting Company

Sidcon International Consulting Company

SIDCON International Consulting Company has been providing consulting services since 2002 for private and public organizations in Ukraine and other countries.

Securily

Securily

Securily offers the ultimate solution for small to medium-sized businesses, blending cutting-edge AI with expert human insight to deliver the world’s easiest and most effective pentesting experience.