The Hidden Costs Behind Black Friday Bargains

Uploaded on 2022-11-18 in NEWS-Cybersecurity News, FREE TO VIEW

The pandemic forced businesses to become creative and go digital as increasing online traffic acted as a catalyst for the inevitable rise of e-commerce retailing. According to data published by Statista, there are nearly 60 million e-commerce users now in the UK. Looking at how much is spent, statistics published by the Office for National Statistics show that in September this year [2022], 25% of retail sales were online. While this is a decline compared to online spending during the pandemic, it is still above the average 21% recorded towards the end of 2019.

With the current economic climate also squeezing many purses, there is likely to be a spike in online sales this November, as has been seen in previous years, as many capitalise on Black Friday sales. 

However, where there is action there are cyber hackers waiting to pounce. 

Stop Being An Easy Target 

Cyber criminals are constantly on the lookout for e-commerce victims to scam and Black Friday presents the perfect opportunity. Scammers will look to steal data, particularly credit card information shared during transactions. This information offers attackers a double payout as they can use the card details themselves for purchases, while also selling the data to other criminals on the Dark Web. And it's not just data that consumers can lose as fake promotions are also in abundance.

POS systems, in-store mobile devices and the rise of e-commerce platforms have all expanded the attack surface. This creates new opportunities for cyber attackers to get their hands on valuable customer data. The focus for most IT teams this time of year is on uptime, performance, throughput and availability to optimise retail transactions.

But timely patching and other security related updates shouldn’t fall by the wayside.

One of the most common attacks on e-commerce portals are SQL code injection attacks. This means that attackers abuse the fields that consumers use to provide their personal details, search for goods, and other functionality that enhances the customer experience. For example, sites will have free-text areas that consumers complete - with address details or delivery instructions - an operation that is replicated millions of times a day, in thousands of e-commerce portals. Criminals look for these free forms and instead insert a malicious code seeking to exploit vulnerabilities in the back-end software.

It was recently reported by Sansec that at least seven hacking groups were targeting Magento 2 websites with 'TrojanOrders' attacks, exploiting a vulnerability to inject malicious JavaScript code into an online store's website. Having compromised the store, threat actors can steal customers' information and credit card numbers when making a purchase.

Having compromised a website, scammers will then use phishing messages to dupe unsuspecting consumers to visit the site to complete the heist. This is made easier in the run up to the festive season with shoppers expecting many retail brands to run promotions. While emails purporting to offer expensive ticket items at vastly reduced prices would normally raise alarm bells. At a time when high discounts are offered, it can make it harder to detect fact from fiction. Links embedded in these messages direct the user to websites hackers have already hacked.

Making It Harder For Scammers

To make sure cyber grinches aren’t hiding within the infrastructure, retailers should perform a rigorous assessment of their systems to identify any vulnerable platforms that present a potential target for attackers to steal consumer data. Having identified any vulnerabilities or misconfigurations that exist in back-end systems, retailers should work to resolve these issues quickly, applying software updates if available, or limit access to those that can’t be updated to reduce the risk of an attacker exploiting the system

Investing in best practice cyber security should be a priority for today’s retail sector.

Neutralising cyber threats, vigilantly protecting consumer data across all channels and creating secure payment card transactions will be what protects businesses and their customers. Increased visibility into all assets, the network, and domains (including sub-domains) will provide retailers with an effective way to prioritise threats, reduce cyber risk and ensure they’re able to thrive in this festive season and beyond.

Retailers who fail to take precautionary measures risk major impacts to their bottom line, brand integrity and business continuity.  

Bernard Montel is Technical Director of EMEA for Tenable

You Might Also Read:

E-Commerce Site Exposed Children Worldwide:

 

« Cybersecurity Awareness: Simple Actions To Dial Up Digital Defences
Detected - A Hard Matching Vulnerability Which Enables Azure AD Account Takeover »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Social-Engineer

Social-Engineer

Social-Engineer is a team of outside–the–box thinkers that share a common focus on human-to-human social engineering.

GrammaTech

GrammaTech

GrammaTech is a leading developer of software-assurance tools and advanced cyber-security solutions.

NICE Systems

NICE Systems

NICE Systems provide software solutions to ensure compliance, fight financial crime, and safeguard people and assets.

Japan Network Security Association (JNSA)

Japan Network Security Association (JNSA)

JNSA's goal is to promote standardization related to network security and to contribute to greater technological standards in the field.

Privitar

Privitar

Privitar is leading the development and adoption of privacy engineering technology enabling our customers to innovate and leverage data with an uncompromising approach to data privacy.

Teramind

Teramind

Teramind provides a user-centric security approach to monitor employee behavior in order to identify suspicious activity, detect possible threats, monitor efficiency, and ensure industry compliance.

US Secret Service

US Secret Service

The US Secret Service has a pivotal role in securing the nation’s critical infrastructures, specifically in the areas of cyber, banking and finance.

Innosphere Ventures

Innosphere Ventures

Innosphere Ventures is Colorado’s leading science and technology incubator, accelerating the success of high-impact startup and scaleup companies.

Marlabs

Marlabs

Marlabs is a Digital Technology Solutions company that helps companies adopt digital transformation using a comprehensive framework including Digital Automation, Enterprise Analytics and Security.

ENSCO

ENSCO

The ENSCO group of companies provides engineering, science and advanced technology solutions that guarantee mission success, safety and security to governments and private industries worldwide.

Trilateral Research

Trilateral Research

Trilateral Research provide regulatory and policy advice; develop new data-driven technologies and contribute to the latest standards in safeguarding privacy, ethics and human rights.

Protexxa

Protexxa

Protexxa is a B2B SaaS cybersecurity platform that leverages Artificial Intelligence to rapidly identify, evaluate, predict, and resolve cyber issues for employees.

Synoptek

Synoptek

Synoptek is a global systems integrator and managed IT services provider (MSP). We offer comprehensive IT management and consultancy services to organizations worldwide.

Securin

Securin

Securin offers a comprehensive portfolio of solutions including Attack Surface Management, Vulnerability Intelligence, Penetration Testing, and Vulnerability Management.

Tychon

Tychon

Tychon develops advanced enterprise endpoint management technology that enables commercial and government organizations to bridge the gap between security and IT operations.

ioSENTRIX

ioSENTRIX

ioSENTRIX offers tailored, risk-focused assessments that reduce true business risk.