The Hidden Costs Behind Black Friday Bargains

The pandemic forced businesses to become creative and go digital as increasing online traffic acted as a catalyst for the inevitable rise of e-commerce retailing. According to data published by Statista, there are nearly 60 million e-commerce users now in the UK. Looking at how much is spent, statistics published by the Office for National Statistics show that in September this year [2022], 25% of retail sales were online. While this is a decline compared to online spending during the pandemic, it is still above the average 21% recorded towards the end of 2019.

With the current economic climate also squeezing many purses, there is likely to be a spike in online sales this November, as has been seen in previous years, as many capitalise on Black Friday sales. 

However, wherever there is this much activity, cyber criminals are waiting to pounce.

Stop Being An Easy Target 

Cyber criminals are constantly on the lookout for e-commerce victims to scam and Black Friday presents the perfect opportunity. Scammers will look to steal data, particularly credit card information shared during transactions. This information offers attackers a double payout as they can use the card details themselves for purchases, while also selling the data to other criminals on the Dark Web. And it's not just data that consumers can lose as fake promotions are also in abundance.

POS systems, in-store mobile devices and the rise of e-commerce platforms have all expanded the attack surface. This creates new opportunities for cyber attackers to get their hands on valuable customer data. The focus for most IT teams this time of year is on uptime, performance, throughput and availability to optimise retail transactions.

But timely patching and other security related updates shouldn’t fall by the wayside.

One of the most common attacks on e-commerce portals is SQL injection. Attackers abuse the input fields that consumers use to provide their personal details, search for goods, and use other functionality that enhances the customer experience. For example, sites have free-text areas that consumers complete - with address details or delivery instructions - an operation that is repeated millions of times a day across thousands of e-commerce portals. Criminals look for these free-form fields and, instead of the expected text, insert malicious code that seeks to exploit vulnerabilities in the back-end software.
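To make the risk concrete, the following is an added example written for this page, not code from the article or from Tenable. It assumes a hypothetical product search box on a shop front, backed by a small constructed SQLite catalogue. The first function builds the query by pasting the search text into the SQL string, which is the defect the paragraph describes; the second hands the text to the database as a bound parameter, which is the standard fix. A third helper shows that the string-built query already misbehaves on perfectly ordinary input such as a surname containing an apostrophe.

```python
import sqlite3

# Constructed sample catalogue for this example (not data from the article).
# The 'published' flag marks a row the shop front should never return,
# standing in for any back-end data a customer must not be able to reach.
PRODUCTS = [
    ("Noise-cancelling headphones", 59.99, 1),
    ("55-inch smart TV", 499.00, 1),
    ("Staff-only test SKU", 0.01, 0),
]


def make_db():
    """Create an in-memory SQLite database holding the sample catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL, published INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Builds the query by string formatting (the defect).

    A quote character in the search text closes the string literal, so the
    rest of the input is parsed as SQL instead of being compared as data.
    The published = 1 restriction can therefore be bypassed.
    """
    sql = f"SELECT name FROM products WHERE published = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Passes the search text as a bound parameter (the fix).

    The '?' placeholder sends the value to the engine separately from the
    query text, so whatever characters it contains it is only ever data.
    """
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def vulnerable_breaks_on(conn, term):
    """True if the string-built query fails to parse for this input.

    Useful as a quick regression check: a search endpoint that errors on
    an apostrophe is a strong sign it is concatenating user input into SQL.
    """
    try:
        search_vulnerable(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR 1=1 --"  # closes the literal, then comments out the rest
    print("safe, normal term:   ", search_safe(db, "TV"))
    print("safe, crafted term:  ", search_safe(db, crafted))
    print("vulnerable, crafted: ", search_vulnerable(db, crafted))
    print("vulnerable, O'Brien: ", vulnerable_breaks_on(db, "O'Brien"))
```

Run as a script, the safe search returns only the matching published product for a normal term and nothing for the crafted one, while the string-built query returns every row including the unpublished one. The same parameter-binding pattern applies to the address and delivery-instruction fields mentioned above: the fix is to keep user text out of the query string entirely, not to try to filter dangerous characters.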

It was recently reported by Sansec that at least seven hacking groups were targeting Magento 2 websites with 'TrojanOrders' attacks, exploiting a vulnerability to inject malicious JavaScript code into an online store's website. Having compromised the store, threat actors can steal customers' information and credit card numbers as those customers make a purchase.

Having compromised a website, scammers will then use phishing messages to dupe unsuspecting consumers into visiting the site to complete the heist. This is made easier in the run-up to the festive season, when shoppers expect many retail brands to run promotions. Emails purporting to offer expensive big-ticket items at vastly reduced prices would normally raise alarm bells, but at a time when steep discounts are everywhere it becomes harder to tell fact from fiction. Links embedded in these messages direct the user to websites the attackers have already compromised.

Making It Harder For Scammers

To make sure cyber grinches aren’t hiding within the infrastructure, retailers should perform a rigorous assessment of their systems to identify any vulnerable platforms that present a potential target for attackers seeking to steal consumer data. Having identified any vulnerabilities or misconfigurations in back-end systems, retailers should work to resolve them quickly, applying software updates where available, or limiting access to systems that can’t be updated, to reduce the risk of an attacker exploiting them.

Investing in best practice cyber security should be a priority for today’s retail sector.

Neutralising cyber threats, vigilantly protecting consumer data across all channels and creating secure payment card transactions will be what protects businesses and their customers. Increased visibility into all assets, the network, and domains (including sub-domains) will provide retailers with an effective way to prioritise threats, reduce cyber risk and ensure they’re able to thrive in this festive season and beyond.

Retailers who fail to take precautionary measures risk major impacts to their bottom line, brand integrity and business continuity.

Bernard Montel is Technical Director of EMEA for Tenable
