Industry Trends

Discussing Threats Around Online Shopping

By Derek Manky and Aamir Lakhani | November 27, 2020

FortiGuard Labs Perspectives

As many prepare for the holiday season and online shopping remains top of mind, cybercriminals are dusting off their old tricks and preparing for one of the busiest times of the year. The COVID-19 pandemic already drove an increase in online activity earlier this year and cyber adversaries have continued to leverage it as an opportunity for their attacks. They are now looking to target the higher traffic flows online as shoppers look for the latest holiday deals. Fortinet’s FortiGuard Labs’ Derek Manky and Aamir Lakhani provide some insight into how shoppers and enterprises can protect themselves. 

Q: How has the threat landscape grown in regards to e-commerce related attacks? 

Derek: - I think the holiday season for online shopping has definitely been a big driver to the growth of e-commerce-related attacks. Ever since the pandemic, people have naturally turned to online services, so the distribution of e-commerce attack attempts has increased. We’ve seen this surge before, but the difference now is that this surge is becoming a wave. Since the beginning of September, FortiGuard Labs research has shown a very steady, consistent wave of e-commerce attack type attempts. In October, we saw over a billion different attempts which is almost a 140% increase compared to last month. We also are seeing attacks that are preying on shoppers with fake advertisements and phishing.

Q: What are some growing cyberattack trends you’ve seen in the e-commerce space?

Aamir - It seems like the entirety of 2020 has been a constant online sale season. There are virtual queues for people to wait in, items running out of stock before you can make it to check out, and sometimes slower web processing due to high traffic. Attackers understand this and continue to launch attacks on shoppers attempting to exploit this reality. The most common attack trends are through phishing, malware, or man-in-the-middle attacks to take over wireless or proxy servers. They’re trying to direct online activity to a specific place, intercept transactions, or trick users in some way for their benefit. Unfortunately, businesses are susceptible to having information stolen too. The online holiday shopping season is usually a hugely profitable period for retailers, but cyberattacks have the ability to turn that all around. 

Derek - Web-based malware is definitely the most common attack form during the online shopping season. Cybercriminals place links or ads on trusted websites to lead shoppers away from the secure site they are browsing. This usually comes in the form of irresistible deals showing up on their page, to entice users into clicking on the link. It’s easy for them and efficient. We’ve also seen an increase in IoT and router-based attacks, mainly as a result of increased reliance on the home network—from work to e-learning. Cybercriminals aim to gain access to corporate information through home routers and online shopping or browsing.

Q: What advice would you give consumers leading into the online holiday shopping season?

Aamir - Pay special attention to what sites you’re visiting. In the rush and excitement of the shopping season, people tend to become less aware of their surroundings, so always double-check the validity of the site before purchasing anything. Be aware of deals that seem too good to be true. I personally make sure I am buying from well-known business establishments. Go to reputable websites or e-commerce sites that you've heard of before, because those will hopefully be safer. Of course, there are plenty of reputable local businesses as well. Make sure you have a good security software set up on your systems that will actively look for malware URLs, phishing URLs, and other types of malware that can get in your system. I would also recommend looking for more secure payment options. For example, some banks have begun offering things like dissolvable credit card numbers that are generated for a single transaction. Taking some refreshed information security awareness training is important too. 

Derek - I agree, being aware of the surroundings is definitely key. There’s a false sense of security people fall into when it comes to these virtual worlds. It’s important to make sure all devices are also up to date with necessary software patches. Accessing Public Wi-Fi via your personal or work devices tends to be a major security issue as well. Cybercriminals can leverage Rogue Access Points (APs) to hijack public Wi-Fi servers and gain access to your devices. I would advise against connecting to public servers unless connecting through a secure VPN connection. This is definitely a matter of remaining educated and aware of the potential threats and what to do to protect yourself. I agree information security awareness is key.

Q: What should enterprises do to secure their sites and protect customer data in the future? 

Derek - Outdated security is a big reason for repeated cyberattacks. We're still seeing basic misconfigurations on storage buckets and public cloud computing access systems. Some organizations need to have their systems more up to date to avoid attacks on vulnerabilities that already have solutions. Multi-factor authentication has also been adopted by many enterprises and is a relatively easy way to secure the traffic and lock down some of the basic misconfigurations. 

Aamir - Having up-to-date infrastructure definitely makes a difference. For those that do upgrade their websites, they may be upgrading the back end infrastructure of the website, but not necessarily be upgrading the e-commerce piece. E-Commerace systems are complicated, and have many moving parts, incuding supporting software and plugins that are sometimes managed and patched independently from the primary e-commerce application or website. In some cases, a single application suite can be upgraded, in more complicated systems, websites, databases, plug-ins, and supply chain software has to be managed, checked for vulnerabilities, and be upgraded. Best case scenario, all they have to do is upgrade a plug-in, worst case, it is something that is customized or very integrated into the system itself so it is hard to upgrade. Even seasoned security professionals have a difficult time securing all the pieces of these complicated systems, and sometimes vulnerabilities remain unpatched for long time. Attackers know about this, which is why they go back to old attacks because they have had success before. 

Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolioSign up for the weekly Threat Brief from FortiGuard Labs. 

Learn more about Fortinet’s free cybersecurity training initiative or about the Fortinet Network Security Expert programNetwork Security Academy program, and FortiVet program.