The Hidden Costs Behind Black Friday Bargains

Uploaded on 2022-11-18 in NEWS-News Analysis, FREE TO VIEW

The pandemic forced businesses to become creative and go digital as increasing online traffic acted as a catalyst for the inevitable rise of e-commerce retailing. According to data published by Statista, there are nearly 60 million e-commerce users now in the UK. Looking at how much is spent, statistics published by the Office for National Statistics show that in September this year [2022], 25% of retail sales were online. While this is a decline compared to online spending during the pandemic, it is still above the average 21% recorded towards the end of 2019.

With the current economic climate also squeezing many purses, there is likely to be a spike in online sales this November, as has been seen in previous years, as many capitalise on Black Friday sales. 

However, where there is action there are cyber hackers waiting to pounce. 

Stop Being An Easy Target 

Cyber criminals are constantly on the lookout for e-commerce victims to scam and Black Friday presents the perfect opportunity. Scammers will look to steal data, particularly credit card information shared during transactions. This information offers attackers a double payout as they can use the card details themselves for purchases, while also selling the data to other criminals on the Dark Web. And it's not just data that consumers can lose as fake promotions are also in abundance.

POS systems, in-store mobile devices and the rise of e-commerce platforms have all expanded the attack surface. This creates new opportunities for cyber attackers to get their hands on valuable customer data. The focus for most IT teams this time of year is on uptime, performance, throughput and availability to optimise retail transactions.

But timely patching and other security related updates shouldn’t fall by the wayside.

One of the most common attacks on e-commerce portals are SQL code injection attacks. This means that attackers abuse the fields that consumers use to provide their personal details, search for goods, and other functionality that enhances the customer experience. For example, sites will have free-text areas that consumers complete - with address details or delivery instructions - an operation that is replicated millions of times a day, in thousands of e-commerce portals. Criminals look for these free forms and instead insert a malicious code seeking to exploit vulnerabilities in the back-end software.

It was recently reported by Sansec that at least seven hacking groups were targeting Magento 2 websites with 'TrojanOrders' attacks, exploiting a vulnerability to inject malicious JavaScript code into an online store's website. Having compromised the store, threat actors can steal customers' information and credit card numbers when making a purchase.

Having compromised a website, scammers will then use phishing messages to dupe unsuspecting consumers to visit the site to complete the heist. This is made easier in the run up to the festive season with shoppers expecting many retail brands to run promotions. While emails purporting to offer expensive ticket items at vastly reduced prices would normally raise alarm bells. At a time when high discounts are offered, it can make it harder to detect fact from fiction. Links embedded in these messages direct the user to websites hackers have already hacked.

Making It Harder For Scammers

To make sure cyber grinches aren’t hiding within the infrastructure, retailers should perform a rigorous assessment of their systems to identify any vulnerable platforms that present a potential target for attackers to steal consumer data. Having identified any vulnerabilities or misconfigurations that exist in back-end systems, retailers should work to resolve these issues quickly, applying software updates if available, or limit access to those that can’t be updated to reduce the risk of an attacker exploiting the system

Investing in best practice cyber security should be a priority for today’s retail sector.

Neutralising cyber threats, vigilantly protecting consumer data across all channels and creating secure payment card transactions will be what protects businesses and their customers. Increased visibility into all assets, the network, and domains (including sub-domains) will provide retailers with an effective way to prioritise threats, reduce cyber risk and ensure they’re able to thrive in this festive season and beyond.

Retailers who fail to take precautionary measures risk major impacts to their bottom line, brand integrity and business continuity.  

Bernard Montel is Technical Director of EMEA for Tenable

You Might Also Read:

E-Commerce Site Exposed Children Worldwide:

 

« Cybersecurity Awareness: Simple Actions To Dial Up Digital Defences
Detected - A Hard Matching Vulnerability Which Enables Azure AD Account Takeover »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Council of European Professional Informatics Societies (CEPIS)

Council of European Professional Informatics Societies (CEPIS)

CEPIS is the representative body of national informatics associations throughout Europe and represent over 450,000 ICT and informatics professionals in 32 countries.

BackBox Software

BackBox Software

BackBox is a leading provider of solutions for automated backup and recovery software for security and network devices.

CamCERT

CamCERT

CamCERT is the national Computer Emergency Response Team for Cambodia.

Tigerscheme

Tigerscheme

Tigerscheme is a certification scheme for information security specialists, backed by University standards and covering a wide range of expertise.

Cybertech

Cybertech

Cybertech Conference & Exhibition presents commercial problem solving strategies and solutions for the global cyber threat that meet the diverse challenges for a wide range of sectors.

iSolutions

iSolutions

iSolutions is an official reseller and engineering company of leading products and solutions for cybersecurity and information protection, optimization, visualization and control of applications

Emagined Security

Emagined Security

Emagined Security is a leading provider of professional services for Information Security and Compliance solutions.

Industrial Defender

Industrial Defender

Committed to ICS Cybersecurity. Industrial Defender provides a fully automated solution to discover, track and report on assets across your ICS footprint.

Netography

Netography

Netography provides a scalable and reliable platform for detection & remediation of cyber threats found on your network.

EYE Security

EYE Security

EYE provides enterprise-grade cyber security services and cyber insurance to SMEs in Europe, Cyber Incident Response and strategic advice in board rooms.

Association of anti Virus Asia Researchers (AVAR)

Association of anti Virus Asia Researchers (AVAR)

AVAR's mission is to prevent the spread of and damage caused by malicious software, and to develop cooperative relationships among anti-malware experts in Asia.

CrowdSec

CrowdSec

CrowdSec is an open-source & participative IPS able to analyze visitor behavior by parsing logs & provide an adapted response to all kinds of attacks.

Navisite

Navisite

Navisite is a combination of eight respected IT consulting and managed service providers that were brought together under the Navisite brand.

OX Security

OX Security

OX is a DevOps software supply chain security solution. Teams can verify the integrity and security of every artifact using a pipeline bill of materials (PBOM).

risk3sixty

risk3sixty

Risk3sixty are information and cyber risk management craftsmen helping build business-first security and compliance programs.

Nightwing

Nightwing

Nightwing is the intelligence services company that continually redefines the edge of the possible to keep advancing our national security interests.