The Hidden Costs Behind Black Friday Bargains

The pandemic forced businesses to become creative and go digital as increasing online traffic acted as a catalyst for the inevitable rise of e-commerce retailing. According to data published by Statista, there are nearly 60 million e-commerce users now in the UK. Looking at how much is spent, statistics published by the Office for National Statistics show that in September this year [2022], 25% of retail sales were online. While this is a decline compared to online spending during the pandemic, it is still above the average 21% recorded towards the end of 2019.

With the current economic climate also squeezing many purses, there is likely to be a spike in online sales this November, as has been seen in previous years, as many capitalise on Black Friday sales. 

However, where there is action there are cyber hackers waiting to pounce. 

Stop Being An Easy Target 

Cyber criminals are constantly on the lookout for e-commerce victims to scam and Black Friday presents the perfect opportunity. Scammers will look to steal data, particularly credit card information shared during transactions. This information offers attackers a double payout as they can use the card details themselves for purchases, while also selling the data to other criminals on the Dark Web. And it's not just data that consumers can lose as fake promotions are also in abundance.

POS systems, in-store mobile devices and the rise of e-commerce platforms have all expanded the attack surface. This creates new opportunities for cyber attackers to get their hands on valuable customer data. The focus for most IT teams this time of year is on uptime, performance, throughput and availability to optimise retail transactions.

But timely patching and other security related updates shouldn’t fall by the wayside.

One of the most common attacks on e-commerce portals are SQL code injection attacks. This means that attackers abuse the fields that consumers use to provide their personal details, search for goods, and other functionality that enhances the customer experience. For example, sites will have free-text areas that consumers complete - with address details or delivery instructions - an operation that is replicated millions of times a day, in thousands of e-commerce portals. Criminals look for these free forms and instead insert a malicious code seeking to exploit vulnerabilities in the back-end software.

It was recently reported by Sansec that at least seven hacking groups were targeting Magento 2 websites with 'TrojanOrders' attacks, exploiting a vulnerability to inject malicious JavaScript code into an online store's website. Having compromised the store, threat actors can steal customers' information and credit card numbers when making a purchase.

Having compromised a website, scammers will then use phishing messages to dupe unsuspecting consumers to visit the site to complete the heist. This is made easier in the run up to the festive season with shoppers expecting many retail brands to run promotions. While emails purporting to offer expensive ticket items at vastly reduced prices would normally raise alarm bells. At a time when high discounts are offered, it can make it harder to detect fact from fiction. Links embedded in these messages direct the user to websites hackers have already hacked.

Making It Harder For Scammers

To make sure cyber grinches aren’t hiding within the infrastructure, retailers should perform a rigorous assessment of their systems to identify any vulnerable platforms that present a potential target for attackers to steal consumer data. Having identified any vulnerabilities or misconfigurations that exist in back-end systems, retailers should work to resolve these issues quickly, applying software updates if available, or limit access to those that can’t be updated to reduce the risk of an attacker exploiting the system

Investing in best practice cyber security should be a priority for today’s retail sector.

Neutralising cyber threats, vigilantly protecting consumer data across all channels and creating secure payment card transactions will be what protects businesses and their customers. Increased visibility into all assets, the network, and domains (including sub-domains) will provide retailers with an effective way to prioritise threats, reduce cyber risk and ensure they’re able to thrive in this festive season and beyond.

Retailers who fail to take precautionary measures risk major impacts to their bottom line, brand integrity and business continuity.  

Bernard Montel is Technical Director of EMEA for Tenable

You Might Also Read:

E-Commerce Site Exposed Children Worldwide:

 

« Cybersecurity Awareness: Simple Actions To Dial Up Digital Defences
Detected - A Hard Matching Vulnerability Which Enables Azure AD Account Takeover »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Messageware

Messageware

Messageware is the market leader in securing, enhancing, and customizing Microsoft Exchange and Outlook Web App.

InfoSec World

InfoSec World

InfoSec World conference and expo covers all aspects of information security with a broad agenda of sessions on key security issues.

Intrusion

Intrusion

Intrusion provides IT professionals with the most robust tool set available for performing in-depth research and analysis of network traffic.

Accolade Technology

Accolade Technology

Accolade provides the most technologically advanced host cpu offload, 100% packet capture FPGA-based PCIe adapters and 1U platforms available in the network monitoring and cyber security markets.

achelos

achelos

achelos is an independent software development company providing innovative technical solutions for micro-processor chips / security chips and embedded systems in security-critical application fields.

National Digital Exploitation Centre (NDEC) - United Kingdom

National Digital Exploitation Centre (NDEC) - United Kingdom

NDEC is a project to create a centre of cyber and digital development and education for the UK. It will offer training in digital practices, cyber security and research.

InterVision

InterVision

InterVision is a leading Strategic Services Provider, assisting businesses in driving value and gaining a competitive edge by helping IT Leaders solve the most crucial challenges they face.

iZOOlogic

iZOOlogic

iZOOlogic protects hundreds of the world’s leading brands, across banking, finance and government from cybercrime. We provide strong cyber defence solutions to protect client digital assets.

Keyless Technologies

Keyless Technologies

Simple, secure, and interoperable authentication. Keyless offers unmatched security, privacy and usability, while reducing risk and infrastructure costs.

Hackinsure

Hackinsure

Front Row Insurance’s Hackinsure provides protection against online hazards including Cyber Liability, Theft & Fraud, Business Interruption, Extortion & Ransomware, Forensic Investigation.

Electric Power Research Institute (EPRI)

Electric Power Research Institute (EPRI)

The Electric Power Research Institute’s Cyber Security Research Laboratory (CSRL) addresses the security issues of critical functions of electric utilities.

ProLion

ProLion

ProLion provides Data Integrity solutions that ensure organisations’ data remains secure, compliant, manageable and accessible.

Orbus Software

Orbus Software

Orbus develops, markets and sells enterprise software which helps large, blue chip and government organisations across the globe to achieve digital transformation outcomes.

The Security Bulldog

The Security Bulldog

The Security Bulldog distills and assimilates open source cyber intelligence to enable security teams to understand threats more quickly, make better decisions, and accelerate detection and response.

Prikus Tech

Prikus Tech

Prikus is a full-fledged Cyber Security Company helping organizations worldwide to manage cyber risks. We offer Risk & Compliance Services, Security Testing & Managed Security Services.

Silent Circle

Silent Circle

Silent Circle is the leader in end-to-end enterprise solutions for secure mobile communications.