Digital Skimming and Magecart
Lessons Learned: Q&A with CEO Omri Iluz on Cyber Monday and the Holiday Shopping Season
Lessons Learned: Q&A with CEO Omri Iluz on Cyber Monday and the Holiday Shopping Season
Today is Cyber Monday and a good time to share perspectives from Omri Iluz, PerimeterX Co-founder and CEO, on the lessons online retailers can leverage this holiday e-commerce shopping season.
How has web and mobile app security changed in the past few years?
Data breaches have contributed to the rise in account takeover (ATO) attacks and as a result, have been one of the most significant drivers for changes in cybersecurity. Data breaches have resulted in billions of username and password combinations being available on the dark web. This plethora of credentials has resulted in a 65% year over year increase in ATO attacks and $5.1 Billion in losses in 2018. ATO attacks can be devastating to users, who lose account access and personal data, and to retailers who experience increased operational costs and reduced revenues. It is imperative for online retailers to quickly review application security protocols and consider additional safeguards. Otherwise these businesses risk compromise and massive damages from ATO attacks including chargebacks, increased customer support requests, lost revenue, brand damage and fines.
What were some web and mobile app security lessons retailers learned from Black Friday and Cyber Monday in 2018?
One of the biggest lessons learned in 2018 was that cybercriminals and the bots they create are following shoppers from the desktop to the mobile device. This is creating an entirely new set of problems for online retailers because people and bots behave differently on mobile devices. Traditional techniques used to determine whether the user is a human or a bot – such as IP addresses affiliated with home broadband accounts – no longer apply. And attackers are changing their techniques such as calling an application’s API without using a mobile device, running attacks via mobile device emulators, and hacking an application or the device itself and then using the compromised asset to launch an attack.
What specific challenges are retailers currently facing in 2019 with regard to Cyber Monday and the holiday season, as they relate to web and mobile app security?
The main thing to keep on the radar is that revenue growth for retailers translates to both more shoppers and more bad actors. This is precisely why the 2019 holiday shopping season is expected to be big not only for online sales but also for losses due to malicious activity.
One key challenge to keep in mind is the increasing threat of a digital skimming attack known more commonly as Magecart. With more websites built with third-party code comes more security risk and more responsibility to make sure you know what every line of code is doing. Stepping up your defenses now will help you side-step the reputational risk and costly breach remediation efforts associated with Magecart that now average in the millions of dollars between staff time and customer damages.
Another challenge is the significant size of the bad bot problem:
- ATO attacks, where bots use stolen credentials to hijack customer accounts, have resulted in approximately $10 billion in losses over the past two years
- Malicious bots are largely responsible for the $6.5 billion to $19 billion in losses expected in 2019 from digital advertising fraud
- More than 50 percent of the traffic to retail sites overall comes from bots and they represent between 40 percent and 80 percent of retail login attempts
Unfortunately, the situation for retailers is likely to get even worse as bot and Magecart attacks continue to proliferate. The bottom line is that to properly defend their business interests, online retailers must prepare not only for several different types of attacks but also for increasing degrees of sophistication.
What common web and mobile app security mistakes do you see online retailers making—particularly during Cyber Monday and the holiday season?
The most common mistake retailers make is that they do not pay enough attention to the top five bot threats during holiday shopping season. These include: (1) account takeover where a bot take over a real user’s account, (2) carding attacks where bots use stolen credit cards to ring up charges, (3) checkout abuse where bots scalp or hoard products in tight supply, (4) web scraping bots that spy on pricing data and steal content, and (5) mobile bot attacks that occur as more and more bots follow shoppers from the desktop to the mobile device.
Another common mistake retailers make is their belief that their home-grown or first-generation solution can stand up to the test, only to find out it cannot when it is too late. The minimum requirements to keep pace with evolving bot attacks include: (1) a dedicated bot security team, (2) extensive data collection, (3) behavior-based detection (4) real-time threat analysis, (5) highly optimized massively parallel compute and (6) crowd-sourced intelligence. A home-grown bot management solution is cost-prohibitive, so a behavior-based solution powered by machine learning and security experts is a better deal.
A third mistake is not monitoring the third-party code on a retailer’s website. A recent study found that a mere 11% of website decision makers believe they have complete insight into the third-party scripts on their website, and only 31% believe they have addressed all of the vulnerabilities in their third-party scripts. As the recent string of Magecart attacks on retailers show, the risks associated with third-party code must be taken seriously before they result in data breaches, fines, negative impact to brand reputation and stock value.
What are some strategies retailers can implement to address or overcome these challenges?
As attacks grow more sophisticated, tools that detect behavioral changes are the best way to identify and manage them. But there are other signs to pay attention to as well.
Due to the massive number of breached records over the years, large databases of stolen credit cards are available for sale on the internet. Attackers use malicious bots to test stolen credit card data on a retailer’s website. To verify the cards work, attackers typically make a low-cost purchase, and only if successful do they place bigger orders and receive products or services using the fraudulent cards. So, it would be wise for retailers to pay attention to purchases of very small amounts followed by purchases of larger amounts since this can indicate carding fraud. Carding fraud can occur during a brute force attack on a retailer’s website using stolen credit cards. Another variant is gift card fraud which happens when attackers guess the gift card number or use numbers purchased off the dark web, and then steal the balance of a gift card. It’s critical to stop these attacks to avoid a negative experience for all involved.
Another strategy is to monitor third-party code to overcome the risk of potential digital skimming and Magecart attacks. Retailers can run static code analysis, take inventory of third-party code, perform code audits and run dynamic application security tools. Even better, they can deploy real-user runtime analysis powered by artificial intelligence and pattern matching to identify risks.
How does PerimeterX help retailers with these challenges and strategies—specifically during Cyber Monday and the holiday shopping season?
Cybercriminals use all kinds of bots, proxies and anonymization services that they can easily find on the Web to hide and to execute efficient, successful attacks that get past legacy forms of protection such as web application firewalls that look for known signatures and volumetric behavior, both easy to overcome with these tools. In response to these threats, today, we are seeing more modern security solutions like advanced bot detection and malicious activity detection that will analyze new attack patterns and not rely on IP reputation feeds or historic signatures. This new approach helps to filter out and mitigate these evolving attacks. The best solutions apply a combination of machine learning and behavioral analysis which are used against these kinds of bots and botnets.
PerimeterX solutions identify and stop automated attacks before they affect our customers’ websites, web applications or APIs. This reduces a retailer’s risk, protects their users and partners, and safeguards their proprietary content and information. We use machine learning to generate a constantly updated library of attack patterns based on interactions with applications, fingerprints from devices and network characteristics. Unlike other solutions, PerimeterX protects retailers against new threats not previously seen - a key differentiator from solutions that rely on dated, historical attack signatures and static profiles.
For more tips for retailers this holiday shopping season, see the blog E-tailers Beware: Five Bot Attacks to Watch Out for this Holiday Shopping Season.