Shopping season is here, and with that, so is the opportunity for ecommerce site owners to grow their revenue and reputation. However, hackers are also busy infecting ecommerce websites with malware, such as:
- Credit Card Swipers
- Malicious Payment Gateways
- Malware Downloads
Now is the time when attackers target those last-minute shoppers buying products online.
Over the last few years, it has become increasingly popular for attackers to execute credit card fraud against ecommerce shoppers generating big money by abusing and selling stolen customer information.
As a website owner, you cannot afford to ignore hacker activities. Doing so can leave you at risk of blacklisting by Google and PCI compliance violations. It’s important to understand the risks to ecommerce websites and the tools available to help mitigate attacks.
Credit Card Swipers
Also known as credit card stealers, swiping can happen when a piece of malware is injected into your checkout process which leads to credit card information getting into the attacker’s hands.
Card swipers are often injected by attackers who exploit vulnerabilities in website software and extensions. Many attackers will exploit a website months in advance, inject a backdoor to retain access, and then just leave it there, lying dormant. It’s a matter of time before attackers execute the campaign to steal sensitive or personal information from the infected ecommerce website.
Depending on the type of infection, the hacker can retrieve the content of every POST request; these contain the stolen data being sent to the malicious email account or server for storage.
Malicious Payment Gateways
Even if you use a trusted, external payment gateway, like PayPal or Authorize.net, hackers can still infect your website and change where the payment is going.
By redirecting the payment gateway or cloning the checkout page in a phishing attempt, the hacker is making it so that the buyer is unable to see the difference. Hackers intercept the credit card information while in transit through the payment process. At the same time, the ecommerce site owner loses out on sales.
This is the reason why PCI compliance is of such importance for ecommerce sites. The first requirement is to have a website firewall that can prevent attackers from being able to change the payment gateway.
Malware Downloads
This type of attack is not specific to ecommerce sites, but it has impacts that can be devastating during peak shopping season.
If an attacker gains access to an ecommerce site through vulnerable software or poor user credentials, hackers can inject malicious scripts that infect visitor’s computers. We wrote about a Magento site last week that was compromised and serving malware to customers who were trying to purchase electronics.
However, Google and many antivirus companies will be able to detect these malicious scripts, which can result in a website being blacklisted. This instantly causes a massive drop in traffic – over 95% of visitors refuse to enter a website when a big red screen is telling them it’s unsafe to proceed.
Security for Ecommerce Sites
These ecommerce risks will have variants and will always be evolving to evade detection by website owners. When it comes to looking at the common risks for ecommerce site owners, we need to know that there will be certain conditions that make a website vulnerable. It may be a weak third-party extension or an unpatched version of your CMS. Make sure website software is always up to date.
You can scan your site for indicators of compromise. We recommend our free SiteCheck scanner, however keep in mind that many hacks are not externally visible in the source code. This is all about exploiting your customers through malicious code that may not be visible and could be hidden in your website files or database. This is why it’s important to consider using a cloud-based security system that offers deep detection and protects against ecommerce risks.
Keep your business safe and profitable with this checklist:
- Use a secure payment gateway for processing transactions.
- Protect against hackers with a WAF.
- Enforce the use of strong passwords across all user accounts.
- Choose roles carefully using the principle of least privilege.
- Use an integrity monitoring system to alert you of unauthorized changes to your website.
- Monitor your access logs for suspicious behavior.
- Use SSL certificate to encrypt traffic and protect your visitor’s personal information.
Bonus tip: Sustain performance, mitigate traffic increases and DDoS attacks with a secure CDN. Sucuri includes this and much more on our all-in-one website security platform.
Strive this season to make sure your business is properly protected. Keep in mind the U.S. National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months after a cyber attack, which is why 30% of Americans cite ‘security concerns’ as a key factor in preventing them from shopping online.
The more you know, the more effectively you can prevent or respond to a breach. Stay safe this season!
Denis Sinegubko
Victor Santoyo
Rianna MacLeod
Ashley Sand
Sucuri Malware Research Team
John Castro
Daniel Cid
Juliana Lewis
Liam Smith