With the coronavirus putting eCommerce front and center, it has unfortunately been joined by its cousin: online retail fraud. Conservative estimates put online sales at $630 billion this year. At the same time, a new report shows that fraudsters will take more than $12 billion off the table. That doesn’t count alienated customers who are ready to pull the trigger on social media with a bad review.
According to online security company Signal Sciences, eCommerce retailers deal with an average of 206,000 web attacks per month. Attacks happen constantly, with increasingly sophisticated tactics. Criminals now mimic the behavior of legitimate shoppers to hide their activity.
And as shopper activity rises, so do the attacks. The report found that attacks tend to spike on the 15th and 30th of each month, which is also when consumer shopping hits its highest levels.
“Attackers use a variety of sophisticated methods to attack eCommerce sites or abuse APIs that connect payment processors to online shopping carts,” the report states. “The goal of the attack is generally to steal credit card information, guess shopping cart tokens to take over the shopping session, or exfiltrate consumer account PII (personally identifiable information) that can be used to perpetrate other fraud.”
The main offender, constituting 29.8 percent of all eCommerce fraud, is still account takeover. Here’s how it works: When a fraudster finds or steals user credentials, they log into the account, change the account settings (such as the email address and phone number) and lock out the legitimate user. Next, the fraudster effectively owns the account and makes purchases from the site. They can also run automated tests of the same credentials against other sites.
The report also found a new tactic, accounting for 6.4 percent of all attacks, called “backdoor files.” Technically, it’s an attempt to access APIs so hackers can get a deeper level of account detail.
“A backdoor file is often delivered via malware that identifies and exploits vulnerable components in a web application; in other cases, the hacker may simply use an unchanged default password to log into the user’s account,” the report says. “In either case, the installation of the backdoor file makes it possible for the hacker to negate normal two-step authentication procedures and access the system freely. Serving as the ‘keys to the kingdom’ for attackers, a backdoor file can be a highly lucrative type of attack, accounting for its strong and growing popularity.”
Backdoor file activity, unlike other fraud attack methods, has no pattern. The report’s authors found that attackers use a variety of methods until they succeed. The key to locking down an eCommerce site is executing automated actions based on the type of fraud being attempted.
“In the end, perhaps the goal of each individual or business alike should not be how to manage or detect fraud, but how to prevent it,” says Simona Negru, writing on eCommerce fraud in The Paypers. “If we are to look ahead into 2020, we should definitely keep a close eye on the ‘fraud agenda.’ As mentioned above, account takeover is a significant issue; the majority of successful ATOs come from credential stuffing attacks, where numerous unique IP addresses are used for logging into user accounts via bots and automated scripts.”
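Detection logic for the distributed credential-stuffing pattern described above (many unique IP addresses trying many accounts in a short burst), written as an added example for this article, not code from the Signal Sciences report or The Paypers. The log format, thresholds and sample events are constructed for illustration.

```python
from collections import namedtuple

LoginEvent = namedtuple("LoginEvent", "ts user ip ok")

# Constructed sample login log (not data from the report), one event per line as
# "unix-ts username source-ip ok|fail": a burst from many addresses, then normal traffic.
SAMPLE_LOG = """\
1600000000 alice 203.0.113.10 ok
1600000005 bob 198.51.100.7 fail
1600000009 carol 198.51.100.23 fail
1600000012 dave 192.0.2.44 fail
1600000015 erin 198.51.100.91 fail
1600000018 frank 192.0.2.77 fail
1600000021 grace 203.0.113.200 fail
1600000024 heidi 192.0.2.130 fail
1600000030 ivan 203.0.113.55 ok
1600000400 alice 203.0.113.10 ok
""".splitlines()

def parse(lines):
    """Turn raw log lines into LoginEvent tuples."""
    return [LoginEvent(int(t), u, ip, r == "ok") for t, u, ip, r in map(str.split, lines)]

def summarize(win):
    """Stats for one burst. Logins that succeeded inside it are the accounts to
    review for the takeover step (changed email/phone) the article describes."""
    return {"start": win[0].ts, "end": win[-1].ts, "attempts": len(win),
            "distinct_ips": len({e.ip for e in win}),
            "distinct_users": len({e.user for e in win}),
            "successes": sorted(e.user for e in win if e.ok)}

def detect_credential_stuffing(events, window=60, min_attempts=8,
                               min_ips=5, min_users=5, max_success_rate=0.3):
    """Slide a time window over the login stream and flag bursts where many distinct IPs
    hit many distinct accounts with a low success rate. A per-IP rate limit misses this:
    in SAMPLE_LOG no single address makes more than two attempts."""
    events = sorted(events, key=lambda e: e.ts)
    bursts, start = [], 0                  # merged [first_idx, last_idx] pairs
    for end, ev in enumerate(events):
        while ev.ts - events[start].ts > window:
            start += 1                     # drop events older than the window
        win = events[start:end + 1]
        if (len(win) >= min_attempts and len({e.ip for e in win}) >= min_ips
                and len({e.user for e in win}) >= min_users
                and sum(e.ok for e in win) / len(win) <= max_success_rate):
            if bursts and start <= bursts[-1][1]:
                bursts[-1][1] = end            # overlaps the last burst: extend it
            else:
                bursts.append([start, end])
    return [summarize(events[s:e + 1]) for s, e in bursts]
```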