Guest post written and contributed by Reesha Dedhia, Cybersecurity Evangelist, PerimeterX
Digital transformation is at the forefront of the retail e-commerce industry. With the accelerated move from the physical storefront to the digital storefront comes increased attack surfaces by which cybercriminals can target businesses. As businesses rapidly shift more transactions to web and mobile applications, they also need to be proactive about safeguarding their applications from a wider variety of cyberattacks. PerimeterX works closely with YOTTAA to make it easier for businesses to implement protective solutions against bots as they undergo these changes. Here are four top threats that security and development teams should be aware of as they optimize their retail business in 2021.
1. Account takeover attacks
Account takeover (ATO) is a sophisticated instance of a brute force attack in which cybercriminals specifically target login credentials to take over an account. During these attacks, the attacker will leverage large data sets of username and password combinations. Billions of such credentials have been leaked over the last few years and are available for purchase via the dark web and other avenues. These leaked data sets are the most popular sources of login credentials for attackers to test and validate.
Data breaches can result from a single machine rapidly testing and validating a set of credentials, which is typically easier to detect and block than the more advanced attacks that sometimes leverage up to hundreds of thousands of different bots and machines. Spreading the attempts across many sources distributes the load and makes it harder to pin down where the attack is coming from, which also allows data breaches of higher volume to occur. In many cases, cybercriminals will attack various sites simultaneously to further spread the load and make the attack harder to detect.
As teams ramp up their digital transformation efforts, vulnerabilities to account takeover inevitably open up. Organizations should stay cautious and implement bot mitigation technology to detect fake account creation attempts in real time and automatically block bots from tarnishing their brand reputation.
2. Carding attacks
Carding attacks work in a similar fashion to account takeover — testing and verifying illicitly obtained personal information using bots. The big difference is that ATO attacks focus on the login page using stolen usernames and passwords while carding attacks focus on the checkout page using stolen credit card information.
Gift card cracking is a variation of carding attacks where cybercriminals use brute force to enumerate gift card numbers to figure out valid combinations. The stolen gift card numbers are then resold on the dark web or used to purchase goods. Gift cards don’t have the same level of protection as credit cards — they don’t have any cardholder names, bank account numbers, social security numbers, billing addresses or zip codes associated with them — which makes them easier targets. Additionally, many merchants provide a separate page for gift card balance checking, a feature that is widely abused by card cracking bots.
Businesses — particularly in e-commerce — benefit greatly from proactive threat management to safeguard their evolving web and mobile applications in real-time.
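The account takeover and carding sections above both make the same detection point: a single machine hammering the login, checkout or gift-card balance page is easy to block with a per-IP threshold, while an attack spread over many bots leaves only one or two requests per address. The following added example (not code from PerimeterX, YOTTAA or the original post) shows the defender-side aggregation that still catches the distributed case: it groups requests to monitored endpoints into fixed time windows and alerts when a window holds many attempts that almost all fail, come from many distinct IPs and each use a different identifier (a username, or a hashed card or gift-card number). The log format, endpoint paths, thresholds and sample traffic are all constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any vendor's real format):
#   <ISO-8601 timestamp> <client IP> <path> <identifier> <HTTP status>
# identifier = login name on /login, a hashed card or gift-card id elsewhere.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<path>\S+)\s+(?P<ident>\S+)\s+(?P<status>\d{3})$"
)
# Assumed endpoint paths for the login page, checkout page and gift-card balance check.
MONITORED = {"/login", "/checkout", "/giftcard/balance"}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["ok"] = e["status"].startswith("2")
    return e


def detect_distributed_abuse(lines, window_minutes=5, min_attempts=20,
                             max_success_ratio=0.2, min_distinct_ips=10,
                             min_ident_spread=0.8):
    """Flag (path, window) pairs whose aggregate traffic looks like credential
    stuffing or card testing: many attempts, almost all failing, spread across
    many IPs and many distinct identifiers. Per-IP thresholds alone miss this
    because each bot contributes only one or two requests."""
    buckets = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        if e["path"] not in MONITORED:
            continue
        ts = e["ts"]
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                           second=0, microsecond=0)
        buckets[(e["path"], start)].append(e)

    alerts = []
    for (path, start), evs in sorted(buckets.items()):
        n = len(evs)
        if n < min_attempts:
            continue
        success_ratio = sum(e["ok"] for e in evs) / n
        ips = Counter(e["ip"] for e in evs)
        idents = {e["ident"] for e in evs}
        if (success_ratio <= max_success_ratio
                and len(ips) >= min_distinct_ips
                and len(idents) >= min_ident_spread * n):
            alerts.append({
                "path": path,
                "window_start": start.isoformat(),
                "attempts": n,
                "success_ratio": round(success_ratio, 3),
                "distinct_ips": len(ips),
                "max_per_ip": max(ips.values()),
                "distinct_identifiers": len(idents),
            })
    return alerts


def build_sample_log():
    """Constructed sample traffic: ordinary logins and balance checks plus a
    distributed credential-stuffing run and a gift-card enumeration run."""
    base = datetime(2021, 3, 1, 12, 0, 0)

    def at(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = []
    # 15 real customers logging in from their own addresses; a few mistype a password
    for i in range(15):
        lines.append(f"{at(20 * i)} 203.0.113.{i + 1} /login user{i} {401 if i % 5 == 0 else 200}")
    # 60 leaked username/password pairs, each tried exactly once from its own bot
    for i in range(60):
        lines.append(f"{at(3 * i)} 198.51.100.{i + 1} /login leaked{i} 401")
    # 30 guessed gift-card numbers spread over 15 bots, two guesses each, none valid
    for i in range(30):
        lines.append(f"{at(7 * i)} 192.0.2.{i % 15 + 1} /giftcard/balance gc{i:04d} 404")
    # 3 real balance checks
    for i in range(3):
        lines.append(f"{at(60 * i)} 203.0.113.{50 + i} /giftcard/balance realgc{i} 200")
    return lines


if __name__ == "__main__":
    for alert in detect_distributed_abuse(build_sample_log()):
        print(alert)
```

In the constructed sample no attacking address sends more than two requests, so a per-IP rate limit never fires; the per-endpoint window still flags both the login run (75 attempts, 16% success, 75 distinct identifiers) and the balance-check run. The identifier-spread condition is what separates credential stuffing and card testing from an ordinary brute force against one account, which would fail the login page just as often but with a single identifier. A single-site view like this is also limited by the cross-site spreading the post mentions, which is one reason to aggregate across properties or use a shared bot-mitigation service.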
3. Shadow Code
Application developers often rely on open source libraries and third-party scripts in order to innovate faster and keep pace with evolving business needs. These libraries and third-party scripts in turn call other scripts, creating a digital supply chain of fourth-, fifth- and Nth-party scripts powering your web applications and websites. Industry estimates show that up to 70% of the scripts running on a typical website are third-party. This creates an opportunity for Shadow Code to enter the application.
Shadow Code is any code introduced into an application without formal approval or security validation. It is the application development equivalent of Shadow IT. It introduces unknown risks into the application and makes it difficult for the business to ensure data security and privacy, and to comply with regulations.
Shadow Code takes many forms. Here are just some of the ways it spreads through your web applications.
- Open source libraries used in first-party scripts developed and hosted by you
- Legitimate third-party scripts introduced without a formal approval process
- Fourth-, fifth- or Nth-party scripts that are loaded by your vendor without your direct knowledge
- Malicious scripts such as digital skimmers injected through brute-force attacks on your infrastructure or through your script supply chain
- Third-party plugins for your Content Management Systems or e-commerce platform
- Malicious code injected into first-party scripts by rogue insiders
Modern web and mobile applications shift logic to the client side to improve performance and enrich the user’s digital experience. This shift means that a significant portion of the application that now runs on your users’ browsers and mobile devices relies on JavaScript code. According to httparchive.org, between November 2010 and July 2020, use of client-side JavaScript code has increased over 411% for desktop and over 700% for mobile applications.
To effectively shine a light on Shadow Code, it behooves any business that is digitally evolving to invest in a solution that provides visibility into the code on their web apps.
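A first step toward the visibility described in this section is an inventory of every script tag a page ships, classified as first-party, approved third-party or unknown, with a check for Subresource Integrity pinning on anything cross-origin. The following added example (not code from PerimeterX, YOTTAA or the original post) does that over a constructed HTML page with Python's standard-library parser; the site hostname, the approved vendor list and the placeholder integrity hash are assumptions for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its src, integrity attribute and inline size."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._inline_len = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        self._in_script = True
        self._inline_len = 0
        self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"),
                             "crossorigin": a.get("crossorigin"), "inline_bytes": 0})

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data; measure inline code length
        if self._in_script:
            self._inline_len += len(data.strip())

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts[-1]["inline_bytes"] = self._inline_len


def audit_scripts(html, site_host, approved_hosts):
    """Classify each script by origin and flag Shadow Code indicators:
    unknown vendors, cross-origin scripts without SRI, and inline code."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            findings.append({"src": "(inline)", "class": "inline",
                             "issues": ["inline script; confirm it originates from your own source control"]})
            continue
        host = urlparse(s["src"]).hostname  # None for a relative URL such as /static/app.js
        if host is None or host == site_host:
            cls = "first-party"
        elif host in approved_hosts:
            cls = "approved-third-party"
        else:
            cls = "unapproved-third-party"
        issues = []
        if cls == "unapproved-third-party":
            issues.append("host not in approved vendor list")
        if cls != "first-party" and not s["integrity"]:
            issues.append("no integrity attribute (SRI)")
        findings.append({"src": s["src"], "class": cls, "issues": issues})
    return findings


# Constructed page: hostnames and the integrity value are placeholders, not real vendors.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.approved-vendor.example/analytics.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.approved-vendor.example/widget.js"></script>
<script src="//static.unknown-tagmanager.example/loader.js"></script>
<script>window.shopConfig = {currency: "USD"};</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML, "shop.example", {"cdn.approved-vendor.example"}):
        print(f["class"], f["src"], f["issues"])
```

Run against the sample, the audit passes the first-party bundle and the pinned vendor script, and flags the unpinned vendor script, the unknown tag-manager loader and the inline block. The caveat matches the section's point about fourth- and Nth-party scripts: a static scan only sees the first layer, because a vendor's script can fetch further scripts at runtime that never appear in your HTML, and SRI cannot pin a vendor resource that changes without notice. Runtime visibility in the browser, a Content Security Policy that restricts script origins, and a formal approval process for the vendor list are what close that gap.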
4. Surges in traffic due to COVID and flash sales
Launch events, hype sales and limited edition items often cause an influx of traffic — of both legitimate users and nefarious scalper bots — to e-commerce web apps and put businesses’ digital infrastructure to the test. This use case has expanded to general swells in web traffic that PerimeterX observed during the COVID-19 pandemic.
To effectively protect against associated threats, one must have accurate bot management and user verification to allow legitimate users to access their web app at scale during periods of high traffic. DevOps and DevSecOps teams should be privy to all of this information in a central dashboard to help automate workflows and protect login pages from automated attacks. This should all be done while maintaining operational efficiency and preserving the customer experience by preventing scalper bots from overwhelming website infrastructure.
Closing Thoughts
To mitigate these four risks commonly associated with digital transformation, developers need to be included in the security flow to catch code flaws sooner and establish behavioral baselines required to safeguard modern, user-facing applications. CISOs also have an opportunity in this process to enable their engineering teams and be a leading force for change in their organization.
Making every developer a DevSecOps expert during digital transformation creates a far more holistic approach to web application and native application security. This approach is more proactive and preventative — and a lot less expensive and time consuming over the long haul. This approach is only one part of a broad and inevitable transition for all developers towards assuming more responsibility for application security — and creating a world where security starts with digital infrastructure.
Integrated with YOTTAA, PerimeterX solutions enable e-commerce brands to optimize their user experience, protect customer data and provide the best insights and workflows to drive business decisions. YOTTAA customers that use its E-commerce Acceleration Platform can apply PerimeterX Bot Defender through the YOTTAA network at the edge, before bots ever make contact with their site.
Learn more about this integration and how you can get set up in minutes to protect your web and mobile apps against automated attacks on the PerimeterX integrations page. Read about PerimeterX integrations including YOTTAA here.