As we enter the season of global shopping festivals, we as shoppers rarely think about online security while adding great deals to our check-out carts. Online shops and service providers are equally busy gearing up for the wave of holiday shoppers. It is in these moments of festive distraction that users and businesses become easier targets for holiday hackers looking to make a quick buck.
The retail industry endured over 10 billion credential-stuffing attempts (attacks that replay stolen username and password pairs against log-in pages to gain unauthorised access) out of more than 27 billion such attempts across all sectors in the span of eight months.
We cannot assume that hackers will take a break at a time when so much holiday money can be stolen. On average, Singaporeans spend about US$1,000 a year on online purchases, and local e-commerce can expect US$4.9 billion in revenue by New Year's Eve. For online stores, it is only a matter of time before a bad actor comes along to test a company's cyber defences.
Bots, good or bad?
By design, automated bots have many uses. Good bots are beneficial: search-engine crawlers that index pages for Internet searches, for example. Bad bots, however, are built to validate stolen credentials by flooding the log-in pages of popular websites with leaked username and password pairs (credential stuffing), to automate the phishing process, or to conduct large-scale Distributed Denial of Service (DDoS) attacks that can take an online business offline.
Some of the best-known examples of bad bots at work are visible in the scalping industry. Shoppers may have failed to secure highly coveted tickets to performances by John Mayer, Jay Chou, and Korean boy bands such as BTS on the official ticketing websites, only to find the same tickets on resale platforms at up to 54 times their original retail price.
What fans and businesses often do not realise is that the scalpers use bad bots to snap up high-demand goods the instant they go on sale. At the same time, they use bots to record and test the payment credentials of the consumers who buy the scalped goods.
Differentiating good bots from bad ones is difficult, because both are automated and both can look like ordinary traffic at first glance. It is therefore critical to develop a smarter method of monitoring, identifying, and blocking the advanced threats that bad bots pose.
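One concrete way to monitor for the credential-stuffing pattern described above is to watch the log-in endpoint for a single source that tries many distinct usernames in a short window with a low success rate. The following is an added example written for this page, not Akamai's code; it assumes a hypothetical log format of `<timestamp> <src_ip> <username> <OK|FAIL>` per line, and the traffic it analyses is constructed inline.

```python
# Added example (not Akamai's code): a sliding-window credential-stuffing
# detector over login-endpoint log lines. The log format is hypothetical:
#   <ISO-8601 UTC timestamp> <src_ip> <username> <OK|FAIL>
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

_BASE = datetime(2019, 11, 20, 10, 0, 0, tzinfo=timezone.utc)


def _stamp(seconds):
    """Format an offset from the constructed base time as ISO-8601 UTC."""
    return (_BASE + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_log():
    """Constructed sample traffic for the example; not real logs."""
    lines = []
    # 1) Stuffing bot: 30 distinct stolen usernames from one source in 90 s,
    #    almost all failing. The two successes are the attacker's payoff.
    for i in range(30):
        result = "OK" if i in (7, 19) else "FAIL"
        lines.append(f"{_stamp(3 * i)} 203.0.113.7 user{i:02d} {result}")
    # 2) Legitimate shopper who mistypes twice, then signs in.
    lines += [f"{_stamp(5)} 198.51.100.9 alice FAIL",
              f"{_stamp(40)} 198.51.100.9 alice FAIL",
              f"{_stamp(60)} 198.51.100.9 alice OK"]
    # 3) Single-account brute force: many failures but only one username.
    #    That is a lockout / rate-limit problem, not the stuffing pattern.
    lines += [f"{_stamp(2 * i)} 192.0.2.44 bob FAIL" for i in range(25)]
    return lines


def parse_line(line):
    """Parse one log line; return None for malformed input instead of crashing."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": parts[1], "user": parts[2], "ok": parts[3] == "OK"}


def detect_stuffing(lines, window=timedelta(minutes=5), min_attempts=20,
                    min_distinct_users=10, max_success_ratio=0.2):
    """Flag sources that, within `window`, made >= min_attempts log-ins against
    >= min_distinct_users usernames with a success ratio <= max_success_ratio."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        users = Counter()   # usernames present in the current window
        successes = 0
        start = 0
        for end, ev in enumerate(events):
            users[ev["user"]] += 1
            successes += ev["ok"]
            # Slide the window start forward past events older than `window`.
            while ev["ts"] - events[start]["ts"] > window:
                old = events[start]
                users[old["user"]] -= 1
                if users[old["user"]] == 0:
                    del users[old["user"]]
                successes -= old["ok"]
                start += 1
            attempts = end - start + 1
            if (attempts >= min_attempts and len(users) >= min_distinct_users
                    and successes / attempts <= max_success_ratio):
                flagged[src] = {
                    "attempts": attempts,
                    "distinct_users": len(users),
                    "successes": successes,
                    # Accounts the bot got into: the ones to force a reset on.
                    "compromised": sorted(e["user"] for e in events[start:end + 1] if e["ok"]),
                }
    return flagged


SAMPLE_LINES = build_sample_log()

if __name__ == "__main__":
    for src, stats in detect_stuffing(SAMPLE_LINES).items():
        print(src, stats)
```

Only the 203.0.113.7 source is flagged: the shopper who mistypes her password is far below the thresholds, and the single-account brute force fails the distinct-username test even though it produces more failures than a casual user. Two caveats a practitioner should keep in mind: a bot that spreads the same credential list across a proxy pool will stay under any per-IP threshold, so the same counting is worth repeating keyed on a device fingerprint, TLS fingerprint or ASN; and a rule like this fires after the first successes, so it belongs alongside rate limiting and challenges at the log-in endpoint, not in place of them.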
Phishing is now social
Despite years of publicity, phishing remains the largest people-centred threat to a business: it is still the most common way an attacker gains a first foothold. In retail specifically, the phishing victims are consumers. Among other methods, criminals target the industry by masquerading as popular brands and retail outlets. The individuals who fall for phishing scams by submitting their information, or who inadvertently install malicious applications, are the same people who sustain a retail economy worth billions of dollars worldwide.
We saw this with US retail chain Target, which was attacked at the height of the 2013 holiday season. The resulting breach of some 40 million payment card records remains one of the biggest phishing lessons for companies, because the attack began with a successful spear-phishing e-mail against one of Target's vendors, whose stolen credentials gave the attackers their way in.
Today, we see bad actors widening their nets. Retailers can now expect holiday hackers to exploit social networks, capitalising on the trust and sense of community customers feel on these platforms to extract critical financial data. Because the criminals go to great lengths to impersonate legitimate retailers and organisations, unsuspecting victims often fall for the fake deals. And unfortunately, the genuine businesses have no visibility into these exchanges and are often blamed for crimes they did not commit.
To make matters worse, phishing is now commoditised: hackers can easily buy off-the-shelf phishing kits from illicit sites. These kits let them rapidly launch malicious campaigns over e-mail and social channels against businesses and their customers.
While most modern enterprises have some protections in place, these are far from perfect, and relying on a single layer of defence against such rampant attacks is not best practice.
Shoring up cyber defences for the holidays
The retail industry is as much of a target as any other because of its wealth of personal and financial information. As the holidays approach, both threats and online traffic will spike, putting retailers and their shoppers at risk.
However, by focusing on managing bots, phishing attacks and shoppers' log-in credentials, retailers put themselves in a better position to identify and mitigate malicious activity before it affects their site visitors.
Multi-layered detection and mitigation tools, along with upskilling IT teams with an eye toward security, are imperative for holiday preparedness. Greater awareness of the latest cyber threats also helps employees and consumers get better at spotting scams. Target, for example, has been active in educating its vendors and shoppers on ways to avoid phishing scams.
As the holiday shopping season nears, online stores should look at securing their websites properly while still providing a great online experience to consumers. The cost of neglecting security during the holidays can be disastrous for some retailers and irreparable for others.
- The writer is senior director, Product Management, Security & Performance, Akamai APJ