SecurityWeek

Cybercrime

Cybercriminals Gear Up for Holiday Shopping Season

With Black Friday and Cyber Monday just a few short days away and the memory of the Target breach still fresh, retailers are under heavy scrutiny. Cyber-criminals will be taking advantage of heavy traffic and increased sales to launch their campaigns this shopping season, and security teams need to be alert for suspicious activity, experts warned.

Retail experts estimate this year’s holiday shopping spending will total almost $750 billion, and the frenzy will kick off this week with Black Friday sales in stores and Cyber Monday deals online.

The majority of these sales will rely on credit card transactions, and the past year has shown that payment card data is highly vulnerable. There has been a focus on point-of-sale (PoS) systems in brick-and-mortar locations and the shift to chip-based credit cards, but e-commerce transactions remain highly vulnerable to attack.

Security teams will need to be especially proactive in monitoring their confidential data and assets for any unusual activity, said TK Keanini, CTO at Lancope.

“We have seen throughout 2014 that cybercrime never stops,” Keanini said. “Attacks are likely to escalate even further in the coming weeks.”

While the breaches at Target and Neiman Marcus commanded most of the attention, there were plenty of attacks against retail Web applications during last year’s holiday shopping season.

In an analysis of more than a dozen retail Web applications, Imperva researchers found an average of 547 attacks per day between Nov. 14, 2013 and Jan. 9, 2014. To put this figure in context, the four-week period before the shopping season saw an average of 150 attacks per day, and 267 attacks on average in the four-week period after. The researchers found “a clear growth in the number of attacks during the holiday season,” Barry Shteiman, director of security strategy at Imperva, wrote in a blog post this week.

While it makes sense that there will be more attacks when there is more online traffic, Shteiman said the increase in attack statistics was “too significant.” The surge in attack volume may be related to the perception that retail applications are more vulnerable during this time of the year and that attackers are more likely to succeed, he said.

Retailers roll out new pages promoting special sales and campaigns for the holiday season. Due to the temporary nature of these pages, it’s possible that they may have been built with unsafe third-party libraries or did not follow secure coding practices. Companies are also reluctant to fix bugs during the annual code-freeze, making it likely that some of these pages would remain vulnerable longer.

“Cyber-criminals are more motivated during this time of the year,” Shteiman wrote.

The analysis focused on SQL injection, directory traversal, and cross-site scripting attacks because the company’s Web Application Attack Report (WAAR) had ranked these methods as the top three attack types targeting retail Web applications. Imperva found in last year’s WAAR that retail Web applications experienced twice as many SQL injection attacks as other kinds of Web applications, and confirmed the trend in this year’s report.

A recent Gallup poll found that 69 percent of respondents were concerned about having their credit card information stolen from stores, and 62 percent were worried about having their computer or smartphone hacked. However, a recent Ponemon Institute survey of 1,000 consumers found that while nearly 50 percent were victims of a data breach, 45 percent have not changed their shopping behavior when using credit and debit cards.

Retailers may not have a lot of time left to do a full audit of the applications to find and fix issues, but they should be taking steps to know what new pages have been added to their application so that they can monitor those areas for any suspicious activity. This is not the time to relax existing security policies, either.
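The monitoring the article recommends can be approximated with a small log triage script: classify requests to the newly added campaign pages against coarse signatures for the three attack classes named above (SQL injection, directory traversal, cross-site scripting), count hits per day, and flag days that exceed a multiple of a pre-season baseline such as the 150-attacks-per-day figure Imperva reports. This is an added example, not Imperva's or SecurityWeek's code; the log lines, the /holiday/ prefix and the signature patterns are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Coarse signatures for the three attack classes the article names; triage heuristics, not a WAF.
SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s+[\w'\"]+\s*=|union\s+select|--\s|;\s*drop\s", re.I),
    "traversal": re.compile(r"\.\./"),
    "xss": re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I),
}

# Apache/nginx combined log format: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines, not real traffic; /holiday/ stands for the temporary campaign pages.
SAMPLE_LOG = [
    '10.0.0.1 - - [28/Nov/2013:10:00:00 +0000] "GET /holiday/deals?id=1 HTTP/1.1" 200 512',
    '10.0.0.2 - - [28/Nov/2013:10:05:00 +0000] "GET /holiday/deals?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 512',
    '10.0.0.3 - - [29/Nov/2013:11:00:00 +0000] "GET /holiday/../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.3 - - [29/Nov/2013:11:01:00 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 100',
    '10.0.0.5 - - [29/Nov/2013:12:00:00 +0000] "GET /holiday/deals?id=1%20UNION%20SELECT%201,2 HTTP/1.1" 500 0',
]

def classify(path):
    """Return the attack class a request path matches, or None."""
    decoded = unquote(unquote(path))  # decode twice so double-encoded payloads are caught
    for name, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            return name
    return None

def attacks_per_day(lines, prefixes=None):
    """Count classified attacks per day, optionally only for paths under the given prefixes."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group(4)
        if prefixes and not path.startswith(prefixes):
            continue  # restrict to the newly added campaign pages
        day = datetime.strptime(m.group(2).split()[0], "%d/%b/%Y:%H:%M:%S").date().isoformat()
        if classify(path):
            counts[day] += 1
    return counts

def flag_surge(daily, baseline_per_day, factor=2.0):
    """Return days whose attack count exceeds factor times the pre-season daily average."""
    return sorted(day for day, n in daily.items() if n > factor * baseline_per_day)
```

Passing `prefixes=("/holiday/",)` limits the count to the campaign pages added for the season, which is the inventory-then-monitor approach the paragraph above describes.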

“Retail application providers should make sure to be prepared for a wave of cyber-attacks,” Shteiman said.
