After working with many small and mid-sized retailers in 2015, one thing stands out that they all have in common: the assumption that hackers won’t bother with them. Actually, it’s the reverse - criminals have figured out that small companies are easier to penetrate, and go after them more frequently. Why go for one big hack, of say eBay or Facebook, when you can hack 5,000+ sites which NEVER even notice?

In spite of high-profile hacks such as those against Apple, Cisco, or even the US Government, many online retailers still do not believe that they are at risk, or that they may already have been the victims of undetected hacks by criminal groups.

In the 2015 Trustwave Global Security Report, retail was the top industry compromised, making up 41% of the attacks investigated. And 65% of those attacks were against e-commerce sites, where hackers target servers and databases that host card data.

Let’s all put our criminal hat on for a second and think about things.

  1. PII (personally identifiable information) is GOLD to a hacker. It trades easily on the black market (dark web), and its value increases with more in-depth profiles, such as username/password, credit card details, address, bill-to, etc.

  2. Who has PII data readily available? Online retailers!

Cybercriminals are highly skilled technically, and they are also business people who know how to make money. A recent CNN article said this: “According to one European intelligence service, there are 20-30 criminal gangs in the former Soviet Union that have hacking skills as good as most nations. There are many other groups with lesser skills. These criminals are nimble and inventive, and there are thriving cybercrime black markets where you can buy the latest hacking tools.”

A recent Javelin Strategy & Research report found that financial institutions are doing a much better job than retailers when it comes to credit card security. Indeed, there are a number of online marketplaces and forums that exist solely to sell information gained by hackers; for example, Rescator.la sells stolen credit and debit card information. In such places, customer databases from online stores are often the most expensive items on the black market, because they contain correct, up-to-date and complete customer details, sometimes even with credit card numbers.

Completeness is a very important factor for pricing on the black market. One customer record from an online store may generate a penny, while a thousand records can easily generate at least $10, or much more, depending on the records’ quality and completeness. For example, spammers prefer to purchase e-mail addresses from Internet retailers, simply because they will get a higher click-through rate and generate more revenue, as they can send targeted spam (by country, age, wealth, areas of interest, etc.).

Hackers are also interested in the valuable information on shoppers’ computers, so e-commerce web sites are often infected with malware (an exploit pack targeting and exploiting vulnerabilities in Adobe products or popular browsers). Such attacks often remain unnoticed because they are conducted overnight or at weekends, when the security team is away. Experienced hackers can go undetected over a long period. For example, French computer hardware retailer LaCie disclosed in April 2014 that its web site had been breached by a malware attack that went undetected for a year. Following the breach, the retailer recommended that buyers check their credit card statements for any fraudulent charges, and keep an eye on their credit reports in case of identity theft.

The big-name breaches that hit the headlines leave many small and mid-sized e-business owners believing that they will not be attacked, assuming their customer databases are not big enough. This assumption is wrong because in the majority of cases hackers are not looking for customers and data from a specific web shop; they are just looking for commercially exploitable data. The more, the better. It’s much easier, faster and cheaper to hack 50 small e-boutiques than one big one. Moreover, the outcome in terms of the number of stolen customer records will be almost the same, probably even bigger. Imagine how much it costs to compromise Amazon.

Large e-commerce retailers also have much more administrative, financial and legal resources to organize forensics and post-incident investigation, so many hackers try to avoid them. Instead, they often target small retailers that have no capability to fight back.

As only a small number of Black Hats have the necessary skills, time and resources to launch attacks against the biggest players in the e-commerce industry, hackers prefer to compromise a dozen small and medium online shops per day and get their money on the “every little bit helps” principle. Hacker groups use robots, hidden behind proxies, to crawl the Web 24/7/365. They look for known vulnerabilities and outdated versions of web application software, or simply brute-force default or weak passwords. One would be surprised how much information can simply be found via Google. And if you have a crawling farm, you can compromise thousands of web sites per hour.

Against this hacker onslaught, online retailers of all sizes need to employ an arsenal that is as flexible and up to date as the hackers’ tools. Retailers need to ensure that their hosting providers or data centers have stringent security procedures, that content management systems are kept up to date, that third-party code is checked thoroughly before use, and that web sites are regularly audited for weaknesses through a combination of vulnerability scanning and penetration testing.
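The automated probing described above (robots hunting for known-vulnerable paths and outdated software, or guessing weak passwords) leaves a recognisable trace in an ordinary web server access log, and spotting it is one of the cheapest audits a small shop can run. The script below is an added example, not code from the original article or from any product it mentions. It parses sample log lines in the Apache/nginx combined format (the lines, addresses and paths are constructed for illustration) and flags client IPs whose behaviour matches path scanning or password guessing. The thresholds, the `/account/login` endpoint and the window size are assumptions to adjust for a real site.

```python
"""Flag crawler/scanner and login brute-force patterns in web access logs.

Added example, not from the original article. Thresholds, the login path
and the sample log lines are constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format as written by Apache/nginx; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed login endpoint of the shop; change to the real one.
LOGIN_PATH = "/account/login"

# Constructed sample traffic: one path scanner, one password guesser, one ordinary shopper.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:02:14:01 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:02:14:02 +0000] "GET /setup/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:02:14:02 +0000] "GET /backup/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:02:14:03 +0000] "GET /old/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:02:14:04 +0000] "GET /install/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:02:14:05 +0000] "GET /test/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2015:03:00:10 +0000] "POST /account/login HTTP/1.1" 401 88 "-" "curl/7.40"
198.51.100.23 - - [12/Mar/2015:03:00:16 +0000] "POST /account/login HTTP/1.1" 401 88 "-" "curl/7.40"
198.51.100.23 - - [12/Mar/2015:03:00:22 +0000] "POST /account/login HTTP/1.1" 401 88 "-" "curl/7.40"
198.51.100.23 - - [12/Mar/2015:03:00:28 +0000] "POST /account/login HTTP/1.1" 401 88 "-" "curl/7.40"
198.51.100.23 - - [12/Mar/2015:03:00:34 +0000] "POST /account/login HTTP/1.1" 401 88 "-" "curl/7.40"
198.51.100.23 - - [12/Mar/2015:03:00:40 +0000] "POST /account/login HTTP/1.1" 401 88 "-" "curl/7.40"
192.0.2.50 - - [12/Mar/2015:09:12:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2015:09:12:07 +0000] "GET /product/42 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2015:09:12:30 +0000] "POST /account/login HTTP/1.1" 401 88 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2015:09:12:45 +0000] "POST /account/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2015:09:13:02 +0000] "GET /cart HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, time, method, path and status, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def max_in_window(times, window_seconds):
    """Largest number of timestamps that fall inside any window of window_seconds (two-pointer sweep)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, window_seconds=60, scan_min_404=5, scan_min_ratio=0.6, login_min_fail=5):
    """Return {ip: [reasons]} for clients whose requests look like path scanning or password guessing."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            per_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in per_ip.items():
        reasons = []
        # Scanner heuristic: many distinct paths answered 404, mostly misses, clustered in time.
        not_found = [e for e in events if e["status"] == 404]
        distinct_missing = {e["path"] for e in not_found}
        if (len(distinct_missing) >= scan_min_404
                and len(not_found) / len(events) >= scan_min_ratio
                and max_in_window([e["time"] for e in not_found], window_seconds) >= scan_min_404):
            reasons.append(f"probing for missing paths: {len(distinct_missing)} distinct 404s")
        # Brute-force heuristic: repeated rejected POSTs to the login endpoint in a short window.
        failed = [e for e in events
                  if e["method"] == "POST" and e["path"] == LOGIN_PATH and e["status"] in (401, 403)]
        if max_in_window([e["time"] for e in failed], window_seconds) >= login_min_fail:
            reasons.append(f"password guessing: {len(failed)} failed logins")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run against a real log with `analyze(open("access.log").read())`. The shopper who mistypes a password once is not flagged, because the heuristics key on rate and volume within a window rather than on any single failure; tune `window_seconds` and the minimum counts to the site's normal traffic before acting on the output.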