Target and Toys R Us posted overall sales declines during the holidays.
Many small and midsized retailers assume hackers won’t bother with them. But criminals have figured out small companies are easier to penetrate, and go after them frequently, warns a security expert.
In spite of high-profile hacks such as against eBay, many Internet retailers still do not believe that they are at risk or have been a victim of undetected hacks by criminal groups.
In the 2014 Trustwave Global Security Report, retail was the top industry compromised, making up 35% of the attacks investigated. And 54% of those attacks were against e-commerce sites, where hackers target servers and databases that host card data.
However, many online retailers still seriously underestimate the [black] market value of the data they possess and handle. Just take a look at Pastebin.com—the simple online text storage and sharing platform is being used by hackers to store stolen information.
Hackers use Pastebin to prove that they conducted a successful hack. Earlier this year, as part of our security research, we found 311,095 user credentials (login/password pairs) for various services, web sites and e-mails, compromised during the last 12 months. In many cases other personal details, such as credit card numbers, addresses and phone numbers of the victims were also published by the hackers. On average each leak record on Pastebin contained 1,000 user credentials.
Pastebin is just one illustration of the “dark side” of the Internet, where online retailers can check if web site vulnerabilities have been exploited and if their customers’ data is being targeted.
With the rise of the Big Data trend, information collection and analysis is becoming more important for online retailers. With more data comes more opportunity for hackers, who are looking for data/records to sell for profit. A report by Risk Based Security and the Open Security Foundation found that in 2013 there were 2,164 data breach incidents exposing 822 million data records. And 59.8% of reported incidents were the result of hacking, which accounted for 72% of exposed records.
Cybercriminals are highly skilled technically and are also business people, who know how to make money. A recent CNN article said this: “According to one European intelligence service, there are 20-30 criminal gangs in the former Soviet Union that have hacking skills as good as most nations. There are many other groups with lesser skills. These criminals are nimble and inventive, and there are thriving cybercrime black markets where you can buy the latest hacking tools.”
A recent Javelin Strategy & Research report found that financial institutions are doing a much better job than retailers when it comes to credit card security. Indeed, there are a number of online marketplaces and forums that solely exist to sell information gained by hackers, for example Rescator.la sells stolen credit and debit card information. In such places, customer databases from online stores are often the most expensive on the black market, because they contain correct, up-to-date and complete customer details, sometimes even with their credit card numbers.
Completeness is a very important factor for pricing on the black market. One customer record from an online store may generate a penny, while a thousand records can easily generate at least $10, or much more, depending on the records’ quality and completeness. For example spammers prefer to purchase e-mails from Internet retailers, simply because they will get a higher click-through rate, generating more revenue, as they can send targeted spam (by country, age, wealth, area of interests, etc.)
Hackers are also interested in the valuable information on shoppers’ computers, so e-commerce web sites are often infected with malware (an exploit pack targeting and exploiting vulnerabilities in Adobe products or popular browsers). Such attacks often remain unnoticed as they are conducted overnight or at weekends when security team is away. Experienced hackers can go undetected over a long period. For example, French computer hardware retailer LaCie disclosed in April 2014 that its web site had been breached by a malware attack that went undetected for a year. Following the breach, the retailer recommended that buyers check their credit card statements for any fraudulent charges, and keep an eye on their credit reports in case of identity theft.
The big-name breaches that hit headlines leave many small and midsized e-business owners believing that they will not be attacked, assuming their customer databases are not big enough. This assumption is wrong because in the majority of cases hackers are not looking for customers and data from a specific web shop, they are just looking for commercially exploitable data. The more, the better. It’s much easier, faster and cheaper to hack 50 small e-boutiques than hacking one big one. Moreover, the outcome in terms of number of stolen customer records will be almost the same, probably even bigger. Imagine how much it costs to compromise Amazon.
Large e-commerce retailers also have much more administrative, financial and legal resources to organize forensics and post-incident investigation, so many hackers try to avoid them. Instead, they often target small retailers that have no capability to fight back.
As only a small number of Black Hats have the necessary skills, time and resources to launch attacks against the biggest players in the e-commerce industry, hackers prefer to compromise a dozen small and medium online shops per day and get their money on the “every little bit helps” principle. Hacker groups use robots, hidden behind proxies, to crawl the Web in the 24/7/365 mode. They look for known vulnerabilities, outdated versions of web application software or just brute force default or weak passwords. One would be surprised how much information can be just found in Google. And if you have a crawling farm you can compromise thousands of web sites per hour.
Against this hacker onslaught, online retailers of all sizes need to employ an arsenal that is as flexible and up to date as the hackers’ tools. Retailers need to ensure that their hosting providers or data centers have stringent security procedures, that content management systems are up to date, third-party code is checked thoroughly before use and web sites are regularly audited for weaknesses through a combination of vulnerability scanning and penetration testing.