Cyber Experts Discuss Threats Around Online Shopping

By Derek Manky and Aamir Lakhani | November 17, 2022

As many prepare for the holiday season and online shopping remains top of mind, cybercriminals are dusting off their old tricks and preparing for one of the busiest times of the year. With more people shopping online than ever before, cybercriminals are now looking to target the higher traffic flows online as shoppers look for the latest holiday deals.

Fortinet’s FortiGuard Labs’ Derek Manky and Aamir Lakhani provide some insight into how shoppers and organizations can protect themselves. 

Q: How has the threat landscape grown in regard to e-commerce-related attacks? 

Derek: I think the holiday season for online shopping has definitely been a big driver to the growth of e-commerce-related attacks. For example, ever since the pandemic, people have naturally turned to online services, so the distribution of e-commerce attack attempts increased. We’ve seen this surge before, but the difference is that this surge was a big wave last year. We are actively watching how it goes this year already. We also have seen attacks that are preying on shoppers with fake advertisements and phishing.

Q: What are some growing cyberattack trends you’ve seen in the e-commerce space?

Aamir: Within the past several years, the way people are shopping online has evolved significantly. There are virtual queues for people to wait in, items running out of stock before you can make it to check out, and sometimes slower web processing due to high traffic. Attackers understand this and continue to launch attacks on shoppers attempting to exploit this reality. The most common attack trends are phishing, malware, or man-in-the-middle attacks to take over wireless or proxy servers. They’re trying to direct online activity to a specific place, intercept transactions, or trick users in some way for their benefit. Unfortunately, businesses are susceptible to having information stolen too. The online holiday shopping season is usually a hugely profitable period for retailers, but cyberattacks have the ability to turn that all around. 

Derek: Web-based malware is a common attack form during the online shopping season. Cybercriminals place links or ads on trusted websites to lead shoppers away from the secure site they are browsing. This usually comes in the form of irresistible deals showing up on their page to entice users into clicking on the link. It’s easy and efficient for them.

Q: What advice would you give shoppers leading into the online holiday shopping season?

Aamir: Pay special attention to what sites you’re visiting. In the rush and excitement of the shopping season, people tend to become less aware of their surroundings, so always double-check the validity of the site before purchasing anything. Be aware of deals that seem too good to be true. The holiday season has become an online spending extravaganza, and cybercriminals have taken notice. A popular platform for cybercriminals to take advantage of is social media, luring users into clicking advertisements that promote non-existent or counterfeit items. Others may offer vouchers, gift cards, freebies, and contests in an attempt to lure users into websites that have malware (drive-by-downloads), phishing, or payment options that give access to credit cards. I personally make sure I am buying from well-known business establishments. Go to reputable websites or e-commerce sites that you've heard of before, because those will hopefully be safer. Of course, there are plenty of reputable local businesses as well. Make sure you have good security software set up on your systems that will actively look for malware URLs, phishing URLs, and other types of malware that can get into your system. I would also recommend looking for more secure payment options. For example, some banks have begun offering things like dissolvable credit card numbers that are generated for a single transaction. Taking some refreshed cybersecurity awareness training is essential too. 

Derek: I agree, being aware of your surroundings is definitely key. There’s a false sense of security people fall into when it comes to these virtual worlds. It’s also important to make sure all devices are up to date with the necessary software patches. Accessing public Wi-Fi via your personal or work devices tends to be a major security issue as well. Cybercriminals can leverage rogue access points (APs) to hijack public Wi-Fi servers and gain access to your devices. I would advise against connecting to public servers unless connecting through a secure VPN connection. This is definitely a matter of remaining educated and aware of the potential threats and what to do to protect yourself. I agree information security awareness is key.

Q: What should enterprises do to secure their sites and protect customer data in the future? 

Derek: Outdated security is a big reason for repeated cyberattacks. We're still seeing basic misconfigurations on storage buckets and public cloud computing access systems. Some organizations need to have their systems more up-to-date to avoid attacks on vulnerabilities that already have solutions. Multi-factor authentication has also been adopted by many enterprises and is a relatively easy way to secure traffic and lock down some of the basic misconfigurations. Employees need to understand the necessity and not see it as a hindrance.

Aamir: Another trend that is, unfortunately, happening this year is grinch bots. Bots, short for software robots, are computer programs that automate human tasks on the internet. Grinch bots can be employed to scour the internet and social media, reading inventory codes and finding product pages even before items are made available for sale. Within seconds of their availability, the bots buy the products to eventually resell them for a significant upcharge. Grinch bots can be hard to defeat and can be programmed to bypass the “I’m not a robot” captcha clicker. To ensure that customers get their hands on products before bots sell them out, organizations must prioritize and continually enhance their tools and technology to track and block common bots.

Something organizations can consider is looking outside their organization for clues. DRP services are critical for external threat surface assessments, to find and remediate security issues, and help gain contextual insights on current and imminent threats before an attack takes place. The Dark Web is a treasure trove of information and a service like this can help.

Find out more about how Fortinet's Training Advancement Agenda (TAA) and Training Institute programs—including the NSE Certification program, Academic Partner program, and Education Outreach program—are helping to solve the cyber skills gap and prepare the cybersecurity workforce of tomorrow.