The zero-day exploitation of Microsoft Exchange Servers has been all over the news, and many users who haven’t updated the software with the latest patch are in for a potential breach. However, a zero-day attack is only one of the attack vectors cybercriminals use – and it isn’t the most frequent web security threat either.
With online shopping gathering popularity, eCommerce sites have become common targets to cybercriminals. Furthermore, by analyzing the cyber attack data from last year, you can estimate how the security threats will pan out this year and prepare your sites with security measures to mitigate risks.
Let’s take a closer look at the main security threats in 2020 and learn how to protect your site in 2021.
eCommerce Cyber Attack Trends
There’s no doubt that the global pandemic fueled the growth of eCommerce. Research shows that online shopping grew by over 30% in 2020 compared to the previous year. Furthermore, estimates show that online shopping in the US will reach 19.2% of total retail sales by 2024, compared to 14.4% in 2020.
With their growing popularity, online stores are also targeted more by cybercriminals looking to extract data, gain access to accounts, or render your site offline altogether. You should also consider that these assailants aren’t only targeting large corporations or high-traffic websites. Business websites, small online stores, and blogs are also chosen as targets because of more relaxed security measures.
However, knowing the latest trends can help you stay aware and be proactive in implementing tighter security controls. More thorough website defense methods can discourage cybercriminals from targeting and attacking your site altogether.
The Rise of Credential Stuffing in eCommerce
In essence, credential stuffing attacks mainly use compromised login information to access users’ accounts. With a successful attempt, assailants can get their hands on sensitive data such as bank details, home addresses, phone numbers, and other information. The acquired data can then be used in other cybercrimes or sold on the dark web.
Research conducted by Akamai found that from July 2018 to June 2020, there were over 62 billion credential stuffing attacks that targeted the retail, travel, and hospitality industries. Furthermore, more than 90% of these attacks targeted the retail sector alone. It’s also worth mentioning that the majority of targeted online stores were in the US.
The login credentials that cybercriminals use to launch this type of attack mainly come from data breaches, where the data-packet was either bought on the dark web or acquired first-hand by the assailants.
Here are some of the most significant data breaches from last year:
- MGM Resorts International data breach - over 142 million guest records compromised
- Marriott International data breach - 5.2 million guest records compromised
- Zoom data breach - 500,000 unique username and password combinations leaked
Since Internet users tend to reuse the login combinations on other sites, the probability of a successful account takeover is more likely to happen.
SQL Injection - The Most Popular Attack Vector of 2020
Cybercriminals use various attack vectors to target a previously identified site vulnerability. With the majority of sites and online stores using the same core structures, it makes targeting them with particular vectors quite efficient.
According to Akamai’s research, the most popular attack vectors against retail, travel, and hospitality industries were SQL Injection (SQLi) and Local File Inclusion (LFI), with 79% and 14%, respectively. Together, both of these attack vectors reached almost 93% of the total vectors used.
An SQLi attack occurs over a data input to execute predefined SQL commands; an LFI attack occurs when a site accepts file uploads without proper validation. In broad terms, both are related to the user’s input data as a vulnerability that cybercriminals can exploit.
Larger Distributed Denial of Service Attacks on eCommerce
A successful DDoS attack aims to overwhelm the site’s server with requests and traffic to disable it and take the site offline. While a DDoS attack can be used primarily to take down a site, criminals can also use this method in combination with other attack vectors. Furthermore, on top of regular websites, databases, and online stores, cybercriminals also target website hosting companies due to their extensive archive of information.
Recent trends show that DDoS attacks are becoming more sophisticated and targeting multiple vulnerabilities at once. Netscout found an increase of 2,815% from 2017 to 2020 in attacks using 15 or more attack vectors. The most commonly used angles were ones that targeted CLDAP and DNS protocols.
DDoS attacks are also getting more extensive and prolonged compared with previous years. In February last year, Amazon Web Services (AWS) reported that they mitigated the largest DDoS attack they’ve ever received, which was about 44% larger than any other attack previously blocked. While most DDoS attacks remained under 1 Tbps, the one AWS reported reached a peak volume of 2.3 Tbps.
The majority of 2020 DDoS attacks targeted the entertainment sector (39.6%), but the third most attacked sector was the online retail industry which received more than 14% of the total DDoS attacks. With the increase of online shopping’s popularity, more cybercriminals started eyeing eCommerce sites as well.
How to Protect Your Site Against Web Security Threats in 2021 and Beyond
Following the trends from last year, we know that protecting your site against the most common attacks is of utmost importance. Furthermore, these trends give us a good idea of what we’re up against and how we should approach securing our site against potential threats.
Hosting your site on your own servers puts you in charge of all security measures. However, if you use a hosting service, take inventory of the provided security methods. A study of over 35 different web hosting services found that not all hosting companies offer the same web security coverage. You can find hosts that only provide you with an SSL/TLS certificate, while some offer DDoS mitigation, security monitoring, and other cybersecurity elements. So, make sure to pick the most security-minded service or bolster up the threat mitigation with additional methods.
Still, even with the default security measures, it’s best to assess the threat level and use further means to mitigate additional risks of a potential breach or an attack. So, let’s look at how you can protect your site this year and which security measures you definitely want to have in place.
How to protect against brute force and credential stuffing attacks
The main goal for brute force and credential stuffing attacks is to access a site’s user or admin account. While a brute force attack method primarily relies on the assailant trying to guess the password, a credential stuffing attack uses a database of information previously acquired.
The most straightforward defense against these types of attacks is creating a unique and strong password. Furthermore, using a robust authentication process also mitigates the risk of a compromised account as the cybercriminals must get access to multiple pieces of information or even a physical device to complete the attack successfully. Also, consider a Public Key Infrastructure (PKI) platform that allows you to fine-tune users’ permissions, define user roles, and assign privileges to mitigate the risk of a possible data breach making the whole codebase and database vulnerable.
While a compromised user account poses a security risk to the user’s data and sensitive information, a compromised admin account can do even more damage. On top of straightforward solutions, you can further mitigate the risk by implementing a physical element to the login process, such as a token or smart card. The requirement of a physical object’s presence during login and account usage makes it near impossible for cybercriminals to gain access to accounts and unlock a computer or other hardware.
How to protect against injection attacks
Among the various injection attack vectors, SQLi is the most used option by cybercriminals. It targets the vulnerabilities and loopholes of the SQL-based code. The assailant can then insert a piece of code within the codebase that compromises data security or even gives admin-level access to the criminal.
The risk mitigation for injection attacks starts from the sanitation process of your codebase. Using parameterized statements, Object Relational Mapping (ORM) frameworks, and sanitizing user inputs are a few suggestions that lead to avoiding an SQLi attack.
Furthermore, using a multi-factor authentication process is also helpful. When using this security element together with privilege limitations, you can further mitigate risks of widespread damage in case of a successful injection attack.
How to protect against DDoS attacks
DDoS attacks cause a considerable traffic load for your servers in an attempt to render them offline and not process any other requests. However, cybercriminals can use this type of attack as a precursor to breach additional defense mechanisms that are also vulnerable during a DDoS attack.
Since DDoS attacks aim to overwhelm a server, the best defense is to use a load balancer so when an attack occurs, additional resources can be directed to the site helping it remain functional. You can also mitigate risks by choosing a website hosting service that offers scalable resources in case your site experiences more traffic. Finally, you can use a Content Delivery Network (CDN), which also helps spread your resources around, so your site is less affected by an attack.
Due to the DDoS attack’s nature to potentially cover up additional breaches, you can bolster your security further by using a Web Application Firewall (WAF). The most common attack vectors covered up by a DDoS attack are injection attacks and Cross-Site Scripting (XSS). A WAF can help protect your servers against both attack vectors, so even if a DDoS attack is successful, they still need to bypass the firewall as well.
Why It’s Important to Act Now
Website and online stores suffer from cyber attacks every day, and in this article we’ve covered some of the most used vectors by cybercriminals. By strengthening your site’s security based on last year’s cyber attack trends, you can reduce your chances of being targeted and suffering a successful breach.
You don’t have to be a cybersecurity expert to increase your site’s security either. Creating stronger passwords, using a multi-factor authenticator, keeping your codebase sanitized, using a load balancer and a CDN, and utilizing firewalls are some of the most straightforward steps towards keeping your site secure.
Start by taking inventory of your current security measures and identifying potential areas that might create a risk. You can then systematically eliminate those risks based on the most common threats and continue bolstering your defenses against even the more sophisticated attack vectors.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.