Any property must be protected. Especially if it's expensive. Your e-commerce site contains corporate information as well as user data. Therefore, it requires the mandatory implementation of cybersecurity measures.
In this article we will tell you exactly what to pay attention to, in order to keep your resource, small business, and company safe.
What kind of attacks might a website face?
Many of the scammers' tricks seem familiar. In the age of technology, talking about threats on the Internet is not out of the ordinary. However, we don't know much about them. There are multiple types of cyber scams such as phishing, malicious bots, MySQL injection and today we are going to discuss all of them.
You can spot phishing attacks, when cybercriminals try to get administrative access such as user name and passwords. By different kinds of methods some are easy to spot and some are more sophisticated. Therefore, don't ignore them and here is what to look out for.
In 2019, 65% of companies in the United States were successfully phished. Phishing is mass emailing. The goal is for the user to follow a link that contains a virus.
The visitor is directed to a site that visually resembles an authoritative resource. For example, it can be a page similar to your bank's Internet banking, where you, without suspecting anything, enter your profile data. Thus, fraudsters will reveal your personal information and can use it for their own purposes.
It might look like this:
Hello,Dear customer, your personal account may be blocked if you do not follow the link immediately and do not follow all the steps suggested in the instructions.
Regards, (Company Name)
Phishing can look like this:
- Modified urls. These are URLs that visually duplicate the name of the actual company URLs, but may miss one letter. Therefore, be careful and make sure that it is authentic before following the link.
- Fake phone calls or emails. Fraudsters can call or write on behalf of a company representative and demand the provision of personal information. Never share this information with anyone until you are sure you are not dealing with scammers;
- Malware embedded in an email or a link. This is one of the most common hacks. Do not follow dubious links and use only certified programs to avoid intruders' tricks;
- fake order pages. Scammers can fake the order page in the store and get your personal data;
- Suspension of PayPal accounts. This is the method through which criminals try to take over your accounts and use your money for their own purposes. Often they send letters from fake email boxes and try in every possible way to find out information about your accounts and other data that allow you to spend your money. If the letter seemed suspicious to you, do not reply to it and contact the real representatives of the company.
A phishing attack can cost up to $1.6 million for a medium-sized company. Therefore, it is important not only to know about it but to protect your business. We have collected some information that will be useful for this.
What to look out for
- Attacks become more sophisticated. In the first quarter of 2020, scammers have become less likely to try to obtain passwords and usernames. Keyloggers are used instead of it (programs that register user actions, namely keystrokes on the keyboard, movements and keystrokes of the mouse, etc.). These attacks are harder to stop. Primarily because they don't look suspicious. One of the common tactics has become the compromise of corporate email. The email address can be visually very helpful to the real one, however one or more letters will differ. For example, the real address is firstname.lastname@example.org, and attackers will use this option email@example.com. Such a trick is difficult to spot right away, which is why it is popular among scammers.
- The best defense is human intelligence. No technology can replace knowledgeable employees. In 2018, a large medical company was targeted by a phishing attack. However, reports from people about receiving suspicious letters allowed the security center to react quickly. The attack was stopped in 19 minutes.
- Don't rely on HTTPS. SSL no longer guarantees security. It is a protocol that is designed to provide a secure connection. Over the years, people have learned to distinguish between HTTP and HTTPS, going only to sites with the appropriate certificate. However, today the encryption protocol is also used by fraudsters. By the end of 2019, 74% of phishing sites had TLS, or SSL.
- One of the popular tactics is sextortion. It differs in that a person's emotions are used to stimulate the sending of the ransom. For example, fear or panic. Cofense discovered a sextor botnet. In June 2019, it had 200 million email addresses. Soon, their number increased by 330 million. Therefore, it is important to work on people's awareness. If you want to protect your business, be sure to pay attention to informing and training employees. In this case, the sextortion will not work.Often cashback bonus services offer incredibly high payouts. This should alert the user.
- Who are the main targets of phishing attacks? This is important information. Every company has to take care of cybersecurity. However, if the business belongs to the “appetizing” category for fraudsters, then security measures must be implemented as a matter of priority. Most often phishing attacks.
- Companies using SaaS (33,5%)
- Financial companies (19.4%);
- Users of payment services (13.3%);
- Social networks (8.3%);
- E-commerce (6,2%).
They are one of the relatively new attack methods. And this is the main basis for researching their work. Such bots are self-propagating and are created to perform certain actions/tasks. They crawl (browse) the site first. In the process, security vulnerabilities are found. Then one of two things: the information is sent to the bot-master, or is used to perform a specific action.
Thus, the security of your site may be at risk. By resorting to such attacks, cybercriminals most often pursue commercial goals. They can steal your customer base and sell to competitors, or blackmail you for a lump sum in return for nondisclosure.
There are many such attacks and there is no single solution to prevent or resolve them. Therefore, it is advisable to have a separate technical specialist on staff who will be involved in protecting your site. In the event of an attack, he will be able to quickly respond to malicious activity and minimize the damage from this.
Fraudsters' attacks on websites and programs via MySQL injection
E-commerce sites must pay attention to protecting against this threat. The essence of this attack is getting access to the database. Fraudsters detect loopholes in the back-end of the site or web applications and run malicious code. The latter is included in the request. After doing this, the fraudster gains not only access but also control over the target's database.
Most often, penetration is carried out in one of three ways:
- Errors in the e-commerce website;
- Security vulnerabilities in user code;
- Bugs in third-party modules.
For reliable protection against this type of attack, you must carefully monitor the SQL server. This will help you to spot mistakes in time.
How to protect your e-commerce site? 5 recommendations
- Make the resource PCI compliant. It is important to be absolutely sure of this. This measure is not a complete guarantee of the site's security, but it can stop a large number of fraudsters.
- Create a secure connection. Use VPN for work in public places and for remote work. This will help to prevent information leakage and protect you from the malicious intent of intruders. VPN is software that allows you to make IP dynamic. Thus, the use of the Internet becomes safe.
- Install Web Application Firewall. It is a cloud service that sits between the site server and the data connection. Becomes the gateway through which incoming traffic passes. This allows WAF to track unwanted traffic and block hacking attempts.
- Continuous learning. It is important to stay updated on the news. Hacker attacks are becoming more sophisticated. Therefore, knowledge that will help protect yourself today may not be enough in six months. Check back regularly for updates on specialized resources. Also pay attention to the releases of fresh versions of the software used by the site. Follow and update. The developers themselves look for security vulnerabilities and fix them in the latest versions.
- Ensure the safety of the administrative pages. Adding them to your robots_txt file will prevent search engines from indexing them. This is a file that makes it clear to search robots which pages / files on your site can be processed and which cannot.
- Limit access to features. Give access to employees only if they really need it for work. Remember that the more access you open, the more vulnerable your system will become.