The holiday season: A cybercriminal’s winter wonderland

It’s the most wonderful time of the year – for cybercriminals, that is. With online sales surging, major commercial holidays like Black Friday and Cyber Monday bring plenty of cyberthreats for both companies and consumers.

Aware of the uptick in traffic around the holidays, cybercriminals are waiting to strike. Last year’s Cyber Monday deals raked in nearly $8 billion, according to Adobe. The report also reveals that the weekend before Cyber Monday was the biggest weekend of the year for online shopping. In 2018, SimilarWeb reported massive jumps in web traffic during the holiday season. During October, average daily visits of the top 100 websites neared 149 million. On Thanksgiving, that number doubled with more than 297 million visits and, on Black Friday, that number reached 344 million visits.

To mitigate threats this holiday season, businesses should assess their security readiness now to protect against two attack vectors: web-skimming and bot attacks. Here is what these attacks entail, along with the best steps to take to ensure websites are protected ahead of the holiday shopping season.

Web-skimming attacks

According to Generali, 71% of Americans expect their financial and personal information to be compromised during the holiday season. They have good reason to believe it, too.

Web-skimming attacks occur year-round and are on the rise, but they are most active during the holidays, when the pool of potential victims is largest. In this approach, cybercriminals compromise a website, either through the site’s own code or, more commonly, through a third-party JavaScript library the site loads, and inject code designed to siphon information from online payment forms, such as passwords and credit card numbers. Because the injected script runs in the shopper’s browser with the same access as the site’s own code, it can read card details as they are typed and send them to a server the attacker controls, without the transaction ever failing.

Because it’s only a matter of time before malicious code is detected, cybercriminals wait to inject it until the window that yields the most profit. The holidays are that window: more people are buying online and thus sharing more sensitive information.

Bot attacks

Malicious bot attacks are growing more common and sophisticated, according to a recent LexisNexis report. These bots navigate different parts of a webpage, scroll at an average human speed, and appear online during business hours, making them almost impossible to distinguish from an actual human. The attacks come in a variety of forms: credential stuffing, inventory holding, and credit card and gift card fraud.

Inventory holding attacks are particularly frustrating during the holidays. These attacks occur when automated bots add products to shopping carts without purchasing them, preventing real customers from accessing them. Alternatively, an attacker could hold inventory to sell the products elsewhere at a higher price. If this happens on Black Friday, a company’s sales could plummet. It’s also incredibly disappointing for customers looking to cross items off their holiday list.

Although these kinds of attacks are a year-round issue, gift card fraud causes headaches for businesses both before and after the holidays. In this attack, bots submit guessed card numbers to a balance-check or redemption form, in volume, until one lands on a loaded card. When a guess succeeds and the balance is drained, the real customer finds the card “invalid” at checkout and blames the company.

What steps can organizations take to secure a website for the holidays?

1. Regularly review your website’s code and act on alerts. – If you regularly analyze your site’s code, you’ll catch something that shouldn’t be there sooner. Regular software testing can be time-consuming and costly, but it’s a necessary step in any security practice. How often you should test depends on your company’s size, the likelihood of being targeted, and compliance requirements.

Even if you’re constantly reviewing your own code, you can still miss problems in third-party code. You likely use third-party JavaScript, like a chat widget, on your site; take an inventory of it and hold it to a high standard. Heavily vet the software integrity of every third-party vendor you add to your site, and either pin each script with a Subresource Integrity hash, so the browser refuses to run a file that differs from the version you reviewed, or host a copy on your own domain where you can oversee and protect it. Self-hosting has a cost: you also take on the job of applying the vendor’s security updates.

2. Protect your site from browser-side skimming. – By regularly reviewing your site’s code and noting third-party code, you’ll spot weaknesses that attackers can exploit. Most WAFs secure a site’s backend against application-level attack vectors, but this protection only extends so far. Some of today’s most concerning attacks, like web-skimming, happen in the end user’s browser, where WAFs can’t reach.

First, take a zero trust approach to security. Treat every script as untrusted by default: allow-list only the code that needs to run on the page, restrict the destinations the page may send data to, and keep cookies and payment form fields out of reach of any script that doesn’t need them. Third-party code lends functionality to your site, but remember that it could hide dangerous backdoors.

Additionally, consider using iframes, which place third-party content, such as payment processing code, in an isolated environment within the browser window. Served from a different origin, the iframe’s contents are walled off from the main page by the browser’s same-origin policy: first-party and third-party code cannot read each other’s form fields or DOM. Similarly, be cautious of where you place third-party code. A chat widget on the checkout page is convenient for customers, but it also puts a vendor’s script on the same page as the card fields; weigh that risk before adding it.

Finally, the only way to secure your web app from these attacks is to extend your web app security beyond the edge and directly into the browser, where the skimmer actually runs.

3. Protect against malicious bots. – With bot attacks on the rise, businesses should have a comprehensive bot mitigation strategy in place. Because these bots now intelligently mimic humans, traditional bot solutions with just anomaly-based detection aren’t entirely effective.

Anomaly-based detection inspects traffic at the origin, looking for irregular requests or patterns and comparing source addresses against a database of known bots, but it misses bots that simulate human behavior or that originate from botnets spread across many addresses. Modern bot solutions blend anomaly detection with a client-side, fact-based approach that collects additional signals in the browser. Combined with anomaly data, this approach can block, monitor, or serve alternative content to sophisticated bots.

More than anything, it’s essential to implement smart security strategies throughout the entire year. The holiday season sees an incredible surge in e-commerce as millions more people enter their credit card numbers and other sensitive information into web forms. But when it comes to preventing holiday hacking, businesses are too late to the game if they only begin thinking about security in November.

Taking a more proactive approach, combined with the tips outlined above, will mitigate vulnerabilities throughout the entire year, meaning a company will be less susceptible to an attack when the holidays arrive.