David Warburton, Principal Threat Evangelist at F5 Networks, explains why consumers and retailers alike should be alert for the next few months
The seasonal ecommerce feeding frenzy is always big news. Hyperactive online activity and potentially compromised purchasing, promotion and sales behaviours are like a red rag to a bull for enterprising cybercriminals.
From denial of service (DoS) attacks shutting down retailers in their revenue-generating prime to ransomware campaigns extorting your hard-earned spending money, there’s a world of banana skins out there.
Formjacking is one of this year’s most notable threats and is, according to F5 Labs’ 2019 Application Protection Report, now one of the most common web attack tactics in play. It was responsible for 71% of F5 Labs-analysed, web-related data breaches in 2018.
As more web applications connect to critical components such as shopping carts, card payments, advertising and analytics, vendors become an outsized target. Code can be delivered from a wide range of sources – almost all of which are beyond the boundaries of usual enterprise security controls. Since many websites make use of the same third-party resources, attackers know that they just need to compromise a single component to skim data from a huge pool of potential victims.
Phishing is also a perennial favourite. Attackers don’t have to worry about hacking through a firewall, finding a zero-day exploit, deciphering encryption, or rappelling down an elevator shaft with a set of lockpicks in their teeth. It is far easier to trick someone into handing over their credentials. The hardest part is coming up with a convincing email pitch for people to click on, and a fake site to land on.
Interestingly, F5 Labs suggests that phishing is no longer as seasonally specific or predictable. Last year, the F5 Security Operations Centre (SOC) reported a 50% phishing attack spike between October and January. That is changing, driven in part by social media making personal data freely available at any time. While that is another story in and of itself, phishing will invariably figure prominently for the next few months.
Consumer awareness
Judgement can go out the window when all those eye-popping discounts hit, even for the most cyber-savvy consumer. Top tips to avoid getting hoodwinked include:
• Looking out for obvious red flags. Don’t shop using search engines. Manually visit trusted websites. Always scan for wording or formatting errors that could be symptomatic of fakery.
• Surfing safely. Only shop via locations that are encrypted, as demonstrated by the ‘https’ prefix and a padlock symbol in the browser.
Don’t be lured into a false sense of security though. The F5 Labs 2019 Phishing and Fraud Report found that phishers continue to push for deceptive credibility, with as many as 71% of phishing sites using HTTPS to appear more legitimate. The most impersonated brands and services are Facebook, Microsoft Office Exchange, and Apple.
• Thinking before clicking. Phishers often send convincing emails asking for personal or financial information – something brands would not normally do. The Phishing and Fraud Report notes that phishing emails are three times more likely to have a malicious link than an attachment. Steer clear of both.
• Challenging transactions. Don’t take the bait if a website asks for third-party payment. Contact the retailer directly if you’re unsure.
The challenge for retailers
Retailers need to protect both operations and customers. The costs of slipping up are significant. IBM’s 2019 Cost of a Data Breach Report revealed that the global average, per-record cost of a retail breach is $119 (up 1.7% year-on-year).
Recommended security must-haves include:
• Anti-fraud toolkits. It is essential to have the wherewithal to determine transactional inconsistencies, such as a regular customer’s card being used on a foreign device.
• Verification tools. Multifactor authentication should be implemented on any system connecting to high-impact assets. Ideally, application-layer encryption can also supplement TLS/SSL to maintain confidentiality at the browser level. Enhanced levels of application-layer visibility and control can mitigate distributed and polymorphic injection risks.
• Protect consumers. Attackers go after the poorly protected. Tokenisation and in-app encryption can protect personal and financial details during the check-out process.
• Create an inventory of web applications. The process should encompass a thorough audit of third-party content. The process is complicated by third parties linking to other websites with a tendency for substandard security controls.
• Vulnerability scanning. CISOs increasingly recognise the importance of running external scans to get a hacker’s eye view of the situation. This becomes even more important when huge quantities of content are assembled at the last minute on the client-side.
• Monitor for code changes. Regardless of where code is hosted, it is important to stay informed, whether or not new vulnerabilities are emerging. This means monitoring GitHub and AWS S3 buckets, as well as native code repositories.
• Implement web filtering solutions to prevent users from inadvertently visiting phishing sites. When a user clicks on a link, the solution blocks outbound traffic.
• Inspect encrypted traffic for malware. Traffic from malware communicating with command and control servers over encrypted tunnels is undetectable in transit without some form of decryption gateway. It is vital to decrypt internal traffic before passing it to incident detection tools.
• Improve reporting mechanisms. Incident responses should include a streamlined and guiltless method for users to flag suspected phishing.
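As an added illustration of the "inventory of web applications" and "monitor for code changes" items above (example code written for this article, not an F5 tool), the script below records Subresource Integrity hashes for the third-party scripts a checkout page loads and reports any script that changed, disappeared or appeared since the audit. All URLs and script bodies are constructed samples; in practice the current bodies would be fetched from the live page.

```python
import base64
import hashlib


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ("sha384-<base64>") for script bytes."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def check_third_party_scripts(inventory: dict, fetched: dict) -> dict:
    """Compare freshly fetched script bodies against the audited inventory.

    inventory: {url: SRI value recorded at audit time}
    fetched:   {url: bytes currently served from that URL}
    Returns scripts whose content drifted ("changed"), scripts no longer
    served ("missing") and scripts served that were never audited ("unexpected").
    """
    report = {"changed": [], "missing": [], "unexpected": []}
    for url, expected in inventory.items():
        if url not in fetched:
            report["missing"].append(url)
            continue
        algo = expected.split("-", 1)[0]  # reuse the algorithm named in the SRI value
        if sri_hash(fetched[url], algo) != expected:
            report["changed"].append(url)
    for url in fetched:
        if url not in inventory:
            report["unexpected"].append(url)
    return report


# Constructed baseline captured during the audit (hypothetical URLs and bodies).
BASELINE_SOURCES = {
    "https://cdn.example-analytics.test/track.js": b"window.track=function(e){/* analytics */};",
    "https://pay.example-psp.test/checkout.js": b"window.checkout=function(f){/* tokenise card */};",
}
INVENTORY = {url: sri_hash(body) for url, body in BASELINE_SOURCES.items()}

# Constructed "current" fetch: checkout.js gained code nobody approved, and a
# script that was never inventoried is now being served.
CURRENT_SOURCES = {
    "https://cdn.example-analytics.test/track.js": BASELINE_SOURCES["https://cdn.example-analytics.test/track.js"],
    "https://pay.example-psp.test/checkout.js": BASELINE_SOURCES["https://pay.example-psp.test/checkout.js"] + b"/* unreviewed appended code */",
    "https://cdn.example-analytics.test/extra.js": b"/* not in inventory */",
}

if __name__ == "__main__":
    print(check_third_party_scripts(INVENTORY, CURRENT_SOURCES))
```

Any non-empty "changed" or "unexpected" entry is a signal to pull the component from the page and review it before the next checkout.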
It is going to get noisy out there. Bargains will be had. Retail records will fall. Data will be stolen, and reputations will be dented. Distractions are everywhere. We all need to do our bit to pre-empt and snuff out cybercriminals’ inevitable seasonal buoyancy.