Hackers line up for bumper payday ahead of record breaking Black Friday


The season for Black Friday and Christmas shopping is upon us and this year it’s predicted there will be record numbers of online shoppers looking for a bargain. Huge surplus stock means there are big discounts available.

There are sales value predictions from analysts wherever you look, but they generally say the same thing: Black Friday will be a bumper day, generating $10 billion in online sales, and Cyber Monday will be the biggest online shopping day of the year, with takings of $12.7 billion, a 35% jump year on year.

Extraordinary numbers you have to agree, but unsurprising given every retailer will be desperate to make those predictions a reality and claw back the billions lost in sales this year. And with varied restrictions around the country, and lockdowns coming and going, it’s no wonder there will be a boom – people just aren’t out shopping, nor do they have the patience for a socially distanced scrum.

It’s not just e-commerce that will need to take the weight of bargain hunters. Royal Mail announced parcels will outstrip letter delivery for the first time this year. One delivery network even suggested lockdown Black Friday should be ‘halted in its tracks’ to avoid network collapse, with expectations there will be a record 592 million parcels hitting the system before Christmas.

It’s hard to believe how different life is in just a few months. At the start of the year these sorts of numbers weren’t on the cards. Yet here we are. The world of retail has adapted, to a scale that many retailers didn’t have down on the business plan.

In fact, in March, many had to bring forward long-range plans to move to the cloud by years. It was the only way to scale and mobilize digital operations, get contactless payments in place, introduce click and collect, provide alternative customer service options, and get more varied delivery options live.

Golden Quarter could be very dark

There was however a downside to the acceleration and that was the fact that hackers had a field day. Companies reported a 40% increase in cyber-attacks during the lockdowns at the start of the year. That’s because moving to the cloud and adding new applications to drive new operating models resulted in a bigger attack surface. There were more routes into the network that attackers could exploit and there was more data to steal.

With this backdrop, and looking back at previous attack patterns on Black Fridays, it’s likely that this Golden Quarter for retail could be very dark if measures to defend against attacks aren’t put in place.

Among the most likely types of attack we’ll see over Christmas are account takeovers (ATO) using a method called ‘credential stuffing’, whereby automated bots, also known as Grinch Bots, are used to test stolen customer data and login credentials against those held by e-commerce sites. If the bots find a match, hackers can log in to steal and use credit card information, gift cards and hard-earned loyalty points, or sell the verified data on the dark web.

The abundance of phishing scams over the pandemic has provided hackers with plenty of personal information to play with. It’s for this reason I predict we’ll see a 1000-fold increase in the use of ‘Grinch bots’ this holiday season, compared to the 400-fold increase we saw last year.

It’s not the only activity we’ll see though. There are six more threat types retailers should be ready for:

Threat types

Data breaches: e-commerce operations require personal and sensitive data to operate, including mailing addresses, email addresses, phone numbers, payment details stored for convenient checkout, etc. Hackers will target this data for extortion or sell account lists on underground forums so they can be used for ATO attacks.

Service degradation and disruption: can be the result of aggressive ATO campaigns but also of targeted distributed denial of service (DDoS) attacks. Malicious actors can get hold of a hacker working as a ‘DDoS for hire’ or, for as little as $10 per month, subscribe to one of the illegal booter and stresser cloud services, which can unleash enough force to make a website unresponsive or take it down completely.

Carding: an automated form of payment fraud in which lists of credit/debit card data are tested against a merchant’s payment processing system to verify the stolen card details, so they can be used to illegally purchase goods, to cash out the cards, or be sold on the dark web.

Price scraping: the process of using bots for illegal competitive price monitoring. Competitors employ this strategy to copy dynamic pricing information so they can attract price-sensitive buyers by setting their prices lower than baseline prices in the marketplace. While pricing information is generally available to consumers, price scrapers use it to undercut competitor pricing systematically. Unusual traffic volumes are a sign this is happening.

Cart abandonment: this happens when competitors and fraudsters use bots to add items to shopping carts on ecommerce sites but never buy them, so the stock is tied up and can’t be sold to legitimate customers.

Supply chain attacks: this is where a third-party service, such as outsourced payment processing or online advertisement services, is breached and then used to inject malicious JavaScript code into target ecommerce sites and steal customer data. Targeting third parties in this way is lucrative because they often have contracts with many ecommerce sites, so hackers can compromise many companies in one go.

It’s a long list, and the tactics vary according to the spoils hackers want to walk away with. However, it is a realistic list. All of these attacks have happened throughout the pandemic at a high rate, and they will continue, especially now that hackers have a taste for success.

Black Friday provides a fertile hunting ground. The hard work of phishing during the year has been done. The ammunition is in place – hackers don’t need to work hard to line themselves up for a mega pay day.

Staying ahead

Retailers have to assume that as millions flock online to grab a bargain, hackers will swoop in and catch consumers and retailers off guard.

It’s therefore imperative to review the technology that’s been adopted this year, look for vulnerabilities in the applications and patch them. A number of CISOs admitted that they relied on their service provider for security, but this misplaced trust was their downfall: the measures weren’t enough, and they were breached.

It’s a lesson that good enough isn’t enough. It’s essential to put in place your own measures too, and in particular ways to continuously monitor for signs of attack. For example, unusual log-in traffic patterns would be a clue that credential stuffing is happening. But you can’t have a person glued to these metrics every minute of every day. It’s not a good use of human capital.

So, what’s the answer? In terms of technology, bots work much faster than the human brain, so automation, use of big data and crowdsourced intel are the only way to stay ahead of the bad bots that will be deployed at scale. In short, retailers need automated systems and processes that can detect anomalies and react in real time. Without such methods in place, retailers risk not just a breach but reputational fallout. At a time when so much is at stake, anything that erodes trust and damages your brand has to be avoided at all costs.
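As an added illustration (not code from the article or from Radware) of the automated check described above, here is a Python rule run over a constructed login audit log: it flags sources that try many different accounts with mostly failed logins, the traffic pattern of credential stuffing, and lists the accounts that did get in from such a source so they can be protected. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed login audit log (not real traffic); assumed line format:
# "<timestamp> ip=<source> user=<account> result=<OK|FAIL>"
SAMPLE_LOG = """\
2020-11-27T00:00:01Z ip=203.0.113.5 user=alice result=FAIL
2020-11-27T00:00:01Z ip=203.0.113.5 user=bob result=FAIL
2020-11-27T00:00:02Z ip=203.0.113.5 user=carol result=FAIL
2020-11-27T00:00:02Z ip=203.0.113.5 user=dave result=OK
2020-11-27T00:00:03Z ip=203.0.113.5 user=erin result=FAIL
2020-11-27T00:00:04Z ip=198.51.100.7 user=alice result=FAIL
2020-11-27T00:00:15Z ip=198.51.100.7 user=alice result=OK
"""
LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(OK|FAIL)")

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)     # every account tried
    ok_users: set = field(default_factory=set)  # accounts that got in

def summarise(log_text):
    # Aggregate login attempts per source IP.
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not (m := LINE_RE.search(line)):
            continue  # skip lines not in the assumed format
        ip, user, result = m.groups()
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "OK":
            s.ok_users.add(user)
        else:
            s.failures += 1
    return stats

def flag_credential_stuffing(stats, min_users=5, min_fail_ratio=0.7):
    """{ip: (distinct_users, fail_ratio)} for sources trying many accounts
    and mostly failing; one customer retrying their own password does not."""
    flagged = {}
    for ip, s in stats.items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = (len(s.users), round(ratio, 2))
    return flagged

def accounts_to_protect(log_text):
    """Accounts that got in from a flagged source: candidates for a forced
    password reset or a step-up check before checkout."""
    stats = summarise(log_text)
    return {u for ip in flag_credential_stuffing(stats) for u in stats[ip].ok_users}
```

A per-source rule like this misses stuffing spread across thousands of IPs making one attempt each; that is where the shared, crowdsourced intel mentioned above comes in.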

Retailers have a chance to make this the Golden Quarter they planned for at the start of the year. But hackers also know they can engineer a bumper pay out if they get their tactics right. The trick for retailers will be to defend to the hilt and come out on top.

Pascal Geenens, director of threat intelligence, Radware