Black Friday and Christmas are considered a blessing and a curse within the retail industry. It’s a time where retailers can expect to see a huge boom in sales as everyone makes a mad dash to take advantage of discounted prices and make sure they don’t miss anyone off their gifting list. So, of course, it’s all hands on deck for those working in the industry. However, the increase can come at a price as brand-name consumers become a prime target for cybercriminals globally.
Just last week the FBI put out a Public Service Announcement (PSA) reminding the public to be aware of the risks regarding Brand Phishing. The warning goes on to note “cybercriminals are very likely developing and selling scamming tools to trick consumers of brand-name companies into revealing personal account information to compromise accounts and bypass online security protocols, most notably two-factor authentication (2FA).”
Businesses around the world could find themselves or their customers a victim of identity theft or have their payment details stolen, which is not something you want to happen at the best of times, let alone just before the holiday season. A report from the National Cyber Security Center (NCSC) warned over 4,000 small businesses about payment portals that have been compromised within their websites. Most of these compromises were noted to be caused by vulnerabilities in the Magento open-source e-commerce platform known as the Magecart attack. The vulnerability could put a business in danger when consumers use first-party payment options within some e-commerce platforms.
A Magecart attack is where a malicious actor injects malicious code (typically JavaScript) into the payment page or checkout of a website and then skim (steal) the data submitted. Targets can either be the retailer or an entity within the supply chain that supplies code to the retailer. Regardless, if customer data is stolen both the customer and the business's reputation will be harmed.
ince over 4,000 SMEs have been identified as vulnerable and compromised, there is a chance that your payment details or Personally Identifiable Information (PII) could have been stolen, making the holiday period far more stressful than it already can be. If you are an SME business owner, you could run into issues with upholding your reputation in the unfortunate circumstance where customer data has been stolen.
As a customer there are multiple avenues you can try to mitigate risk and remain vigilant:
If it sounds too good to be true, it probably is: Despite the tempting Black Friday, Cyber Monday and Christmas deals that you’re bound to see everywhere, always abide by the good old saying that “if a deal sounds too good to be true, then it probably is.” Trust your gut. If there’s a chance the offer isn’t legitimate then do your due diligence and make sure you are extra aware of the possibility that all is not as it seems.
Utilise third-party payment processing: Another step to try to mitigate any issues as a consumer, especially if you’re shopping with SME businesses, is to ensure a third-party payment processing vendor is used. PayPal and Amazon-Pay are just a couple of examples of these third-party payment options which are less likely to be targeted in an attack like Magecart due to their strong focus on ensuring safer transactions.
Be aware of the URL: Take extra care to be vigilant about the websites you’re visiting and purchasing from. One way you can do this is by ensuring the URL is what you expect it to be. For example, if you’re shopping on Amazon UK you would expect the URL at the top of the browser to say https://www.amazon.co.uk and not something like http://www.aamaz0n.gg. One major thing to pick out in the example is the ‘s’ in ‘HTTPS' which is an indication that the page is encrypted and much harder for cybercriminals to acquire your data when you’re on a vendor’s website.
If you’re the one managing the e-commerce platform then there’s a couple of things you can do, too. Ensure that the payment system in place is as up to date as it can be and make sure regular patch management is carried out to ensure known vulnerabilities are patched. From our experience, Plugins and Frameworks are both widely forgotten about when it comes to patch management meaning they are regularly exploitable.
To sum it up, the festive season is rife with cybercriminals targeting and exploiting consumers. There will be many incredibly enticing deals out there that make it easy to forget malicious entities exist, so take extra care to remain vigilant when buying online so you can mitigate the chance of being subjected to attacks like Magecart. And, if you’re on the business side, ensure that the necessary protections we’ve listed above are followed and do your part to make your customers feel safe shopping with you.