4.83 million DDoS attacks took place in the first half of 2020, a 15% increase

Attackers focused on COVID-era lifelines such as healthcare, e-commerce, and educational services with complex, high-throughput attacks designed to overwhelm and quickly take them down, Netscout reveals.

“The first half of 2020 witnessed a radical change in DDoS attack methodology to shorter, faster, harder-hitting complex multi-vector attacks that we expect to continue,” stated Richard Hummel, threat intelligence lead, Netscout.

“Adversaries increased attacks against online platforms and services crucial in an increasingly digital world, such as e-commerce, education, financial services, and healthcare. No matter the target, adversary, or tactic used, it remains imperative that defenders and security professionals remain vigilant in these challenging days to protect the critical infrastructure that connects and enables the modern world.”

Record-breaking DDoS attacks at online platforms and services

More than 929,000 DDoS attacks occurred in May, the largest number of attacks ever seen in a single month. 4.83 million DDoS attacks occurred in the first half of 2020, a 15% increase. During the peak pandemic lockdown months (March through June) the rise was even sharper, with DDoS attack frequency up 25%.

Bad actors focused on shorter, more complex attacks

Super-sized attacks using 15 or more vectors increased 2,851% since 2017, while the average attack duration dropped 51% from the same period last year. Moreover, single-vector attacks fell 43% while attack throughput increased 31%, topping out at 407 Mpps.

The increase in attack complexity and speed, coupled with the decrease in duration, gives security teams less time to defend their organizations from increasingly sophisticated attacks.

Organizations and individuals bear the cost of cyber attacks

To determine the impact that DDoS attacks have on global Internet traffic, the Netscout ATLAS Security Engineering and Response Team (ASERT) developed the DDoS Attack Coefficient (DAC). It represents the amount of DDoS attack traffic traversing the internet in a given region or country during any one-minute period.

If no traffic can be attributed to DDoS, the amount would be zero. DAC identified top regional throughput of 877 Mpps in the Asia Pacific region, and top bandwidth of 2.8 Tbps in EMEA. DAC is important since cybercriminals don’t pay for bandwidth. It demonstrates the “DDoS tax” that every internet-connected organization and individual pays.

Tracking global cybercrime activity and the impact on the digital economy

A LexisNexis Risk Solutions report tracks global cybercrime activity from January 2020 through June 2020. The period has seen strong transaction volume growth compared to 2019 but an overall decline in global attack volume. This is likely linked to growth in genuine customer activity due to changing consumer habits.

The report analyzes data from more than 22.5 billion transactions processed, a 37% growth year over year. Mobile device transactions also continue to rise, with 66% of all transactions coming from mobile devices in the first half of 2020, up from 20% in early 2015.

There’s also an uptick in transactions from new devices and new digital identities. This is attributed to many new-to-digital consumers moving online to procure goods and services that were no longer available in person or harder to access via a physical store, during the pandemic.

Attacks by region

The EMEA region saw lower overall attack rates in comparison to most other global regions from January through June 2020. This is due to a high volume of trusted login transactions across relatively mature mobile apps.

The attack patterns in EMEA were also more benign and had less volatility and fewer spikes in attack rates. However, there are some notable exceptions. Desktop transactions conducted from EMEA had a higher attack rate than the global average and automated bot attack volume grew 45% year over year.

The UK originates the highest volume of human-initiated cyberattacks in EMEA, with Germany and France second and third in the region. The UK is also the second largest contributor to global bot attacks behind the U.S.

One example of a UK banking fraud network saw more than $17 million exposed to fraud across 10 financial services organizations. This network alone consisted of 7,800 devices, 5,200 email addresses and 1,000 telephone numbers.

Decline in attack rate

The overall human-initiated attack rate fell through the first half of 2020, showing a 33% decline year over year. The breakdown by sector shows a 23% decline in financial services and a 55% decline in e-commerce attack rates.

Latin America experienced the highest attack rates of all regions globally and saw consistent growth in attack rates from March to June 2020. The attack patterns in North America and EMEA had less volatility and fewer spikes in attack rates over the six-month period observed.

Attack vector global view

Media is the only industry that recorded an overall year over year growth in human-initiated cyberattacks. There was a 3% increase solely across mobile browser transactions.

Globally, automated bots remain a key attack vector in the Digital Identity Network. Financial services organizations experienced a surge in automated bot attacks and continue to experience more bot attacks than any other industry.

Across the customer journey

New account creations see attacks at a higher rate than any other transaction type in the online customer journey. However, the largest volume of attacks targets online payments. Login transactions have seen the biggest drop in attack rate in comparison to other use cases.

Analysis across new customer touchpoints in the online journey is included in this report for the first time, providing additional context on key points of risk such as money transfers and password resets.

During COVID-19

All industries have felt the impact of COVID-19. There are clear peaks and troughs in transaction volumes coinciding with global lockdown periods.

Financial services organizations realized a growth in new-to-digital banking users, a changing geographical footprint from previously well-traveled consumers and a reduction in the number of devices used per customer. There have also been several attacks targeting banks offering COVID-19-related loans.

E-commerce merchants have seen an increase in digital payments and several other key attack typologies that coincide with the lockdown period. These included account takeover attacks using identity spoofing and more first-party chargeback fraud.

Rebekah Moody, director of fraud and identity at LexisNexis Risk Solutions, said: “The move to digital, for both businesses and consumers, has been significant. Yet with this change comes opportunity for exploitation. Fraudsters look for easy targets: whether government support packages, new lines of credit or media companies with fewer barriers to entry.”

Overconfident about their security, businesses are falling victims to bot attacks

Many businesses are at risk from bot attacks, despite an awareness of the problem and a widely held belief that they have the problem under control, Netacea reveals.

Global businesses at risk from bot attacks

The research surveyed businesses across the travel, entertainment, e-commerce and financial services sectors. It found a high awareness of how bot attacks could negatively affect a business, with over 70% understanding the most common attacks, including credential stuffing and card cracking, and 76% stating they have been attacked by bots.

However, these same businesses revealed that around 15% of their web application resources are taken up by bots. With over half of web traffic today generated by bots, this implies that businesses are unaware of a great deal of the bot traffic on their sites.

Businesses were also wholly unaware of the marketplaces where their customers’ usernames and passwords can be bought and sold, with only 1% of respondents being familiar with them.

Entertainment sites most confident

Online entertainment sites, including gaming and streaming, were the most confident in their association of a bot attack with an incident, with over half claiming not to have been attacked in the last year.

Just over 20% of e-commerce sites claimed to not have been affected, while financial services and travel sites were the most aware of the ubiquity of attacks—fewer than 5% said that they had not been the victim of an attack.

Lack of visibility may be down to a lack of responsibility

This lack of visibility may be down to a lack of responsibility: only one in ten businesses say that bot mitigation is the responsibility of a single department or person. Almost two thirds say it is the responsibility of four or more departments, making passing the problem along—or even ignoring it completely—much more of a possibility.

“Current circumstances mean that businesses are relying on their online presence more than ever before,” said Andy Still, CTO, Netacea. “This also means more opportunities for online criminal enterprises looking to increase their profits. And while the majority of businesses are not oblivious to the problem of bot attacks, the inevitable conclusion of this research is that this awareness is not leading to action.”

“High profile attacks, such as ransomware that locks down sites completely, have dominated the headlines recently, which may have led to this complacency. Bot attacks, while more subtle, can be just as devastating to a business, as accounts are stolen and sold on, card fees become crippling, and bad decisions are made on the basis of faulty data,” cautioned Still.

The research did reveal some good news—nearly all businesses were either investing in, or planning to invest in bot management, and almost none were cutting back on this vital security measure.

Magecart Group 8 skimmed card info from 570+ online shops

Your payment card information got stolen but you don’t know how, when and where? Maybe you shopped on one of the 570 webshops compromised by the Keeper Magecart group (aka Magecart Group 8) since April 1, 2017.

Magecart Group 8’s modus operandi and targets

The list of the online shops hit by the criminals has been released by researchers from Gemini Advisory, who managed to compile it after gaining access to the group’s dedicated attack server that hosts both the malicious payload and the exfiltrated data stolen from victim sites.

“Analysis revealed that the Keeper group includes an interconnected network of 64 attacker domains used to deliver malicious JS payloads and 73 exfiltration domains used to receive stolen payment cards data from victim domains.”

Their research also revealed that:

  • Over 85% of the victim sites ran on the Magento CMS, 5% on WordPress, and 4% on Shopify
  • The group tried to disguise its malicious attacker domains as legitimate services (e.g., the attacker domain closetlondon[.]org attempted to imitate closetlondon.com) and tried to imitate popular website plugins and payment gateways
  • The group occasionally used public and custom obfuscation methods to make the injected information-stealing JavaScript less noticeable and detectable
  • The majority of victim e-commerce sites were hosted in the U.S., followed by the U.K., the Netherlands, France, India, etc.

“The 570 victim e-commerce sites were made up of small to medium-sized merchants and were scattered across 55 different countries,” the researchers shared.

“Victims with the top Alexa Global Ranking received anywhere from 500,000 to over one million visitors each month and were responsible for selling electronics, clothing, jewelry, custom promotional products, and liquor.”

The attackers likely targeted small and medium-sized retailers because they are less likely to have a dedicated IT security team, to implement CMS and plugin patches promptly, and to have security measures in place and attack detection capabilities.

The profitability of Magecart attacks

The researchers estimated that the group may have generated over $7 million USD from selling compromised payment cards between 2017 and today.

“With revenue likely exceeding $7 million and increased cybercriminal interest in CNP [Card Not Present] data during the COVID-19 quarantine measures across the world, this group’s market niche appears to be secure and profitable,” they noted, and said that they expect the group to continue launching increasingly sophisticated attacks against online merchants across the world.

It is unknown if the group is state-sponsored or not. While we may think of Magecart groups as “mere” cyber criminals, Sansec researchers recently tied one of them to a North Korean APT group.

For the end users – i.e., the online shoppers – it’s all the same and, unfortunately, there is little they can do to protect themselves against the threat of getting their payment card info skimmed.

Avoiding smaller sites/shops might be a good idea, and so is using browser plugins that prevent JavaScript loading from untrusted sites, but there is no 100% guarantee.

Magento 1 reaches EOL: Merchants urged to upgrade or risk breaches, falling out of PCI DSS compliance

When Adobe released security updates for Magento last week, it warned that the Magento 1.x branch is reaching end-of-life (EOL) and end-of-support (EOS) on June 30, 2020, and that those were the final security patches available for Magento Commerce 1.14 and Magento Open Source 1.

Unfortunately, there are still too many (over 100,000) active Magento 1.x installations. The company is urging their owners and admins to migrate to Magento 2.x or risk being hit once another critical and easily exploited vulnerability is unearthed and its existence made public.

About Magento

Magento is a very popular open-source e-commerce platform that powers many online shops, a fact that hasn’t gone unnoticed by cyber criminals.

Nearly four years ago (and possibly even earlier), cyber crooks started concentrating on breaching Magento-based shops and injecting them with scripts that quietly grabbed users’ personal information and payment card data and sent it to a server they controlled.

Since then, the tactic has been used and continues to be used by many cyber criminal groups, which have been classified by security companies as “Magecart” attackers. As they are quick to exploit newfound vulnerabilities in the Magento core and third-party extensions, hardly a day passes without news about another online shop having been compromised.

If you decide to stick with Magento 1

“If you have a store that continues to run on Magento 1 after June 30, please be aware that from that date forward you have increased responsibility for maintaining your site’s security and PCI DSS compliance,” Adobe warned.

Merchants that continue to use an unsupported Magento 1 version will have to implement compensating controls to re-certify PCI DSS compliance, such as signing up for and implementing third-party fixes and updates, continuously scanning their installations for malware, vulnerabilities and unauthorized accounts, using a web application firewall, and so on.

“General security vulnerabilities tend to increase the longer software is unsupported as hackers continue to use new technologies and techniques for exploitation. This raises the risk of attacks and security breaches over time and increases the possibility of exposing personally-identifiable customer data,” Adobe explained.

Companies risk their reputation, the trust of their customers, fines and may even lose their credit card processing ability if they fail to protect user information.

Another thing: the end of support for Magento 1 also means that some extensions merchants use will not be available anymore.

“We encourage Magento 1 merchants to download the Magento 1 extensions they plan to keep, since Magento 1 extensions will not be available in the Magento Marketplace after July 7, 2020, and will be removed from the Magento repository after August 6, 2020,” Adobe noted last week.

Magento 2 or something else?

PayPal, Visa and other payment processing companies and payment platforms have also been urging merchants to make the switch to Magento 2.

Even though Magento 2 was released five years ago, and even though the migration from Magento 1 to Magento 2 can be performed using an official Data Migration Tool, the number of Magento 2 installations is still lagging (it’s currently around 37,500 installations).

As “painful” and costly as it may be, this EOL will hopefully push many of them to finally make the switch – or make the switch to an alternative platform.

“2020 has been a tumultuous year for retailers. Merchants should not have to worry about security issues or upgrading their ecommerce platform while they are in the middle of adapting to drastically changed consumer behaviors and expectations. Amidst the list of business-critical priorities a merchant needs to focus on, worrying about what’s happening with a Magento migration or installation should not be included,” noted Jimmy Duvall, Chief Product Officer at BigCommerce.

80% of consumers trust a review platform more if it displays fake reviews

Many people are using COVID-19 quarantine to get projects done at home, meaning plenty of online shopping for tools and supplies. But do you buy blind? Research shows 97% of consumers consult product reviews before making a purchase.

Fake reviews are a significant threat for online review portals and product search engines given the potential for damage to consumer trust. Little is known about what review portals should do with fraudulent reviews after detecting them.

A research study looks at how consumers respond to potentially fraudulent reviews and how review portals can leverage this information to design better fraud management policies.

“We find consumers have more trust in the information provided by review portals that display fraudulent reviews alongside nonfraudulent reviews, as opposed to the common practice of censoring suspected fraudulent reviews,” said Beibei Li of Carnegie Mellon University.

“The impact of fraudulent reviews on consumers’ decision-making process increases with the uncertainty in the initial evaluation of product quality.”

Fake reviews aid decision making

A study conducted by Li alongside Michael Smith, also of Carnegie Mellon University, and Uttara Ananthakrishnan of the University of Washington, says consumers do not effectively process the content of fraudulent reviews, whether it’s positive or negative. This result makes the case for incorporating fraudulent reviews and doing it in the form of a score to aid consumers’ decision making.

Fraudulent reviews occur when businesses artificially inflate ratings of their own products or artificially lower the ratings of a competitor’s product by generating fake reviews, either directly or through paid third parties.

“The growing interest in online product reviews for legitimate promotion has been accompanied by an increase in fraudulent reviews,” continued Li. “Research shows about 15%-30% of all online reviews are estimated to be fraudulent by various media and industry reports.”

Platforms don’t have a common way to handle fraudulent reviews. Some delete fraudulent reviews (Google), some publicly acknowledge censoring fake reviews (Amazon), while other portals, such as Yelp, go one step further by making the fraudulent reviews visible to the public with a notation that it is potentially fraudulent.

The study used large-scale data from Yelp to conduct experiments measuring trust, and found that 80% of the users surveyed agree they trust a review platform more if it displays fake review information, because businesses are less likely to write fraudulent reviews on such platforms.

Transparency over censorship

Meanwhile, 85% of users surveyed believe they should have a choice in viewing truthful and fraudulent information, and that platforms should leave it to consumers to decide whether they use fraudulent review information in judging the quality of a business.

The study also finds that consumers tend to trust the information provided by platforms more when the platform distinguished and displayed fraudulent reviews from nonfraudulent reviews, as compared to the more common practice of censoring suspected fraudulent reviews.

“Our results highlight the importance of transparency over censorship and may have implications for public policy. Just as there are strong incentives to fraudulently manipulate consumer beliefs pertaining to commerce, there are also strong incentives to fraudulently manipulate individual beliefs pertaining to public policy decisions,” concluded Li.

When this fraudulent activity information is made available to all consumers, platforms can effectively embed a built-in penalty for businesses that are caught writing fake reviews.

A platform may admit to users that there is fraud on its site, but that is balanced by an increase in trust from consumers who already suspected that some reviews may be fraudulent and now see that something is being done to address it.

Magecart attackers hit Claire’s, Intersport web shops

Magecart attackers have compromised web shops belonging to large retail chains Claire’s and Intersport and equipped them with payment card skimmers.

Claire’s

The compromise of Claire’s online store and that of its sister brand Icing has been flagged by Sansec researchers.

The skimmer was served from a domain made to look like it might belong to the company (claires-assets.com), and it was added to the two online stores between April 25th and 30th.

“The malware was added to the (otherwise legitimate) app.min.js file. This file is hosted on the store servers, so there is no “Supply Chain Attack” involved, and attackers have actually gained write access to the store code,” the researchers pointed out.

“The skimmer attaches to the submit button of the checkout form. Upon clicking, the full ‘Demandware Checkout Form’ is grabbed, serialized and base64 encoded. A temporary image is added to the DOM with the __preloader identifier. The image is located on the server as controlled by the attacker. Because all of the customer submitted data is appended to the image address, the attacker now has received the full payload. Immediately, the image element is removed.”

How the attackers managed to compromise the web shops is still unknown, but they started planning the attack a month before actually executing it. In fact, they registered the malicious domain a day after Claire’s announced that it would temporarily close all of its brick and mortar stores due to COVID-19.

Intersport

ESET researchers have pointed out the compromise of Intersport’s web store and said that the company fixed the issue within several hours of ESET letting them know.

Sansec researchers say that an initial hack happened on April 30th and another one on May 14th.

Only the localized Intersport web shops serving customers from the Balkans region have been compromised.

What now?

It is still unknown how long the skimmers went unnoticed.

None of the compromised web shops sport a prominent notification about the breach and payment card info theft. Claire’s notified the payment card networks and law enforcement, and let’s hope they will contact affected customers directly once they determine the extent of the compromise and theft.

Companies should have protections in place to notice this and other types of breaches soon after they happen, but unfortunately many don’t.

If you’re paying for your purchases with payment cards – whether online or in physical stores – you should regularly check your account statements for unauthorized charges and report them quickly.

What’s trending on the underground market?

Trust has eroded among criminal interactions, causing a switch to e-commerce platforms and communication using Discord, which both increase user anonymization, Trend Micro reveals.

Popular underground goods and services

The report reveals that determined efforts by law enforcement appear to be having an impact on the cybercrime underground. Several forums have been taken down by global police entities, and remaining forums experience persistent DDoS attacks and log-in problems impacting their usefulness.

Loss of trust led to the creation of a new site, called DarkNet Trust, which was set up to verify vendors and increase user anonymity. Other underground markets have launched new security measures, such as direct buyer-to-vendor payments, multi-signatures for cryptocurrency transactions, encrypted messaging, and a ban on JavaScript.

Trends for cybercrime products and services

The report also illustrates the changing market trends for cybercrime products and services since 2015. Commoditization has driven prices down for many items. For example, crypting services fell from $1,000 to just $20 per month, while the price of generic botnets dropped from $200 to $5 per day.

Pricing for other items, including ransomware, Remote Access Trojans (RATs), online account credentials and spam services, remained stable, which indicates continued demand.

However, there has been a high demand for other services, such as IoT botnets, with new undetected malware variants selling for as much as $5,000. Also popular are fake news and cyber-propaganda services, with voter databases selling for hundreds of dollars, and gaming accounts for games like Fortnite can fetch around $1,000 on average.

Other underground market trends

Other notable findings include the emergence of markets for:

  • Deepfake services for sextortion or to bypass photo verification requirements on some sites.
  • AI-based gambling bots designed to predict dice roll patterns and crack complex Roblox CAPTCHA.
  • Access-as-a-Service to hacked devices and corporate networks. Prices for Fortune 500 companies can reach up to US$10,000 and some services include access with read and write privileges.
  • Wearable device accounts where access could enable cybercriminals to run warranty scams by requesting replacement devices.

Underground market trends will likely shift further in the months following the global COVID-19 pandemic, as attack opportunities continue to evolve. To protect against the ever-changing threat landscape, it is recommended to implement a multi-layered defense approach to protect against the latest threats and mitigate corporate security risk.

Pandemic driving global e-commerce growth, but fraud is on the increase too

The COVID-19 crisis is driving the global growth of e-commerce sales, with millions of consumers worldwide in quarantine shopping for goods, services and entertainment online.

Transaction volumes in most retail sectors have seen a 74 percent rise in March compared to the same period last year, while online gaming has seen a staggering increase of 97 percent, according to analysis by ACI Worldwide of hundreds of millions of transactions from global online retailers.

“During these unprecedented and uncertain times with millions now at home, many consumers are going online to purchase products or services,” said Debbie Guerra, executive vice president, ACI Worldwide.

“Quarantine has changed lives for all of us, with consumers buying electronics and furniture—to support work, communication, school and entertainment—as well as items such as home goods and DIY products.”

However, fraud is on the increase too, the research shows, as fraudsters are using the surge in online activity to target unsuspecting consumers and merchants.

Merchants are starting to experience dramatic increases in COVID-19-related phishing activities, with stolen credentials released into the e-commerce payments chain, as well as increased friendly fraud activities.

“Fraudulent attempts are on the rise, and consumers must be vigilant as fraudsters are using the current situation to obtain and use their financial data and information,” continued Guerra.

Key findings

Online retailer sectors with rising transaction volumes in March 2020 compared to the previous year include:

  • Home products and furnishings: +97 percent
  • DIY products: +136 percent
  • Garden essentials: +163 percent
  • Electronics: +26.6 percent
  • Telco: +18.6 percent

Online retail sectors with declining transaction volumes in the same period:

  • Ticketing: -60 percent
  • Travel: -44 percent
  • Online dating: -8.9 percent

Fraud trends

  • The average value of an attempted fraudulent purchase increased by $36 in March, driven by electronics and retail goods; this corresponds to a 13 percent increase in attempted fraudulent transaction value.
  • The volume of attempted fraudulent transactions decreased by 8 percent, driven by the increase in attempted fraudulent purchase value.

“Long term, we and others in the industry predict that the shift in consumer behavior—opting for online purchases—is likely to outlast the crisis,” concluded Guerra.

“The industry is well ahead of the curve in adapting payment methods and ways to combat fraud in response to the changing behaviors and expectations of consumers, which are now being expedited by the lockdown.”

Tips for consumers to protect identity and personal information

  • Beware of online requests for personal information. Coronavirus-themed emails seeking personal information are likely to be phishing scams. Legitimate government agencies won’t ask for that information. Delete the email.
  • Check the email address or link. Inspect a link by hovering the mouse pointer over it to see where it leads. Sometimes, it’s obvious the web address is not legitimate. But keep in mind phishers can create links that closely resemble legitimate addresses. Delete the email.
  • Watch for spelling and grammatical mistakes. If an email includes spelling, punctuation and grammar errors, it’s likely a sign of a phishing email. Delete the email.
  • Look for generic greetings. Phishing emails are unlikely to use a person’s name. Greetings like “Dear sir or madam” often signal an email is not legitimate.
  • Avoid emails that insist you act now. Phishing emails often try to create a sense of urgency or demand immediate action. Delete the email.

Tips for merchants to maintain security and deliver to customers

Maintain security and deliver a great customer experience, as consumer purchasing behavior—both genuine and fraudulent—has changed.

  • For example: Express shipment and Buy-Online Pickup In-Store delivery methods in the last two weeks have tripled, making transaction decision speed and accuracy critical.
  • Use customer profiling and time-on-file techniques to maintain the customer experience for valued customers and ensure good transactions are still accepted.

Expect an increase in friendly fraud chargebacks as a result of growing financial difficulties among consumers. Friendly fraud occurs when a cardholder receives goods, but denies making a purchase, or a family member makes a purchase without cardholder approval.

  • Monitor systems and update as necessary. Business intelligence tools and real-time monitoring lead to immediate decisions and responses. Employ rapid access to fraud intelligence to inform rules changes in real time.
  • Engage frequently with web and mobile site security management. Give these teams the tools, techniques and procedures to detect, contain and mitigate botnets. And considering the presence of both good and bad bots, put business policies in place to address this issue with clarity for both teams.

Online payment fraud attempts see 73% increase

Online payment fraud attempts increased by 73 percent in 2019, according to a report from Sift.

Additional findings in the report reveal that cybercriminals are using mobile devices more than desktops or laptops to commit payment fraud. In fact, though Windows is the top single operating system for fraudsters, iOS and Android combine to make up more than half of attempted fraudulent transactions.


And while, unsurprisingly, the number one most targeted industry vertical in 2019 was physical e-commerce, business services, digital e-commerce, education, and on-demand services all fell within the top ten fraudiest verticals.

New ways to pay, new ways to steal

The most common payment type associated with fraud? Not credit cards. In fact, credit cards were beaten out by promotions/coupons, cryptocurrency, digital wallets, and even “pay with cash” options that are popular with some on-demand services.

Fraudsters swing for the fences

Rather than trying to avoid detection with smaller purchases, fraudsters look for larger scores, with fraudulent order values reaching three times the price of legitimate purchases on average.

Trying to game the system

The largest attempted purchase on Sift’s platform in 2019 was for a video game power-up sold on an online marketplace. The attempted payment was $1 million, and, though obviously fraudulent, it demonstrates some of the new methods bad actors are employing in order to steal from businesses.


Summer is the holiday shopping season for fraudsters

Fraudsters don’t wait until the winter holidays to kick their scams into high gear. Rather, payment fraud attempts peak during the summer months.

Working on the weekend

Saturdays had the highest instances of payment fraud attempts of any day of the week.

Magento patches critical code execution vulnerabilities, upgrade ASAP!

Adobe-owned Magento has plugged multiple critical vulnerabilities in its eponymous content management system, the most severe of which could be exploited by attackers to achieve arbitrary code execution.


About the fixed vulnerabilities

According to the newest Magento-themed security bulletin (now published as an Adobe security bulletin), three of the six fixed flaws are critical and three are important.

In the “critical” category are a deserialization of untrusted data (CVE-2020-3716) and a security bypass (CVE-2020-3718) that could lead to arbitrary code execution, and an SQL injection (CVE-2020-3719) that could be exploited to leak sensitive information.

In the “important” category are two stored cross-site scripting flaws (CVE-2020-3715, CVE-2020-3758) and a path traversal (CVE-2020-3717) vulnerability, all of which could lead to sensitive information disclosure.

All of these have been patched in:

  • Magento Commerce versions 2.3.4 and 2.2.11
  • Magento Open Source versions 2.3.4 and 2.2.11
  • Magento Enterprise Edition (EE) version 1.14.4.4
  • Magento Community Edition (CE) version 1.9.4.4

At the moment, there is no indication that any of these might be actively exploited by attackers. Nevertheless, users/admins are advised to update their installations as soon as possible.

Magento shops are a major target

Magento is one of the most popular open-source e-commerce platforms out there, but web stores running it have unfortunately become a prime – though not exclusive – target for card-skimming cybercriminals (aka Magecart attackers).

Vulnerabilities in the Magento core are just one vector through which attackers can gain access to online shops to insert card-skimming code into them. Other avenues of attack include bugs in popular extensions and plug-ins, phishing emails lobbed at site admins, and compromise of third parties that serve scripts on the target site(s).

Nearly half of consumers worry about being tricked by fraudsters this holiday season

There has been a 29% increase in suspected online retail fraud during the start of the 2019 holiday shopping season compared to the same period in 2018, and a 60% increase in suspected e-commerce fraud during the same period from 2017 to 2019, according to iovation.


The findings are based on the online retail transactions analyzed for its e-commerce customers between Thanksgiving and Cyber Monday over the last three years.

“Among the conclusions from TransUnion’s 2019 Holiday Retail Fraud Survey: nearly half of all consumers, 46%, are concerned with being victimized by fraudsters this holiday season with baby boomers being the most concerned of any generation at 54%,” said TransUnion Senior VP of Business Planning and Development, Greg Pierson.

Additional findings: Online retail fraud increase

Suspected fraudulent e-commerce transactions as a percentage of all transactions, during the start of the holiday shopping season and for the entire year, over the past three years:

  • 15% from Nov. 28 to Dec. 2, 2019. 10% so far in 2019.
  • 13% from Nov. 22 to Nov. 26, 2018. 11% all of 2018.
  • 11% from Nov. 23 to Nov. 27, 2017. 7% all of 2017.

The top days during the start of the 2019 holiday shopping season for legitimate and suspected fraudulent online retail transactions:

  • Thanksgiving, Nov. 28: 16% of legitimate holiday weekend transactions (#5). 17% of suspected fraudulent holiday weekend transactions (#4-tie).
  • Black Friday, Nov. 29: 26% of legitimate holiday weekend transactions (#1). 25% of suspected fraudulent holiday weekend transactions (#1).
  • Saturday, Nov. 30: 19% of legitimate holiday weekend transactions (#3). 19% of suspected fraudulent holiday weekend transactions (#3).
  • Sunday, Dec. 1: 17% of legitimate holiday weekend transactions (#4). 17% of suspected fraudulent holiday weekend transactions (#4-tie).
  • Cyber Monday, Dec. 2: 22% of legitimate holiday weekend transactions (#2). 21% of suspected fraudulent holiday weekend transactions (#2).

The countries and U.S. cities from which the highest percentage of suspected fraudulent e-commerce transactions originated during the start of the 2019 holiday shopping season:

Country

  • China: 57%
  • Central African Republic: 57%
  • Lebanon: 45%

U.S. city

  • Boardman, Oregon: 70%
  • Pineville, Louisiana: 42%
  • Alexandria, Louisiana: 38%


Mobile transaction and fraud trends

The survey also found that consumers used a mobile phone or tablet for 63% of their online retail transactions during the start of the 2019 holiday shopping season. That is up from 58% for the same period in 2018 and 56% for the same period in 2017.

For the holiday shopping weekend, retail transactions from a mobile phone compared to all e-commerce transactions were:

  • 64% on Thanksgiving, Nov. 28
  • 63% on Black Friday, Nov. 29
  • 67% on Saturday, Nov. 30
  • 66% on Sunday, Dec. 1
  • 57% on Cyber Monday, Dec. 2

“Year after year it becomes clear that when not at work, consumers increasingly prefer using their mobile devices to make retail purchases due to their convenience,” said iovation’s Senior Director of Customer Success, Melissa Gaddis. “Once at work when they’re at their desk, consumers turn to their desktop and laptop computers to make purchases.”

Fraudsters, who always try to emulate the purchasing patterns of trusted consumers, also prefer mobile for fraudulent online retail transactions. A mobile phone or tablet appeared to be used for 63% of all suspected fraudulent e-commerce transactions during the long holiday shopping weekend, compared to 59% for the same period in 2018 and 51% for the same period in 2017.

As the online shopping season begins, consumers worry about cybercrime

A majority of U.S. consumers plan to do most of their holiday shopping online for the first time ever, yet a survey from F-Secure finds that most internet users remain concerned about their exposure to cybercrime.

Major consumer trends

The survey of shoppers highlighted 3 major trends among American consumers: Bank account hacking and data breaches are the biggest worries on the web. 62% are either worried or extremely worried about a hacker taking over … More


Cybercriminals targeting e-commerce website vulnerabilities this holiday season

Expect unprecedented levels of online data theft this holiday season due to a lack of deployed client-side security measures.


Disturbing lack of security measures

Tala Security highlights the widespread vulnerability resulting from integrations that enable and enhance website functionality. These integrations, which exist on nearly every modern website operating today, allow attackers to target PII and payment information.

98% of the Alexa 1000 websites were found to be lacking security measures capable of preventing attacks. In related warnings, both the FBI and the PCI Council cautioned that hackers are targeting online credit card information.

“Online merchants and website owners must recognize the critical need for client-side security. The fundamental driver of online commerce — consumer trust — is at stake as attackers target widespread client-side vulnerabilities to steal credentials, credit card numbers, financial data and other PII,” said Aanand Krishnan, CEO and co-founder of Tala Security.


Key findings from the survey

  • Only 2% of Alexa 1000 sites have implemented effective controls to prevent personal, financial and credential theft.
  • User data submitted through forms, which appear on 98% of websites, is exposed to 10 times more domains than the website owner intended. This creates a massive opportunity for data theft by attackers.
  • The average website relies on 31 third-party integrations, which provide nearly two-thirds of the content customers view on their browsers. This content is delivered via client-side connections that lack effective security controls.
  • Most consumers will be surprised to learn that only one-third of the content rendering on their browser is owned, created and served by the owner of the website. The remaining two-thirds is served via client-side connections that lack effective security.
  • Although 27% of website owners attempt to deploy security measures, only 2% succeed in deploying effective policies capable of preventing client-side attacks.
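The exposure these findings quantify can be measured on your own pages. The script below is an added example (not Tala Security's or Help Net Security's code) that inventories which hosts a page's scripts, frames and forms reach and reports the third-party share. The sample HTML and hostnames are constructed, and treating subdomains of the site as first-party is an assumption.

```python
# Added example (not Tala Security's tooling): which hosts do a page's scripts, frames and forms reach?
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

LOAD_ATTRS = {"script": "src", "iframe": "src", "form": "action"}  # tag -> URL attribute

class OriginCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.hits = base_url, []  # hits: (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in LOAD_ATTRS:
            return
        value = dict(attrs).get(LOAD_ATTRS[tag])
        if value:  # inline <script> has no src and is skipped
            self.hits.append((tag, urljoin(self.base_url, value)))

def inventory(html, base_url):
    # Per-tag first/third-party counts and the set of third-party hosts; subdomains count as first-party.
    site_host = urlsplit(base_url).hostname
    collector = OriginCollector(base_url)
    collector.feed(html)
    report = {"by_tag": {}, "third_party_hosts": set()}
    for tag, url in collector.hits:
        host = urlsplit(url).hostname
        if not host:  # javascript: or data: URLs have no host
            continue
        party = "first" if host == site_host or host.endswith("." + site_host) else "third"
        report["by_tag"].setdefault(tag, Counter())[party] += 1
        if party == "third":
            report["third_party_hosts"].add(host)
    return report

def third_party_share(report, tag):
    # Fraction of a tag's loads that reach third-party hosts (0.0 if the tag never appears).
    c = report["by_tag"].get(tag, Counter())
    return c["third"] / (c["first"] + c["third"]) if c["first"] + c["third"] else 0.0

# Constructed sample storefront; the hostnames are placeholders, not real sites.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/bundle.js"></script>
<script src="https://analytics.example.net/tag.js"></script>
<script>console.log('inline, no src');</script>
</head><body>
<form action="/checkout"><input name="card"></form>
<form action="https://pay.example.com/submit"><input name="card"></form>
<iframe src="https://ads.example.net/frame"></iframe></body></html>"""
```

Run `inventory(SAMPLE_HTML, "https://shop.example/")` to get the counts; every third-party host it lists is one the page's visitors send requests to, and any of them that also runs script can read what the user types into the checkout form.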