Black Friday Ecommerce Security Threats

The end of November is the peak season for holiday shopping, especially around Black Friday and Cyber Monday, a period that generally lasts from the end of November into the beginning of December.

Shoppers’ online behavior is changing, with online transactions now favored over traditional in-store retail purchases, and the line between Black Friday and Cyber Monday promotions has become increasingly blurred. A common trend among retailers is to extend promotional and sale pricing throughout this period, both to maximize their profits and to engage keen shoppers.

  • In fact, the total number of online sales for the 2018 holiday sale period was a record ~$7.9 billion, a nearly 20% increase from the previous year.
  • 2018 was also the first year in which half of online shoppers came from mobile devices, indicating a shift in consumer behavior.

Adobe’s analytics were particularly interesting, as they included a breakdown of 2018’s Cyber Monday online traffic sources.

While a social media presence has become a necessity for most online businesses, Adobe’s data shows that strong SEO and email advertising efforts continue to dominate during this period.

Emerging Ecommerce Threats
There are a number of threats that both online shoppers and webmasters must be aware of during the 2019 holiday season.

BOPIS Fraud

In-store card-present transactions leveraging stolen payment data have been on the decline ever since merchants and payment processors rolled out EMV-enabled payment cards and POS devices.

New consumer habits, such as buy online, pick up in-store (BOPIS), now allow customers to pick up products at a physical location after purchasing them on the retailer’s website, so these transactions are classified as card-not-present.

CNP vs CP Liability

It’s vitally important to differentiate between card-present and card-not-present transactions as they are key to determining who is liable for the fraudulent charges.
If all agreed-upon policies are followed, the liability falls on either the card issuer or the merchant:

Card-present – card issuer is liable for fraudulent charges
Card-not-present – merchant is liable for fraudulent charges

Since merchants offering BOPIS are liable for fraudulent transactions, it’s important that stringent authentication is put into place to ensure that purchased products are handed off only to authorized customers.

Unfortunately, there are still retail merchants that have little to no authentication process for in-person pickups, making them likely targets for abuse due to a lack of security controls.

EMV payment cards are (for the most part) safe from being cloned and used in card-present transactions, but their payment data can still be stolen through shimming. This method, which essentially lets scammers lift information from the EMV microchip on a chip card, yields stolen payment card data that can then be used in fraudulent activity such as purchasing items in card-not-present transactions.

E-skimming

E-skimming is a threat to any website that accepts payment cards. It involves the execution of malicious code under specific conditions — for example, only on the checkout page. This code captures the payment card data as customers enter it and transmits it to the attacker in real time.

How E-skimming Works

Much as with physical skimmers, transactions proceed normally, and most users won’t notice that their payment card information was stolen during the process. E-skimmers often load from a single domain that looks very similar to a legitimate one, and they frequently use cloaking techniques, such as not loading the e-skimmer at all if the visitor has the browser’s developer tools open when the infected page loads.

We’ve seen a variety of different e-skimmers impacting Magento websites for years, but throughout 2019 the most common credit-card-stealing malware we’ve found on infected eCommerce websites has been variants of this JavaScript e-skimmer:

This e-skimmer can disguise itself by loading from fake, legitimate-looking domain names.

In one case, this credit card stealer used google-analytîcs[.]com to trick site visitors into thinking it was just a Google service loading in the background, when it would actually load the JavaScript e-skimmer shown above.
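One defender-side check for the look-alike domain trick described above is to audit every script source on the checkout page against an allowlist and flag hosts that only match a trusted domain once accents and punycode are folded away. The following is an added example, not the post’s or Sucuri’s own code; the allowlist, the sample checkout HTML and the hostnames in it are constructed for this example.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the checkout page is expected to load scripts from (assumed allowlist for this example).
ALLOWED_HOSTS = {"shop.example", "www.google-analytics.com"}

def normalize_host(host):
    """Fold a hostname to its plain-ASCII look-alike: decode punycode, then strip accents."""
    try:
        host = host.encode("ascii").decode("idna")  # xn--... labels back to Unicode
    except UnicodeError:
        pass  # already contains raw non-ASCII characters; fold those below
    decomposed = unicodedata.normalize("NFKD", host)  # î -> i + combining circumflex
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()

class ScriptSrcCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []  # src attribute of every <script> tag, in page order

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src)

def audit_script_sources(html):
    """Return (src, host, verdict) per script; 'lookalike' is the e-skimmer signal to alert on."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        host = urlparse(src).hostname or ""  # '' for relative paths (same-origin scripts)
        if not host:
            verdict = "same-origin"
        elif host in ALLOWED_HOSTS:
            verdict = "allowed"
        elif normalize_host(host) in ALLOWED_HOSTS:
            verdict = "lookalike"  # accented or punycode twin of a trusted host
        else:
            verdict = "unknown"
        findings.append((src, host, verdict))
    return findings

# Constructed checkout page: one legitimate analytics tag, two look-alike loaders, one stray host.
PUNYCODE_TWIN = "www.google-analytîcs.com".encode("idna").decode("ascii")
SAMPLE_CHECKOUT_HTML = f"""
<script src="/js/checkout.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://www.google-analytîcs.com/analytics.js"></script>
<script src="https://{PUNYCODE_TWIN}/analytics.js"></script>
<script src="https://cdn.unknown-host.example/loader.js"></script>
"""
```

Running the audit over a saved copy of the live checkout page after every deploy, and alerting on any `lookalike` or `unknown` verdict, catches an injected loader even when the skimmer itself hides from developer tools.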

In fact, e-skimming threats have garnered so much attention that the FBI and US-CERT have released a warning about it for the 2019 holiday season, along with a PDF that does a good job explaining the risks to users.

Phishing

Phishing attacks continue to be a pervasive threat in 2019. Phishing campaigns can be distributed through a variety of methods, but are most commonly circulated via popular communication channels like email, SMS, and messaging applications like Facebook or Instagram.