How to Protect Your E-Commerce Store from Criminals

Contributed content / By Graeme Caldwell / 23 July 2019

Even the most sophisticated e-commerce stores are vulnerable to cybercrime. As online criminals and their methods become more sophisticated, businesses must secure their e-commerce stores or risk data breaches or worse.

Online crime is a lucrative industry, and e-commerce stores are one of the most profitable targets. A compromised Magento or WooCommerce store is a treasure trove of data such as credit card details, which can be stolen with a few lines of JavaScript once an attacker gains access to the store. 

But how do criminals get access to e-commerce stores in the first place?

To do anything useful with an online store, attackers must be able to run code, either remotely or by infecting the store with malicious software. 

To do that, hackers need access to the store. Gaining access requires the ability to tell the store or one of its components to carry out their commands, to save a file in just the right place, to make a network call to a server they control, or to serve malware to the store’s customers.

There are many techniques available to hackers to achieve the access they need, but the majority of compromised sites are breached by attacks that fall into one of these categories. 

To protect your store, you need to understand how it is vulnerable and what you can do to mitigate the risk.

Update to Fix Software Vulnerabilities

An e-commerce application is a complex piece of software that relies on many other complex pieces of software, from extensions to the database to the operating system’s kernel.

Hackers can exploit programming mistakes in any of the components that are exposed to the web to gain access. Updating your store can prevent hackers from exploiting these vulnerabilities.

Late last year, for example, a critical vulnerability was discovered in Ultimate Member, a WordPress plugin many WooCommerce stores used. This type of vulnerability – an unauthenticated arbitrary file upload – allowed anyone to upload a file by making a specially crafted request over the web. 

The attackers uploaded a file with code embedded in it, executed that code, and installed a backdoor into the site. 

Other types of software vulnerability can be used to carry out attacks on a store, including SQL injection attacks, cross-site scripting attacks that steal credentials, and remote code execution attacks.

Developers fix vulnerabilities quickly after discovery, but your store doesn’t get the fixes unless you update. Out-of-date stores with known vulnerabilities are a significant cause of breaches.

Take Care When Installing Third-Party Software

Every e-commerce store depends on third-party software, whether it’s plugins, databases, JavaScript libraries, or utility programs.

This software is installed from the servers of trusted vendors, CDNs, or developers, often without ever being inspected. If an attacker can compromise one of these software extensions, they can compromise hundreds or thousands of downstream users.

Compromising stores via extension requires less time and effort on the part of the attacker. They could compromise one server and inject malicious software into an extension, which would then be installed on a thousand stores.

Supply chain attacks have become more popular over the past couple of years. According to TrendMicro, many MageCart victims were compromised via attacks against third-party vendors, including advertising scripts and extensions.

E-commerce store owners can prevent such attacks by following the steps below.

Train Employees to Recognize Phishing Attacks

Phishing attacks are a type of cyberattack in which a trusted user is manipulated into giving sensitive information to a criminal. 

Basic phishing attacks use fake emails to influence an employee to click on a link or run a program that installs malware. They may also try to influence the victim to enter usernames and passwords into a fake website under the attacker’s control.

[Image: fake Amazon Prime phishing email]

This image shows a fraudulent email claiming to be from Amazon Prime. The email body contains typos (misspelling Amazon as AMAZ0N) and comes from an email address other than @amazon.com.

A targeted phishing attack — also known as spear phishing — uses personal information such as first names, company names, or email addresses in an attempt to earn a user’s trust. Spear phishing might look like this. 

[Image: Gmail spear phishing email example]

In the example above, a criminal claiming to be from Google sends an email to an employee at a company. At first glance, the email appears to be from a Gmail bot asking the employee to confirm account ownership by clicking on a fraudulent link. 

The employee, afraid of angering his or her manager, sends the password. Just like that, the criminal has access to the store.

Phishing attacks, particularly highly targeted spear-phishing attacks, are devastating and effective. Employees have handed over authentication credentials, sensitive data, and millions of dollars as a result of phishing attacks. 

The best way to protect your store is to train employees to recognize potential phishing attacks and understand the risk of clicking links in emails from unknown senders. Encourage employees to question their managers when they get unusual instructions over email or social media. 

Protect Against Brute Force, Dictionary, or Credential Stuffing Attacks

Brute force, dictionary, or credential stuffing attacks are sophisticated guessing games in which the attacker tries to guess a username and password that will grant them access to a system. 

In a brute force attack, the attacker enters random combinations of characters until they find one that works. 

Brute force attacks take a long time, however, leading criminals to prefer dictionary attacks, which use large dictionaries of passwords harvested from leaked password databases.

Credential stuffing attacks also take advantage of stolen credentials, like this data dump of 700 million stolen email and password records, to gain access to popular websites.

People tend to use the same email and password on several sites, and, if you have hundreds of millions of genuine authentication credentials, there’s a strong chance that you’ll be able to gain access to an account on any moderately popular web service with at least one of them.
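The difference between these guessing attacks shows up in login logs, and a defender can label it per source address. The following is an added example, not part of the original article; the log format, the addresses (documentation ranges) and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed login events: "<ISO time> <source IP> <username> <OK|FAIL>".
SAMPLE_LOG = "\n".join(
    [f"2019-07-23T10:00:{i:02d} 203.0.113.5 admin FAIL" for i in range(6)]
    + [f"2019-07-23T10:05:{i:02d} 198.51.100.7 user{i}@example.com FAIL" for i in range(6)]
    + ["2019-07-23T10:09:00 192.0.2.10 alice@example.com FAIL",
       "2019-07-23T10:09:20 192.0.2.10 alice@example.com OK"]
)

def classify_sources(log_text, min_failures=5):
    """Label each source IP by the guessing pattern its failed logins show."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> username -> failed attempts
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, ip, user, result = parts
        if result == "FAIL":
            failures[ip][user] += 1
    verdicts = {}
    for ip, per_user in failures.items():
        total = sum(per_user.values())
        if total < min_failures:
            verdicts[ip] = "normal"  # e.g. a user mistyping a password once
        elif len(per_user) == 1:
            verdicts[ip] = "brute force or dictionary"  # many passwords, one account
        elif total / len(per_user) <= 2:
            verdicts[ip] = "credential stuffing"  # many accounts, one or two tries each
        else:
            verdicts[ip] = "mixed guessing"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(ip, verdict)
```

Per-source counting only covers attempts that arrive from a single address, so it complements rather than replaces the two-factor authentication recommended in this section.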

Two-factor authentication (TFA) is the best way to combat all of these “guessing” attacks. Criminals can’t take over a store with guessed authentication credentials if they also need a one-time password from a TFA service.

Retailers are often unwilling to implement TFA because it can negatively impact conversions, but that’s no excuse to leave administrative accounts unprotected.

Avoid Storing Passwords on Insecure Servers

Accidentally exposing sensitive data is quite common, especially exposing secrets that allow hackers to gain access to a store. 

Sensitive data can be exposed in many ways, from storing passwords on insecure servers or in text files saved on easily lost mobile devices to uploading database passwords to public version control repositories.

The latter bears a closer examination because it’s an easy mistake to make. Last year, security researcher Vladimír Smitka discovered that more than 400,000 websites, including e-commerce sites, were uploading their .git directory to their web server. 

The .git directory is used by the Git version control system to manage software versions. It should never be uploaded to a publicly accessible server because, at best, it contains sensitive information about the store’s structure and the software it uses and, at worst, it contains database passwords, API keys, and private keys.

Sensitive data such as passwords should never be stored in version control, even when the .git directory isn’t uploaded to the web server for everyone to see.
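A pre-deployment check can catch both mistakes described above: a .git directory inside the web root and secrets sitting in deployed files. The following is an added example, not part of the original article; the regex patterns, file names and sample values are constructed assumptions.

```python
import os
import re
import tempfile

# Illustrative patterns (assumptions, not an exhaustive rule set) for the secrets
# the article names: database passwords, API keys and private keys.
SECRET_PATTERNS = {
    "private key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "password assignment": re.compile(r"(?i)\b(?:db_)?pass(?:word)?\b\s*[=:]\s*\S+"),
    "API key assignment": re.compile(r"(?i)\bapi[_-]?key\b\s*[=:]\s*\S+"),
    "credentials in URL": re.compile(r"://[^/\s:@]+:[^/\s@]+@"),
}

def audit_web_root(web_root):
    """Return sorted (relative_path, finding) tuples for a directory about to be deployed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        if ".git" in dirnames:
            git_dir = os.path.relpath(os.path.join(dirpath, ".git"), web_root)
            findings.append((git_dir, "exposed .git directory"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(1_000_000)  # cap the read size for large files
            except OSError:
                continue
            for label, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    findings.append((os.path.relpath(path, web_root), label))
    return sorted(findings)

def build_sample_root(base):
    """Create a constructed sample web root with a .git directory and a config file."""
    os.makedirs(os.path.join(base, ".git"))
    samples = {
        os.path.join(".git", "config"): '[remote "origin"]\n\turl = https://deploy:EXAMPLE-TOKEN@git.example.invalid/shop.git\n',
        "settings.ini": "db_password = EXAMPLE-ONLY\n",
        "index.html": "<h1>Shop</h1>\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(base, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, finding in audit_web_root(build_sample_root(tmp)):
            print(f"{path}: {finding}")
```

Running it against the real build output before each upload turns the finding list into a deployment gate: an empty list means neither mistake was detected by these patterns.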

If You Can’t Secure Your Store, Hire Someone Who Can

Your website's security is complex, and it’s easy to expose sensitive data if you don’t know what you’re doing. 

Online criminals love little more than an insecure e-commerce store. If you don’t understand why and how they’re going to come at you, you stand little chance of keeping the store or your customers safe.

In this article, we’ve covered some of the most important attack vectors. It’s worth taking a moment to consider how much of a risk they pose to your business.

Unless you understand the complicated technical risks, hire an experienced cybersecurity firm, or use a managed e-commerce hosting provider that offers hardened infrastructure and support for security issues. 
