E-Commerce Fraud Up 178% Ahead of Holiday Shopping

December 22, 2021 @ 3:00 PM
| |
2 min read

The number of malicious shopping-related websites increased 178% ahead of the 2021 holiday shopping season, according to Check Point Research. See how to recognize and prevent e-commerce fraud.

A Spike in E-Commerce Fraud Websites

Beginning in October, Check Point Research observed an average of 5,300 malicious e-commerce fraud websites emerge each week. That marks a rise of 178% compared to the average for the rest of the year.

The impact of those websites also began to pick up in that period. Earlier in the year, the sites affected one of 352 corporate networks. That impact rose to one in 47 in October. At the beginning of November, it was one in 38.

Those websites involved various types of malicious activity. In one attack campaign, for instance, Check Point Research witnessed malicious actors send out emails advertising “Cheap HandBags” and “Up to 80% OFF Michael Kors HandBags”. Those e-commerce fraud emails contained a link to similar websites hosted on or around Oct. 19.

Another attack campaign sent out a fake “Urgent notice” from an online retailer. The email informed the recipient that the online retailer had failed to renew their account. It contained a link that redirected recipients to a website designed to steal their account credentials.

What E-Commerce Attacks Mean for Security

Over the course of 2021, Imperva observed that bot attacks on retail websites increased 13% compared to the same months in the previous year.

Over half (57%) of those attacks on e-commerce websites involved bots, the security firm found. By comparison, bots were behind just a third of attacks on the sites of other industries in 2021.

Bots weren’t the only drivers of e-commerce fraud in 2021, either. At the beginning of December, for instance, Bleeping Computer reported that attackers were using a threat called NginRAT to target the remote access capabilities provided by Nginx servers and to conduct server-side attacks for the purpose of stealing users’ payment card data.

NginRAT appeared on e-commerce servers in North America and Europe that digital attackers had previously infected with CronRAT.

Looking ahead, the rest of the 2021 holiday season isn’t expected to improve for shopping-related websites. Per Zscaler, security researchers estimate that HTTPS threats on e-commerce platforms will grow 314% through the rest of the year.

How to Defend Against E-Commerce Fraud This Holiday Season

In response to the attacks discussed above, organizations can use security awareness training to educate employees about potentially malicious e-commerce websites.

Teams can focus on cultivating their employees’ suspicions of lookalike domains pretending to be retailer websites, holiday shopping offers that appear too good to be true and password reset emails that arise out of nowhere.

In addition, adopt a multifaceted approach to endpoint security that monitors for inappropriate device behavior and controls access to resources. Such methodology can help you quickly respond to instances of malicious e-commerce sites carrying ransomware or other types of digital threats.

David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...
read more