
How to Protect Your Ecommerce Site From Holiday Hacks

Protect Your Ecommerce Site This Holiday

There have been an alarming number of security breaches covered by the news over the last year, from the Heartbleed vulnerability to the numerous breaches at USPS, Neiman Marcus, eBay, Home Depot, Target, and other retail businesses. According to Trustwave’s 2014 Global Security Report, 54% of the attacks that took place last year targeted ecommerce systems.

With the holidays looming on the horizon and your holiday traffic preparations underway, the last thing you want is a hacked site. Below are the five most common types of hacks that might affect ecommerce businesses this holiday season, compiled from OWASP (the Open Web Application Security Project) and the collective knowledge of our security experts. Learn more about these security risks so you can better protect your customers and ensure you have a successful holiday season.


Holiday Hack #1 – Injection

What Is It?
Injection attacks can cause data loss, data corruption, denial of access, and even a complete host takeover, any of which can damage your business’s reputation. Injection flaws are easy for attackers to find and are exploited relatively often. Injection-related attacks are regularly in the news, such as the recent attack disclosed by Milwaukee-based computer security company Hold Security, which discovered the theft of confidential information from nearly 420,000 websites carried out through SQL injection.

How Does It Work?
Untrusted data is sent to a web application as part of a command or query and tricks that application into executing unintended commands or accessing data it should not. These flaws are often found in legacy code wherever user input reaches SQL, LDAP, XPath or NoSQL queries, OS commands, XML parsers, SMTP headers, and similar interpreters.

How Do I Protect Myself?
Using a safe API (one that keeps untrusted data out of the query text itself) can prevent injection attacks, and protections such as ModSecurity for Apache can help in the case of SQL injection. However, it is also vitally important to keep your web applications updated, something that our Support can help you maintain. Outdated applications are particularly vulnerable to injection attacks.
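The difference between splicing untrusted input into a query and using a safe, parameterized API, shown as an added example (not code from this post or from our hosting platform) against a constructed in-memory product catalogue:

```python
import sqlite3

def build_db():
    """Constructed in-memory catalogue standing in for an ecommerce product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("A100", "Wool Scarf", 24.5), ("B200", "Gift Card", 50.0), ("C300", "Snow Globe", 12.0)],
    )
    return conn

def search_unsafe(conn, term):
    """Vulnerable form: the user-supplied term becomes part of the SQL text,
    so a term containing a quote character changes the query's structure."""
    sql = f"SELECT sku FROM products WHERE name = '{term}'"
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, term):
    """Hardened form: the term travels as a bound parameter and is only ever
    treated as data, whatever characters it contains."""
    sql = "SELECT sku FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]

# Constructed input that is not a product name; it only "matches" when the
# query text is built by string concatenation.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("unsafe:", search_unsafe(db, CRAFTED))  # every SKU leaks
    print("safe:  ", search_safe(db, CRAFTED))    # nothing matches
```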

Holiday Hack #2 – Authentication

What Is It?
Authentication exploits are widespread and can give attackers control of a legitimate user’s account from which to launch further attacks. One method attackers use to gain access to user accounts is a brute force attack, which involves rapid, repeated login attempts against your server. Attackers can also target session IDs, which keep track of users across multiple requests. Stolen session IDs can be reused to impersonate users on popular websites like Facebook and Google.

How Does It Work?
Attackers take advantage of exposed accounts, weak passwords, or other flaws in the authentication or session management functions to impersonate users. Such flaws can be found in the logout, password management, timeout, and account update functions, among others.

How Do I Protect Myself?
Protecting your application from session ID exploits requires a strong set of authentication and session management controls, secure communication, and secure credential storage. In addition, services like Brute Force Detection (BFD) watch your log files for failed login attempts and will block IP addresses that accumulate several in a short period of time.
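The kind of check a brute force detector performs, as an added example (not the BFD service’s own code): it parses constructed login log lines in an assumed format and reports IPs with a threshold of failures inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the format "<ISO timestamp> <ip> LOGIN <FAIL|OK> user=<name>"
# is an assumption for this example, not the layout of any real log.
SAMPLE_LOG = """\
2014-11-20T10:00:01 203.0.113.7 LOGIN FAIL user=admin
2014-11-20T10:00:03 203.0.113.7 LOGIN FAIL user=admin
2014-11-20T10:00:04 198.51.100.9 LOGIN FAIL user=alice
2014-11-20T10:00:05 203.0.113.7 LOGIN FAIL user=root
2014-11-20T10:00:06 203.0.113.7 LOGIN FAIL user=store
2014-11-20T10:00:08 203.0.113.7 LOGIN FAIL user=admin
2014-11-20T10:30:00 198.51.100.9 LOGIN FAIL user=alice
2014-11-20T10:45:00 198.51.100.9 LOGIN OK user=alice
"""

LINE_RE = re.compile(r"^(\S+) (\S+) LOGIN (FAIL|OK) user=(\S+)$")

def parse(lines):
    """Yield (timestamp, ip, outcome) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def ips_to_block(log_text, threshold=5, window_minutes=10):
    """Return IPs with at least `threshold` failed logins inside any span of
    `window_minutes`, using a sliding window over each IP's sorted failure times."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for ts, ip, outcome in parse(log_text.splitlines()):
        if outcome == "FAIL":
            failures[ip].append(ts)
    blocked = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                blocked.add(ip)
                break
    return sorted(blocked)

if __name__ == "__main__":
    print(ips_to_block(SAMPLE_LOG))  # only the rapid-fire source is listed
```

Two failures half an hour apart from the second IP stay under the default threshold, which is the distinction that keeps a forgetful customer from being blocked.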

Holiday Hack #3 – Cross-Site Scripting (XSS)

What Is It?
XSS is one of the most widespread security risks. Attackers hijack user sessions to deface websites, insert hostile content, conduct phishing and malware attacks, and more, all of which damage your website’s reputation. PayPal, as an example, has had to fix an XSS vulnerability in its site that allowed the execution of client-side script and the hijacking of browser cookies.

How Does It Work?
This attack exploits the trust a user’s browser places in your site. Attackers can send text-based attack scripts that, when your application includes them in a page without proper escaping, execute in the victim’s browser and hijack the user session.

How Do I Protect Myself?
Follow OWASP best practices to protect your application from XSS attacks, including properly escaping all untrusted data for the context in which it is rendered and applying whitelist input validation. In addition, maintaining updated web applications is extremely important because outdated applications are vulnerable to XSS attacks. Our Support can help you manage your many applications and their updates.
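The two OWASP controls named above, whitelist validation and contextual escaping, as an added example (not code from this post); the search-box allowlist pattern and the page fragments are assumptions made for the illustration.

```python
import html
import re

# Allowlist for a product search box: letters, digits, spaces and a little
# punctuation, capped at 64 characters. Anything else is rejected outright.
SEARCH_TERM_RE = re.compile(r"^[A-Za-z0-9 .,'-]{1,64}$")

def validate_search_term(term):
    """Whitelist check: True only when the term contains nothing but expected characters."""
    return bool(SEARCH_TERM_RE.match(term))

def render_results_unsafe(term):
    """Vulnerable form: reflects the untrusted term straight into the markup,
    so any tags in it become part of the page."""
    return f"<p>Results for: {term}</p>"

def render_results_safe(term):
    """Hardened form, element-body context: the term is escaped so the browser
    renders it as text and never as markup."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"

def render_search_box_safe(term):
    """Hardened form, attribute context: quote=True also escapes the quote
    characters, so the value cannot break out of the attribute."""
    return f'<input name="q" value="{html.escape(term, quote=True)}">'

def handle_search(term):
    """Defense in depth: reject input outside the allowlist, escape what passes.
    Returns None for rejected input so the caller can show a generic message."""
    if not validate_search_term(term):
        return None
    return render_results_safe(term)

if __name__ == "__main__":
    print(render_results_unsafe("<i>scarf</i>"))   # tags survive: the bug
    print(render_results_safe("<i>scarf</i>"))     # tags neutralised
    print(handle_search("wool scarf"))
```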

Holiday Hack #4 – Denial of Service (DoS)

What Is It?
Denial of Service (DoS) and its distributed form, Distributed Denial of Service (DDoS), are common attacks that let hackers bring down a network without needing any internal access. These attacks are particularly worrying because a slow, or even inaccessible, website during the holiday season can be devastating. Customers that have experienced debilitating DDoS attacks without the proper mitigation techniques in place have found themselves in desperate situations.

How Does It Work?
During a DoS attack, attackers flood the access routers with fake traffic until the system overloads and eventually fails. A DDoS attack involves coordinated attacks from many different sources.

How Do I Protect Myself?
The best way to mitigate a DDoS attack is to monitor incoming traffic. Our DDoS Attack Protection service differentiates between legitimate and malicious traffic: it analyzes traffic that attempts to reach the server and, when the traffic is determined to be malicious, routes it away so that only legitimate traffic gets through. DDoS Attack Protection can prevent the severe negative consequences of a debilitating attack.

Holiday Hack #5 – Security Misconfiguration

What Is It?
Misconfigured security settings are a frequent oversight when implementing web servers and applications. Because they are easy to exploit, attackers can gain unauthorized access to system data or server functionality, allowing them to steal or modify your data slowly over time. This can lead to a complete system compromise.

How Does It Work?
There are numerous ways attackers can exploit misconfigured settings, whether in the web server, application server, database, application framework, or custom code. They can exploit default accounts, unpatched flaws, unprotected files and directories, and more.

How Do I Protect Myself?
Making it fast and easy to deploy secure environments, keeping software updated, securely separating components, and periodically auditing your security all help avoid these threats, and our Support team can guide you through each of them. In addition, setting up a properly configured firewall will help you protect your entire hosting environment.

Our Support team is well versed in protecting our customers against these and other common security exploits. Knowing the importance of the upcoming holiday season for ecommerce businesses, we’re here to help you find out if you’re vulnerable and to implement protections for your sensitive data.