The growing hacking threat to e-commerce websites, part 1
by Ilia Kolochenko - CEO at High-Tech Bridge SA - Tuesday, 17 December 2013.
Now, let’s speak about untargeted attacks, which are the most common today in the SMB sector. Cybercrime is a very big and fast-growing industry. Each byte of information has its price on the black and grey markets. Of course, one customer record from an online shop will hardly bring more than one penny, but a hundred records is already £1 (or even more), while a thousand records easily gives at least £10 (or much more, depending on the records’ “quality” and “completeness”).

How much will it cost to compromise Amazon? Several million GBP; moreover, you will need time, excellent technical skills and a bit of luck. Not many Black Hats have the necessary skills, time and resources to launch attacks against the biggest players of the e-commerce industry, so they prefer to compromise a dozen small and medium online shops per day and get their money on the “every little helps” principle.

How will they find your website on the Internet? Easily - Google is the best friend of hackers. Robots, hidden behind millions of proxies, crawl the World Wide Web 24/7/365 to find outdated versions of web application software or to brute-force default and weak passwords.

In untargeted attacks, hackers make money on quantity, not quality. I will not even list all the goals hackers may have for hacking your website: besides banal theft of your databases, they infect your website with malware to conduct drive-by attacks against your visitors and turn them into zombies to perform DDoS attacks, and may go as far as creating hidden sections with illicit content - for which you may be held responsible.

Web applications are one of the easiest and most popular attack vectors used by hackers today. During the last three years, High-Tech Bridge Security Research Lab has identified almost one thousand vulnerabilities in commercial and open-source web applications installed on tens of millions of active websites.

Unfortunately, hackers have much bigger resources and a predictable ROI (Return On Investment) that allow them to achieve much more impressive results. The number of web security incidents grows constantly, while the quality of web application coding and user awareness about security don’t keep up fast enough. Remember that Black Hats may always select your website as a target; moreover, one day they will do it, so it’s only a question of time. After a brief overview of attackers’ motivation in this first part, we will look at the most common web hacking techniques, countermeasures and the investigation process in the second part.

