One thing is for sure—online shopping sure is convenient. All tucked into bed, armed with a credit card and wearing your comfy pajamas is certainly a far cry from driving or taking the bus to a public brick-and-mortar shop where you will likely encounter a million obstacles and possibly not even find the size, color, or style of whatever you are looking for. Indeed, for people living in small towns, with limited physical shops available, shopping online is basically essential unless they are willing to drive hours to the nearest mall.
While it’s true the vast majority of transactions made through online retail giants like Amazon and eBay are typically done without any cybersecurity incidents, the reality of possible cyber attacks is quite real. And if it happens to you, you’ll soon discover the effects can be devastating. Fraudulent purchases made with your credit card, identity theft, and breaching your sensitive financial data are all possible risks when you shop in your jammies.
According to Experian, online shopping fraud attacks increased by 30% between 2016 and 2017. And shipping fraud, which happens when a cyber attacker replaces someone’s delivery address in an online shopping order with their own location, increased by 37% from 2016 to 2017. When a cyber attacker uses a victim’s mailing address to ship stolen goods, a trick known as bill fraud, increased by 34% over the same time period. Overall, identity theft affected a whopping 16.7 million American consumers during 2017, a statistic recently reported by Javelin Research.
In case you’ve forgotten, let’s check out the three major online cyber attacks on retailers over the past few years:
The Disastrous Zappos Data Breach
In January 2012, online shoe retailer Zappos suffered a massive data breach. Potentially sensitive data on approximately 24 million customers was leaked to cyber attackers. The breached data included names, addresses, and phone numbers—but thankfully, no credit card data was breached. Zappos was careful to keep sensitive financial data encrypted and separated from where customer name, address, and phone number data was stored.
That sort of data is still very useful to cyber attackers who want to engage in identity fraud. When Zappos discovered the breach, they immediately emailed all of their registered customers to inform them of the incident. The email suggested they reset their customer account passwords and create all new ones for their site. It further stated, “We also recommend that you change your password on any other website where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an email. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a website where you are asked to provide personal information.”
That was a good part of their incident response. But cybersecurity experts didn’t feel Zappos handled the breach as well as they could. In fact, Francoise Gilbert of the IT Law Group was quoted as saying, “There are some things, such as closing down the phone lines, that make us question whether there was any preparation for any type of security breach.”
A number of lawsuits from data-breached customers soon latched onto Zappos, and the online retailer tried to send the lawsuits to arbitration based on a legal clause in their user agreement. But the user agreement was implemented by saying that users of their site automatically agreed to it by choosing to shop, without requiring explicit, clickthrough consent to the contract. The contact also said, “we reserve the right to change…these terms and conditions at any time.” So ultimately, the court decided the Zappos’ arbitration clause wasn’t legally binding, thereby allowing their data-breached customers to sue the retailer directly.
Construction Materials Online SQL Injection Attack
A SQL injection attack is when malicious code is entered through a web form in order to cyberattack a website’s backend scripting. On May 6 of 2014, the company known as Construction Materials Online was successfully exploited in precisely that way. The unencrypted details of 669 customers, including names, addresses, account numbers, and security codes, were breached. So, why did the Construction Materials Online store expose such sensitive data in plaintext? Turns out, insecure web development code made the attack possible.
The Information Commissioner’s Office (ICO) eventually penalized the retailer with a fine of£55,000, labeling them as negligent. ICO’s Steve Eckersley explained, “When people handed over their personal financial information, they rightly expected it to be safe. Construction Materials Online did not keep it safe and, as a result, exposed its customers to potential fraud. Its failure to make cybersecurity a top priority has proved a costly mistake.”
The FedEx Phishing Attack
Sometimes, online shoppers can be attacked without completing an actual transaction! A phishing attack was reported in December 2016 where the cyber attacker pretended to be from FedEx. Using a Punycode exploit to spoof Unicode characters, the cyber attacker’s “http://fedex-international.com.xn-sicherheit-schlsseldienst-twc.de/track” URL was displayed in their phishing emails as the more legitimate looking “http://www.fedex.com/us/track.”
Microsoft’s Office 365 software-as-a-service was fooled by the spoofed URL. Targeted users were sent phishing emails which said that FedEx had an important package waiting for them. Targets were directed to a phishing website which spoofed Office 365’s web interface. From there, users were fooled into providing their Office 365 passwords, which the cyber attacker then grabbed for their unauthorized use.
JD Norman Industries’ Matt Litchfield said about the attack, “The email scanners and threat protection provided by Microsoft are not stopping the latest phishing emails from getting into our organization. We are experiencing phishing emails that target my users’ Office 365 credentials. These types of attacks represent a very serious security concern for my organization. I no longer believe that Office 365 email scanning offers sufficient protection from phishing attacks by itself; we must layer additional security on top of what Microsoft already provides to ensure a comprehensive email security solution.”]
Google is now trying to figure out how they can drop the use of URLs in Google Chrome altogether, as their attempt to prevent phishing attacks.