There’s a trio of eCommerce cybersecurity statistics released in 2021 that you should know—and if you aren’t already sitting down, you may want to. According to research conducted by cybersecurity company Imperva:
When many people think of cybercriminal activity, scams like “phishing” often come to mind. These attacks remain a threat that will target your staff, but your Adobe Commerce site must be able to identify and deter bot attacks.
One aspect that makes bot attacks so difficult to defend against is their varying levels of sophistication, as the most advanced bots can mimic organic mouse movement and clicks, among other techniques, to evade detection.
On top of evasive attack bots, the diverse motivations behind their usage significantly complicate how or what to defend. For example, cybercriminals may use bots to steal or target:
In recent years, one of the most infamous cybercriminal groups to target eCommerce—and Magento (now Adobe Commerce), in particular—has been “Magecart.”
The name, which refers to both the group and the injected code that serves as their standard attack method, is even a portmanteau derived from “Magento” and “shopping cart.” This is due to one of the group’s most devastating attacks, which was executed on online retailers still utilizing Magento 1 in summer 2020 despite its then-new status as legacy software.
Upon reaching “end-of-life,” over 2,800 eCommerce storefronts relying on Magento 1 fell victim to the widespread Magecart attack. In this instance, referred to as “Cardbleed,” Magecart exploited a “zero-day” vulnerability to connect to the admin panel and deliver malware. “Zero-day” refers to cybersecurity vulnerabilities that are unknown by the software provider and support community or that are known but lack a corrective patch or update.
Once Magento 1 became legacy software and no longer received updates, the hackers struck.
Magecart’s techniques generally involve JavaScript (JS) injections—mentioned above as the most common OWASP-defined threat according to Imperva’s statistics. Magecart injections collect payment information via e-skimmers. Some injections rely on bot-driven deployment, and most target third-party payment integrations on eCommerce sites.
After cybercriminals have obtained stolen financial data, their activity often progresses to bot-driven “carding” efforts to determine the information’s viability.
By targeting commonly used integrations, or the “software supply chain,” Magecart can bypass your cybersecurity and compromise your site via third-party connections. All of your site integrations must be thoroughly evaluated pre-implementation to ensure the coding and provider should be trusted.
If you’re an eCommerce business still operating on Magento 1, contact us to discuss migrations options to the current 2.4 version for significantly improved cybersecurity.
Carding is the verification method many cybercriminals use to determine whether stolen payment card data can still be used. To do so, the stolen card numbers are used on eCommerce sites, typically via small-value purchases. Criminal activity aside, you stand to suffer from financial and related penalties if your digital storefront is used to perform carding, as hackers will commonly file chargebacks and similar disputes.
Since cybercriminals are attempting to check large card volumes, bots are usually employed to automate carding efforts.
If you’ve noticed the following suspicious activity occurring on your eCommerce site, cybercriminals may be using your payment processing for carding:
While some transactions may inadvertently give off the implications of carding, having to assess potential false positives is substantially more secure than risking your site hosting active criminal activity.
Adobe regards cybersecurity as a “shared responsibility model,” in that digital storefront operators bear certain responsibilities to safeguard themselves.
Guidance documentation regarding cybersecurity best practices for Adobe Commerce / Magento functions as a quick checklist you can follow to better ensure your site’s security:
Periodically running through this cybersecurity checklist and following the Adobe Magento Best Practices Guide will help deter cybercriminals from targeting your eCommerce site. If you need help with secure configuration or implementation, we’re here to help.
You should keep in mind that, while Adobe lists the above as cybersecurity “best practices,” some are explicitly stated requirements of the Payment Card Industry Data Security Standard (PCI DSS). For example, changing all vendor-supplied security configurations and passwords and partnering with an approved third party to perform quarterly vulnerability scans are both included within the PCI DSS’ 12 Requirements and numerous sub-requirements.
The PCI DSS applies to any organization collecting, processing, transmitting, or storing cardholder data. Therefore, all eCommerce merchants must adhere to the compliance framework. Importantly, regardless of any third-party service provider’s own PCI DSS compliance, your organization also remains culpable should a breach of cardholder data occur—even if the provided service is identified as being at fault.
We can’t stress evaluating your integrations and providers pre-implementation enough.
While PCI DSS compliance efforts may seem burdensome, strict internal enforcement will significantly bolster your Adobe Commerce / Magento site’s security—in addition to helping you avoid non-compliance fines and penalties.
Unfortunately, cybercrime is all too prevalent, and online retailers are no exception. To best protect yourself, you need to remain up-to-date on the latest threats and vulnerabilities you face, as well as ensure that all cybersecurity measures have been implemented, configured, and continue to operate properly.
Adobe’s own documentation and the PCI DSS compliance framework provide two of the best guidance materials you can reference.
Outside of explicit cybersecurity solutions and services, DotcomWeavers will develop, launch, and support your eCommerce site without exploitable loose ends. Our 14-year track record of success and achievement as a Silver Partner within the Adobe Solution Partner Program (SPP) are a testament to that.
We leverage our team’s extensive experience to provide best-fit Magento Commerce solutions to your business challenges, whether they apply to your entire industry or your uniquely complex company.
Enhance customer experience with precise SKU search, reduce bounce rate, and boost retention through user-friendly databases.
Maximize tech capabilities with seamless ERP integrations via APIs, XML, and file import/export for unified data visibility.
Streamline browsing while inspiring creativity, showcasing diverse customization options in an easily navigable eCommerce platform.
Address B2B customer needs throughout the buying journey with tailored pathways, from easy checkout to personalized assistance.