The holiday hackers are coming for your website — are you protected?

The holiday season is almost upon us, marking one of the busiest times of the year for online sales. While businesses and consumers alike are preparing for the festivities, there’s another group making their own holiday preparations — cybercriminals. 

‘Tis the season for automated fraud and web skimming attacks

Over the years, cyber-grinches have been steadily upping the ante, becoming smarter and harder to detect through the use of sophisticated human-looking bots and malicious JavaScript for web skimming attacks like those carried out by Magecart.

And the payoffs during this time of year are high — according to Deloitte, nearly 60 percent of shoppers will spend their holiday budgets online rather than shopping in a store, and the average household is planning to spend almost $1,500 this season. 

Over the past year, the Instart Threat Response and Intelligence team has identified two key attack vectors being used by bad actors: bot attacks and web skimming attacks.

Bad bots are poised to ruin holiday shopping for companies and customers

Automated traffic is now almost 40 percent of internet traffic, and bad bots account for over half of automated traffic. 

There are several ways bad bots tend to try and steal from online businesses during the holiday season: 

  • Credential stuffing attacks use bots to replay stolen username and password pairs against login forms, continuously and automatically, until one pair grants access. Since 51 percent of people reuse the same password across multiple sites, this is an easy way for attackers to take over accounts.
  • Account takeover (ATO) fraud is the act of taking over an account (often through credential stuffing) for malicious purposes. Around 40 percent of all account access attempts online are now high risk, and losses from fraudulent online transactions are expected to reach $25.6 billion by 2020.
  • Automated fraud such as gift card fraud is another popular holiday bot attack. Typically, bots are used to automate guesses at gift card numbers in order to drain legitimate gift card balances, and they can make over 100 attempts per second.
  • Inventory holding attacks are particularly troublesome during the holidays, especially for companies offering promotions with limited availability. Bots buy or hold the entire available stock of a "limited" item, such as a best-selling toy, which is then resold at a higher price.
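The three automated patterns above (credential stuffing, gift card number guessing, and the distributed low-and-slow variant of account takeover) leave recognisable traces in ordinary server logs. The following detector is an added example and not Instart's code; the log format, the `/login` and `/giftcard/balance` paths, the sample lines and the thresholds are all assumptions made for the example. It flags an IP that tries many distinct identifiers with a high failure ratio inside a short window, and separately flags an account that accumulates failed logins from many different IPs, which a per-IP rate limit alone would miss.

```javascript
// Added example, not Instart's code: flagging credential stuffing, gift-card
// enumeration and low-and-slow account targeting in web-server logs.
// Log format, paths, sample lines and thresholds are assumptions for this example.

// Constructed sample log: "<epoch seconds> <client ip> <path> <account or card id> <result>"
const SAMPLE_LOG = (() => {
  const t = 1574800000, lines = [];
  // Bot A: 12 different accounts tried from one IP in 22 seconds, one of them hits
  for (let i = 0; i < 12; i++)
    lines.push(`${t + 2 * i} 203.0.113.7 /login user${i}@example.com ${i === 5 ? 'OK' : 'FAIL'}`);
  // Bot B: sequential gift-card numbers probed from one IP, 15 in 14 seconds
  for (let i = 0; i < 15; i++)
    lines.push(`${t + i} 198.51.100.9 /giftcard/balance 6019${1000 + i} FAIL`);
  // Low-and-slow: one account attacked from six IPs, ten minutes apart
  for (let i = 0; i < 6; i++)
    lines.push(`${t + 600 * i} 192.0.2.${10 + i} /login victim@example.com FAIL`);
  // A real user who mistypes twice and then succeeds
  lines.push(`${t + 5} 192.0.2.50 /login bob@example.com FAIL`,
             `${t + 20} 192.0.2.50 /login bob@example.com FAIL`,
             `${t + 30} 192.0.2.50 /login bob@example.com OK`);
  return lines;
})();

function parseLine(line) {
  const [ts, ip, path, id, result] = line.trim().split(/\s+/);
  return { ts: Number(ts), ip, path, id, result };
}

// Per IP, a sliding window: many distinct identifiers with a high failure ratio in a
// short span is the signature of automated guessing. Per account: failures from many
// IPs catch the distributed, low-rate variant that per-IP limits do not see.
function detect(lines, opts = {}) {
  const { windowSec = 60, minRequests = 10, minDistinctIds = 5,
          minFailRatio = 0.8, minIpsPerAccount = 5 } = opts;
  const events = lines.map(parseLine).sort((a, b) => a.ts - b.ts);
  const byIp = new Map(), failIpsByAccount = new Map();
  for (const e of events) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
    if (e.path === '/login' && e.result === 'FAIL') {
      if (!failIpsByAccount.has(e.id)) failIpsByAccount.set(e.id, new Set());
      failIpsByAccount.get(e.id).add(e.ip);
    }
  }
  const findings = [];
  for (const [ip, evs] of byIp) {
    let j = 0;
    for (let i = 0; i < evs.length; i++) {
      while (j < evs.length && evs[j].ts - evs[i].ts <= windowSec) j++;   // advance window end
      const win = evs.slice(i, j);
      if (win.length < minRequests) continue;
      const ids = new Set(win.map(e => e.id));
      const failRatio = win.filter(e => e.result === 'FAIL').length / win.length;
      if (ids.size >= minDistinctIds && failRatio >= minFailRatio) {
        const kind = win[0].path === '/giftcard/balance' ? 'giftcard-enumeration'
                                                          : 'credential-stuffing';
        findings.push({ kind, ip, requests: win.length, distinctIds: ids.size, failRatio });
        break;   // one finding per IP is enough to act on
      }
    }
  }
  for (const [id, ips] of failIpsByAccount)
    if (ips.size >= minIpsPerAccount)
      findings.push({ kind: 'account-targeted', id, ips: ips.size });
  return findings;
}

console.log(detect(SAMPLE_LOG));
```

On the constructed log this reports one credential-stuffing IP, one gift-card enumeration IP and one targeted account, while the user who mistyped a password twice is not flagged. The thresholds are the knobs a practitioner tunes against real traffic; a bot that rotates IPs per request will only show up in the per-account view, which is why both are kept.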

All of the above damage the consumer experience, and failing to secure your web apps against bad bots can also harm your brand reputation and cost you revenue. 


A strong bot management solution, specifically those aimed at detecting sophisticated bots, is the best way to mitigate the threat of bad bots. Instart Bot Management offers industry-leading protection against bot activity with technology that collects signals across both the client and server to validate users and their browsers to ensure they are human. 

By blocking sophisticated bots, you will mitigate the risk of credential stuffing, ATO fraud, gift card fraud, and inventory holding attacks having a negative impact on your apps, your customers, or your brand during the holidays — and throughout the rest of the year. 

E-skimming is making headlines — stop Magecart from ruining the holiday spirit 

Recently, Macy’s announced that some of its customers’ online payment information was stolen in a web skimming attack carried out by Magecart. Web skimming, also known as e-skimming, is an attack that inserts skimming code into a site’s JavaScript so that it can monitor payment forms and other web forms and steal sensitive information such as names, birth dates, and credit card numbers. 


Magecart web skimming attacks have been disclosed at Ticketmaster, British Airways, and Newegg, and earlier this year it was reported that Magecart had infected over 2 million websites. The attack has become so prevalent that the FBI has issued a warning to both public and private enterprises in the United States about the dangers of e-skimming. 

And with the holiday shopping season ahead, this will be prime time for web skimming attacks —  according to Adobe, online sales in the United States will reach a record-breaking high of $143 billion for the 2019 holiday season. 

Unfortunately, today’s attack surface extends to everything outside the web application firewall, including browser-side code such as JavaScript that attackers can (and will) discover. Companies must protect not only their first-party infrastructure but also the customer data handled in the browser. The best defense against web skimming is to prevent all unauthorized JavaScript access to sensitive data, whether it sits in form fields or in website cookies. 

Instart Web Skimming Protection intercepts all API calls from any JavaScript in the browser and automatically blocks access to all HTML form fields and cookies, unless they have been given explicit permission. This zero-trust approach prevents any script, whether malicious, infected, or non-critical, from gaining access to sensitive customer data and protects your apps, your customers, and your brand from a breach.
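The mechanism described in the last two paragraphs, a guard that sits in front of form-field and cookie reads, attributes each read to the script performing it and allows only explicitly permitted scripts, can be shown in a few dozen lines. The block below is an added example and not Instart's code. It runs under Node with a minimal stand-in for the DOM; in a browser the same `guard()` call would be applied to `HTMLInputElement.prototype` for `value` and `Document.prototype` for `cookie`. The first-party origin, the allow-listed analytics URL, the skimmer URL, the use of a `//# sourceURL` comment to give each "script" the URL a browser would report in stack frames, and the choice to return an empty string on a blocked read are all assumptions made for the example.

```javascript
// Added example, not Instart's code: a zero-trust guard over form-field and cookie
// reads that attributes each read to the script making it and consults an allowlist.
// Runs under Node with a minimal DOM stand-in; in a browser the same guard() call
// would target HTMLInputElement.prototype 'value' and Document.prototype 'cookie'.
// Origins, script URLs and the blocked-read behaviour ('' is returned) are assumptions.

const FIRST_PARTY_ORIGIN = 'https://shop.example';                      // hypothetical
const ALLOWED_SCRIPTS = new Set(['https://cdn.example/analytics.js']);   // hypothetical
const audit = [];   // every intercepted read: { prop, caller, verdict }

// Minimal stand-ins for the DOM objects being protected.
class FakeInput {
  constructor(name, value) { this.name = name; this._v = value; }
  get value() { return this._v; }
  set value(v) { this._v = v; }
}
const fakeDocument = {
  _c: 'session=s3cr3t; cart=42',
  get cookie() { return this._c; },
  set cookie(v) { this._c = v; },
};

// Attribute a guarded read to the script that performed it by parsing Error().stack.
// Browsers report each frame's script URL; loadScript() below tags its scripts with a
// //# sourceURL comment so V8 reports them the same way here.
function callerLocation() {
  const frames = (new Error().stack || '').split('\n').slice(1);
  for (const line of frames) {
    if (line.includes('callerLocation') || line.includes('guardedGet')) continue;
    const m = line.match(/\(?(\S+?):\d+:\d+\)?$/);
    return m ? m[1] : 'unknown';
  }
  return 'unknown';
}

// Zero trust: only the page's own origin and explicitly allowed script URLs may read.
function policy(caller) {
  let url;
  try { url = new URL(caller); } catch (e) { return 'block'; }   // unattributable: deny
  if (url.origin === FIRST_PARTY_ORIGIN) return 'allow';
  return ALLOWED_SCRIPTS.has(url.href) ? 'allow' : 'block';
}

// Wrap an accessor so every read is attributed, logged and policy-checked first.
function guard(target, prop) {
  const desc = Object.getOwnPropertyDescriptor(target, prop);
  Object.defineProperty(target, prop, {
    configurable: true,
    get: function guardedGet() {
      const caller = callerLocation();
      const verdict = policy(caller);
      audit.push({ prop, caller, verdict });
      return verdict === 'allow' ? desc.get.call(this) : '';   // blocked reads see ''
    },
    set: function (v) { desc.set.call(this, v); },
  });
}
guard(FakeInput.prototype, 'value');
guard(fakeDocument, 'cookie');

// Compile a script body under a URL, as the browser does for <script src=url>.
function loadScript(src, url) {
  return (0, eval)(`(${src})\n//# sourceURL=${url}`);
}

const card = new FakeInput('cardnumber', '4111111111111111');   // constructed test value

// The shop's own checkout code: first party, allowed to read the card field.
const checkout = loadScript(
  'function checkout(card) { return card.value.length === 16 ? "submitted" : "invalid"; }',
  FIRST_PARTY_ORIGIN + '/checkout.js');
// An allow-listed analytics script: may read the cookie.
const analytics = loadScript(
  'function analytics(doc) { return doc.cookie.split(";").length; }',
  'https://cdn.example/analytics.js');
// A Magecart-style skimmer served from an attacker host: tries to read both.
const skim = loadScript(
  'function skim(card, doc) { return card.value + "#" + doc.cookie; }',
  'https://evil.example/skim.js');

function runCheckout()  { return checkout(card); }            // "submitted"
function runAnalytics() { return analytics(fakeDocument); }   // 2
function runSkimmer()   { return skim(card, fakeDocument); }  // "#": nothing to exfiltrate
function blockedReads() {
  return audit.filter(e => e.verdict === 'block').map(e => `${e.caller} ${e.prop}`);
}

console.log(runCheckout(), runAnalytics(), JSON.stringify(runSkimmer()), blockedReads());
```

Two points a practitioner should take from this. First, the attribution step is the hard part: stack-trace parsing is what the guard has to trust, so the policy denies anything it cannot attribute rather than letting it through. Second, the audit log is as valuable as the block itself, because a new script URL showing up with `block` verdicts on the checkout page is exactly the signal that tells you a skimmer has been injected.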


*** This is a Security Bloggers Network syndicated blog from Instart blog RSS authored by Elle Poole Sidell. Read the original post at:
