Digital Fraud

Virtual Stores: A Pot of Gold for Cybercriminals

By TheHack.com.br

It’s strange these days to imagine someone driving to a physical store to purchase a cell phone or some type of trendy gadget. Ever since virtual stores—also known as e-commerce—have become popular, it’s been much easier (and often cheaper) to buy consumer products. You just go to the site, choose the item you want and pay using a payment card, bank transfer or credit card. Social networks and reviews on specialized webpages help with choices and play the role of store clerk whenever the consumer has questions.

But it’s not all rosy. Since the dawn of humankind, merchants have constantly had to deal with robbery, shoplifting and fraud. There was never any reason to believe that things would be any different on the Internet. With the advent of e-commerce, specific cyber security risks have also arisen within that industry. Since it’s increasingly easy to create a virtual store, merchants don’t always respect the basic principles of cyber security.

It’s easy to understand why e-commerce was the second-leading target for phishing attacks in 2018. With 6,000 occurrences identified by Axur, this sector trailed only the financial segment, which registered an incredible 10,000 threats. Virtual stores are easy and lucrative targets for cybercriminals, who are using a series of techniques that cause both material and non-material damage (especially for small sites, which are often developed with little diligence and without the solutions necessary for digital data protection).

 

Paradise for scammers


There are several reasons why e-commerce is so attractive for those wanting to carry out scams online. Let’s look at a few examples:

  • An easy swindle: Commerce in stolen or cloned credit cards is a reality and you already know that. That being the case, all someone needs is a hijacked card to buy items from a store and have them delivered to the comfort of their own home. If a certain site has anti-fraud mechanisms, just look for another; there are thousands selling the same product. By the same token, if the card is refused, a hacker will have no difficulty getting another one and continuing to try until he’s successful.
  • Low security: Of course, the large retailers invest appropriately in information security, but the same cannot be said for “mom and pop” stores. As we mentioned before, these days there are dozens of ready-made services and platforms that allow you to effortlessly create an e-commerce website from scratch. Unfortunately, those who go that route usually forget to protect themselves right from the start against an attack from malicious actors.
  • Great risk-benefit ratio: An unsuccessful scam will rarely have any negative consequences for the criminal. Hackers know they’re unlikely to be arrested. Even a successful scam can take months before it’s identified, and then it’s too late to track the culprit or recover losses. So, this is a low-risk practice that offers great financial rewards.
  • Status symbol: Just like so-called “conventional” criminals, cybercriminals also love to show off their life as outlaws. It’s easy to find scammers bragging in closed forums or communities after they’ve gotten luxury items—the latest cell phone, fashion clothing, imported watches—from a given store. The more successful their scams, the more status, fame and respect they receive within the cybercrime “scene.”

Together, those factors (and a few others) make e-commerce a true pot of gold for those who want to make easy profits by injuring third parties on the Internet. The characteristics of this sector make it seductive even for those who are just getting started in the world of cybercrime, since many of the scams don’t require great ability or technical knowledge to be carried out.

 

The creativity of a criminal mind


Take phishing on e-commerce for example. There, the criminal just needs to build or buy a ready-made fake screen that perfectly simulates the targeted store’s product page. Then all that’s needed is to send an email inviting victims to access that screen and encourage them to purchase the item (that doesn’t even exist). All the money goes to the scammer, while the consumer will wait forever for their purchase to be delivered. This situation damages both the Internet user and the digital presence of the real store.

Exploitation of gift cards is also becoming increasingly common. Since it’s not necessary to prove your identity in order to use them, they can be stolen, sold and exchanged on the deep web. These days, the most skilled criminals can counterfeit a store’s gift cards indefinitely if they manage to learn the algorithm used by the retailer to generate the theoretically random codes on each card. It’s a scam that can cost the enterprise millions in financial losses.
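The defensive side of the gift-card problem described above, as an added example that is not code from Axur or from any retailer: a code generator seeded from a guessable value next to one that draws from the operating system's CSPRNG and appends a keyed HMAC tag. The function names, the alphabet and the code lengths are assumptions chosen for illustration.

```python
import hashlib
import hmac
import random
import secrets

# 32 unambiguous symbols (no 0/O, 1/I); each symbol carries 5 bits.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
TAG_LEN = 6  # 30-bit keyed check appended to every code


def weak_code(seed: int, length: int = 16) -> str:
    """Anti-pattern: Mersenne Twister seeded from a guessable value
    (timestamp, order id). Anyone who learns the seed scheme can
    regenerate every code the store will ever issue."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def _tag(key: bytes, body: str) -> str:
    # 256 is a multiple of 32, so `byte % 32` is unbiased.
    digest = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % 32] for b in digest[:TAG_LEN])


def issue_code(key: bytes, body_len: int = 14) -> str:
    """Hardened: 70 bits from the OS CSPRNG plus a keyed tag.
    There is no algorithm to learn; without `key` a valid tag
    cannot be computed for a made-up body."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(body_len))
    return body + _tag(key, body)


def is_well_formed(key: bytes, code: str, body_len: int = 14) -> bool:
    """Cheap pre-filter before the database lookup. Redemption must
    still confirm the code was issued and is unspent; failures here
    are a useful signal for rate limiting and alerting."""
    code = code.strip().upper()
    if len(code) != body_len + TAG_LEN:
        return False
    if any(c not in ALPHABET for c in code):
        return False
    body, tag = code[:body_len], code[body_len:]
    return hmac.compare_digest(tag, _tag(key, body))


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # constructed key for the demo
    print(weak_code(1700000000), weak_code(1700000000))  # identical
    code = issue_code(demo_key)
    print(code, is_well_formed(demo_key, code))
```

The HMAC key belongs in a secrets manager rather than in the application code, and the tag only filters guesses; the record of issued and redeemed codes remains the authority.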

Other common tactics that we can mention include abuse of automatic SMS verification (which is nothing more than two-factor authentication done via text messages to identify a customer), exploitation of a site’s structural vulnerabilities (which exist, again, due to the lack of concern for digital security in the store’s development) and even the use of administrator credentials to break into a site’s systems. These credentials can be acquired through leaks, through brute-force attacks, or through credential stuffing.

 

As the saying goes: “An ounce of prevention...”


These dangers are exactly why it’s so important to monitor all possible Internet channels—open and closed, on the surface as well as on the deep web—to identify possible threats before they actually cause financial losses or non-material damage to your company. Axur’s solutions are here to help you with that, issuing notifications should anything related to your brand be detected (a leak, a voucher counterfeiting service, or even a simple discussion over how to take advantage of a breach in your systems). Contact us and find out how we can help you be set free from cybercriminals!


GUEST EXPERT

Eduardo Schultze, CSIRT Coordinator at Axur, holds a degree in Information Security from UNISINOS – Universidade do Vale do Rio dos Sinos. He has worked since 2010 on fraud involving the Brazilian market, mainly phishing and malware.

AUTHOR

TheHack.com.br

We are journalists, but we are also hackers - we aim to solve problems by analyzing them in a creative way and by finding different ways of using the tools that we have.