Akamai: Rapid Digitalization, Flawed Code Led to 14 Billion Attacks in Past Year
Hackers hit the e-commerce industry with 14 billion attacks in 15 months, pushing it to the top of the list of targets for web application and API exploits, according to a new report by Akamai.
The volume of attacks against e-commerce companies is primarily due to the industry’s digitalization and the wide range of vulnerabilities hackers can exploit in the web applications of their intended targets, the researchers said.
E-commerce companies store sensitive data, such as personal identifiable information and payment account details, which makes the sector “one of the most attacked industries and a lucrative target for cybercriminals,” said researchers, who analyzed web attacks from Jan. 1, 2022, to March 31, 2023.
Retail, hotel and travel firms topped the list of 13 industries and suffered 14.5 billion attacks – or over one-third of all attacks studied by Akamai. The high-tech industry ranked second, with about 9 billion attacks, and financial services was third with about 7 billion attacks. Akamai Advisory CISO Steve Winterfeld did not expect commerce to take first place by “such a large measure.”
“Commerce is generally in the top three for DDoS, phishing and web attacks, but they are really getting hit on the app and API front. This is true across industries,” Winterfeld told Information Security Media Group.
Businesses in the commerce sector have a “complex and dynamic attack surface,” affecting both servers and clients. The sector’s infrastructure is complex to secure as it includes point-of-sale terminals and IoT devices that use web applications and APIs. The use of third-party vendor scripts, which often leverage vulnerability-filled open-source libraries, adds another layer of risk, the report says.
One of the challenges facing e-commerce firms is that they rushed to release web applications and APIs to drive business during the pandemic without proper auditing and bug fixing. Adversaries took advantage of the poor coding, design flaws and security gaps, putting the industry at a much higher risk.
“One of the biggest technological transformation changes is the move to APIs and the threat too is focused on this. Responding to customer demands and shopping trends quickly made it difficult to maintain quality and security, but they are critical for customer experience. It is important to remove friction when including cybersecurity, by having a culture of secure coding and security tools that hook into the development pipeline,” Winterfeld said.
While the risks increase, security budgets don’t. “Security and IT teams are feeling the pressure of protecting their perimeter and customer information but have limited security budgets. These teams end up having to do more with less,” the researchers said.
Minimal regulation of the space – unlike the financial services and healthcare industries – only makes the problem worse. “Commerce is less heavily regulated but needs the same security maturity level,” the report says.
Winterfeld’s company often asks him how the organization compares to its peers and other industries. This can provide insights into where the company’s risk management is off, he said. “One key area to remember is: Comparing commerce to other regulated industries is a better measure. Financial services, for example, is right behind commerce in attacks. The criminals are following the money,” he said.
Key Trends in API and Web Apps Security Risk
Between January 2022 and March 2023, hackers shifted from using SQL injection and cross-site scripting to leveraging local file inclusion methods in 56% of the attacks, the researchers said. LFI is currently the top commerce attack vector, with nearly double the number of XSS and SQLi attacks, which came in at 24.19% and 12.24%, respectively.
LFI attack activity increased by more than 300% between the first quarter of 2021 and the third quarter of 2022.
“Nowadays, attackers have found the exploitation of LFI vulnerabilities to be more helpful in scanning networks for targets and exposing information leading to directory traversal attacks and deeper breaches. This is as opposed to how it was a few years ago, with the higher volume of SQLi attacks mainly just permitting access to sensitive data. These exploited LFIs may often lead to remote code execution via attack chaining,” the researchers said.
LFI vulnerabilities are mainly caused by improper input validation, or code that is improperly sanitized. This could allow attackers to “access unauthorized information and receive unauthorized privileges on the server, which can result in a complete compromise of the system.”
Noticing these changes in trend is important, as it helps companies determine how to validate their security controls.
The report recommends that pen testers and red teams focus on uncovering LFI vulnerabilities and that security programs emphasize reporting on both attempts and compromises. “By testing the full life cycle of an attack, we can ensure our SOC processes are able to mitigate them. Leveraging the MITRE ATT&CK framework also provides a reason to study the cyber kill chain steps and the techniques used to execute them,” the report says.
Protecting at the edge should include the ability to manage both direct attacks and being hit by large bots or DDoS attacks, Winterfeld said. The infrastructure needs to be able to mitigate the attack and when necessary, absorb the attacks, he added. “Some of the resiliency challenges can come from a surge of customers, so companies also need the ability to rapidly expand capabilities or leverage a CDN to support these spikes.”
More Trouble Brewing for E-Commerce
LFI is the most pressing concern for the industry, but it is not the only one.
Magecart and web skimming attacks remain potent enough to warrant new requirements in the latest version of payments industry standard PCI DSS. Magecart, the researchers said, is a type of web skimming attack in which hackers exploit a vulnerability on an e-commerce platform script to inject malicious code in first- or third-party scripts – such as that of the checkout page. They do this to gain customer payment details and personal identifiable information.
“In one of the attacks we’ve identified and mitigated, the attacker injected the code in a first-party resource, and users who input and submitted their information in the payment form at the checkout page could have their details (e.g., CVV, credit card number, and name) sent to a C2 server,” the researchers said.
In the British Airways case, ackers abused third-party scripts in the company’s payment page, allowing them to steal confidential user data, such as payment information. This attack affected more than 350,000 customers, resulting in a 20-million-pound General Data Protection Regulation penalty.
Attack vectors, such as server-side template injection, server-side request forgery and server-side code injection, have also become popular and may lead to data exfiltration and remote code execution.
“This, in turn, may be playing a role in preventing online sales and damaging a company’s reputation,” the researchers said, citing an Arcserve survey in which 60% of consumers said they wouldn’t buy from a website that had been breached in the previous 12 months.
SSTI is a hacker favorite for zero-day attacks. Its use is well-documented in “some of the most significant vulnerabilities in recent years, including Log4j,” the researchers said. Hackers mainly targeted commerce companies with Log4j, and 58% of all exploitation attempts happened in the space.
The Hafnium criminal group popularized SSRFs, which they used to attack Microsoft’s Exchange Servers and reportedly launched a supply chain cyberattack that affected 60,000 organizations, including commerce. Hafnium used the SSRF vulnerability to run commands to the web servers, according to the report.
“Unfortunately, these widespread Hafnium attacks are just the beginning, as Microsoft Exchange users have been submitting new ransomware attacks that originated from this hack,” the report says.
Commerce companies use third-party scripts to add customer service-focused functionality such as payment processing, chatbots and metrics tracking. Using third-party scripts does not necessarily mean they are vulnerable, but companies have little visibility into the development and testing of third-party script code and potential vulnerabilities, the researchers said. Third-party scripts may also use code from other third parties, which “creates more blind spots and pathways for attacks,” it said.
Hackers can exploit these flaws to carry out fraud or steal payment details. “It also means increased challenges with meeting the requirements around PCI DSS 4.0 regarding script management,” the researchers said.
The U.S. has privacy, data localization and emerging resiliency regulations, and it is witnessing updates to standards such as PCI DSS based on new threat trends. But compliance challenges are likely to continue to grow, Winterfeld said.