The online holiday shopping season is well underway, with e-commerce retailers anticipating robust consumer spending: Deloitte projects that e-commerce sales will grow by 12.8% to 14.3%, year-over-year, during the 2022-2023 holiday season, reaching total sales of between $260 billion and $264 billion, according to a report from Retail Info Systems.
That’s a lot of activity on your e-commerce apps—and not all of it will be from happy holiday elves checking their shopping lists.
This is also the time of year that cyberthreat actors ramp up their activities, looking to take advantage of the surge in online holiday shopping.
Client-side attacks intercept and manipulate user sessions. The attacker's aims include taking control of and defacing websites, conducting phishing attacks, presenting fake content, creating new forms, hijacking legitimate forms that ask the user for their social security number or bank account information, or taking over the user’s account. Captured data is usually exfiltrated to the attacker’s command and control server.
Magecart attacks are probably the best known. Magecart is a broad term for a range of software supply chain attacks, including formjacking and digital skimming, also called e-skimming, which steal personal data (most commonly customer details and credit card information) from online web payment forms. According to F5 Labs' "2022 Application Protection Report: In Expectation of Exfiltration," formjacking attacks constituted the bulk of web exploits that led to breach disclosures.
Criminals typically leverage the captured customer data to conduct malicious acts such as identity theft or account takeover, or very often to simply harvest the information to package and sell as data dumps on the Dark Web.
Client-side attacks will continue to be a challenge for online organizations as long as criminals are able to embed malicious code into web applications, and these exploits can be particularly damaging during the holidays, when both shoppers and your cybersecurity teams already have plenty of other concerns to focus on. Given how few companies are aware of these types of attacks, and how few have set up proper defense methods to detect and thwart these exploits, attackers will continue to find success.
However, here are some best practices that you can implement to help mitigate client-side risk:
When customers log into their accounts on your e-commerce website over the holidays, they are trusting you with their sensitive personal data. Take the steps necessary to ensure the third-party scripts running in your e-commerce environment cause no harm.
Learn more by watching the video "How Merchants Can Defend Themselves against Magecart Attacks" and tune into this demo of F5 Distributed Cloud Client-Side Defense.