As seen on VMBlog.

By Hadar Blutrich, CTO & Co-founder of Source Defense 

COVID-19 changed our lives in 2020, and we can only expect the outbreak to continue to do so well into 2021. That includes how we shop, and the ways attackers seek to exploit the shift in consumer behaviour. To respond to the resulting threats, e-commerce companies will need to adopt a far more proactive and vigilant security posture for the year ahead.

Specifically, we anticipate the following developments in 2021: 
1.  Consumers will continue to transition from brick-and-mortar to online shopping.

The first seven months of 2020 saw $434.5 billion in online purchases, with the pandemic driving an extra $94 billion since March, according to the 2020 Digital Economy Index from Adobe Analytics. By October, the pandemic accelerated online shopping to a level not previously expected until 2022, with e-commerce in the U.S. projected to reach $794.50 billion this year, according to eMarketer. This represents a 32.4 percent year-over-year growth rate – notably higher than the 18 percent predicted in eMarketer’s Q2 forecast. By 2024, e-commerce will account for 19.2 percent of all retail spending, up from 14.4 percent now. In contrast, brick-and-mortar sales will drop to $4.71 trillion this year, a 3.2 percent decline. 

“We’ve seen e-commerce accelerate in ways that didn’t seem possible last spring, given the extent of the economic crisis,” said Andrew Lipsman, a principal analyst for eMarketer. “While much of the shift has been led by essential categories like grocery, there has been surprising strength in discretionary categories like consumer electronics and home furnishings that benefited from pandemic-driven lifestyle needs.” 

2.  Cyber criminals will take advantage of the online shopping boom by launching more formjacking and Magecart attacks.

In these attacks, criminals inject malicious JavaScript into e-commerce websites to skim the data entered on checkout pages and steal customers' credit card details. Formjacking refers to hijacking a web form, most frequently the payment page; it accounts for 87 percent of web breaches and 17 percent of total breaches. Magecart is the umbrella name for the criminal groups behind these skimming attacks (and, by extension, for the attacks themselves); the name comes from Magento, the open source e-commerce platform whose shopping carts were early targets, although the same technique now hits sites on many platforms. In September 2020, attackers compromised more than 1,900 retailers running Magento software and stole the payment details of tens of thousands of customers, the largest known Magecart attack to date. Overall, there have been 425 Magecart incidents per month this year.

3.  Cyber attacks will become much more sophisticated and harder to detect.

In the past, we've seen adversaries hide their tools on servers and lookalike domains (typosquats that, for example, substitute the letter "c" for "o" in a trusted name), but that infrastructure can be spotted and blocked. To stay hidden, formjacking and Magecart actors will instead inject their JavaScript through services that are already allow-listed (whitelisted) in the site's Content Security Policy (CSP), such as well-known tag managers, and send the harvested data out through other allow-listed services as well. This removes the need for a "drop server*", lets the exfiltration traffic blend in with legitimate third-party calls, and even saves the attackers whatever server or cloud costs they would otherwise pay. The technique is all the more formidable, and foreboding, because the sales transaction still completes normally: the compromised merchant and the victim have no idea the card data was stolen until it is used for a fraudulent purchase.

*A drop server is a server that collects and holds stolen data. 

4.  Organizations will increasingly adopt zero trust to protect themselves and their customers.

Adversaries are finding it effective (and lucrative) to target third parties, the weak links in the e-commerce supply chain: a script served by a tag manager, chat widget or analytics vendor runs on the checkout page with the same access to the DOM as the merchant's own code. The way to capture and block this activity is a zero trust approach to third-party scripts, in which each script is confined to exactly the information the website has authorized it to access and is blocked from consumers' personal and payment data.

Virtual web pages play a key role here. Like a real-time sandbox, a virtual page is an exact replica of the original page minus whatever the third party isn't authorized to see, and the third-party script reads from and writes to that replica rather than the real page. If a third-party write is permitted by policy, the virtual page forwards it to the original page; otherwise it is dropped. Isolating third-party scripts from the original website in this way ensures that an unauthorized change to their JavaScript cannot reach the fields it was never allowed to touch.
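A minimal model of that virtual page, added here as an example and not the product code of Source Defense or any other vendor: a JavaScript Proxy stands in for the replica, a per-script policy (an assumed shape, not a standard) lists the fields a script may read and write, permitted writes are forwarded to the real page, and everything else is dropped and recorded in an audit log. The "real page" is a plain object rather than a DOM, the policy and field values are constructed, and the isolation is in-process; a production implementation would additionally run the third-party script in its own realm (an iframe or worker) so that it cannot reach the real page through other globals.

```javascript
'use strict';

// Constructed stand-in for the checkout page's form state (a plain object
// instead of a live DOM).
function makeRealPage() {
  return {
    fields: {
      email: 'shopper@example.com',
      cardNumber: '4111111111111111',   // test card number, not a real account
      expiry: '12/26',
      cvv: '123',
      promoCode: '',
      newsletterOptIn: false,
    },
  };
}

// Assumed policy shape for one third-party script: a chat widget may see the
// shopper's email and promo code, and may set the promo code and opt-in flag.
// It has no business with the card fields, so they are simply absent.
const CHAT_WIDGET_POLICY = {
  read: ['email', 'promoCode'],
  write: ['promoCode', 'newsletterOptIn'],
};

// Build the virtual page: a replica that exposes only authorized fields,
// forwards permitted writes to the real page, drops everything else, and
// records every access so the site owner can see what a script tried to do.
function makeVirtualPage(realPage, policy) {
  const audit = [];
  const readable = new Set(policy.read);
  const writable = new Set(policy.write);
  const fields = new Proxy({}, {
    get(_, prop) {
      if (typeof prop !== 'string') return undefined;
      const allowed = readable.has(prop);
      audit.push({ op: 'read', field: prop, allowed });
      return allowed ? realPage.fields[prop] : undefined;  // absent in the replica
    },
    set(_, prop, value) {
      const allowed = writable.has(prop);
      audit.push({ op: 'write', field: prop, allowed });
      if (allowed) realPage.fields[prop] = value;          // forwarded to the real page
      return true;  // never throw into the third-party code; the write is just dropped
    },
    has(_, prop) { return readable.has(prop); },
    ownKeys() { return [...readable]; },
    getOwnPropertyDescriptor(_, prop) {
      if (!readable.has(prop)) return undefined;
      return { value: realPage.fields[prop], enumerable: true, configurable: true, writable: writable.has(prop) };
    },
  });
  return { fields, audit };
}

// A well-behaved widget: reads the email to greet the shopper, applies a code.
function benignWidget(page) {
  const who = page.email;
  page.promoCode = 'CHAT10';
  return who;
}

// The same widget after a skimmer has been spliced into the vendor's code:
// it tries to harvest the card fields and to tamper with one of them.
function compromisedWidget(page) {
  const stolen = { card: page.cardNumber, cvv: page.cvv, expiry: page.expiry };
  page.cvv = '';
  return stolen;
}

// Run a third-party script against a fresh page through its virtual page and
// return what it got, what the real page looks like afterwards, and the audit.
function runIsolated(widget, policy) {
  const real = makeRealPage();
  const { fields, audit } = makeVirtualPage(real, policy);
  const out = widget(fields);
  return { out, real: real.fields, audit };
}

console.log(runIsolated(compromisedWidget, CHAT_WIDGET_POLICY));
```

Because `ownKeys`, `has` and `getOwnPropertyDescriptor` are also trapped, a script that enumerates the replica (`Object.keys`, `in`, `for...in`) sees only the authorized fields and cannot even learn that `cardNumber` or `cvv` exist, while the audit log gives the merchant the denied reads and writes as evidence of a compromised vendor.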

There is urgency to deploy these solutions now, especially since the average e-commerce site loads approximately 40 third-party tools, and online shopping will only increase considerably over the next year. Given this, we will hopefully read far fewer news reports about successful formjacking and Magecart incidents in 2021, and more stories about how organizations defended themselves from these attacks by applying zero trust to third-party code.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.