Black Friday sales have been a huge hit online. Black Friday buying has grown 21.6% year on year, with sales estimated to be worth $3.34 billion! As buying moves online, hacks have increased too. Hackers target your website or app with the sole motive of compromising your customers for financial gain.
What’s in it for Hackers?
- Credit Card Details: Credit card details remain the top target for hackers. During the Black Friday-Cyber Monday sales, hackers go on a spree of targeting both customers and businesses. Targeting end customers is relatively easy, but the information extracted is limited. Targeting businesses is harder, but a compromised business is like hitting the jackpot for hackers. Imagine if your website gets hacked: with one hack, hackers can compromise a few hundred or a few thousand card details. This stolen credit card information is sold for pennies in underground forums. There have been instances where entire businesses were shut down because of hacks. According to a recent survey by Trustwave, 99.7% of websites have at least one vulnerability. With statistics like those, hacking websites or apps doesn't look all that difficult either.
- Free Goods: Modern web apps are powered by many different technologies. When these technologies and custom development come together, the result is often a business logic flaw. These flaws are quite deadly, as they let hackers game the system. A few examples of business logic errors are:
  - Buying a product worth $5000 for $1
  - Applying coupon codes that have expired
  - Tricking the payment gateway into believing a payment succeeded when it did not
  - Accessing exclusive sales available to premium customers without being one
  - Misusing flaws in APIs to extract information about other customers
  - and many more, depending on your web app.
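The first three items on that list share one root cause: the server trusts numbers the browser sent. The following added example (not Astra's code, nor that of any store or gateway mentioned on this page) shows the server-side checks that close them: the price comes only from the catalog, the coupon is checked against its expiry date, and a "paid" callback from the gateway is accepted only if its HMAC verifies and the amount matches what the server itself computed. The catalog, coupon table, shared secret and callback format are all constructed assumptions for the demo.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample data: a catalog keyed by SKU (prices in cents) and a coupon
# table with expiry dates. A real store would read these from its database.
CATALOG = {"laptop-pro": 500_000, "usb-cable": 999}
COUPONS = {"SAVE10": {"percent": 10, "expires": date(2017, 11, 20)}}
# Assumed shared secret agreed with the payment gateway (a constructed value).
GATEWAY_SECRET = b"constructed-demo-secret-do-not-reuse"
# Constructed dates used by the demo: one before the coupon expires, one after.
BEFORE_EXPIRY = date(2017, 11, 15)
SALE_DAY = date(2017, 11, 24)


class CheckoutError(ValueError):
    """Raised when a request tries to buy something the rules do not allow."""


def price_order(request, today=None):
    """Compute the amount owed purely from server-side data.

    `request` is the dict the browser posted. Any "price" field in it is
    deliberately ignored: the SKU is priced from CATALOG, the quantity is
    validated, and the coupon is checked against its expiry date.
    """
    today = today or date.today()
    sku = request.get("sku")
    quantity = request.get("quantity")
    if sku not in CATALOG:
        raise CheckoutError("unknown sku")
    if not isinstance(quantity, int) or isinstance(quantity, bool) or quantity <= 0:
        raise CheckoutError("invalid quantity")
    amount = CATALOG[sku] * quantity
    coupon_code = request.get("coupon")
    if coupon_code is not None:
        coupon = COUPONS.get(coupon_code)
        if coupon is None or coupon["expires"] < today:
            raise CheckoutError("coupon invalid or expired")
        amount -= amount * coupon["percent"] // 100
    return amount


def gateway_signature(order_id, amount, status):
    """HMAC the gateway is assumed to attach to each payment callback."""
    message = f"{order_id}|{amount}|{status}".encode()
    return hmac.new(GATEWAY_SECRET, message, hashlib.sha256).hexdigest()


def payment_confirmed(order_id, expected_amount, callback):
    """Mark an order paid only if the callback is authentic and the amount matches.

    A callback that merely says status="paid" is not enough: its signature must
    verify under the shared secret, and the paid amount must equal what
    price_order() computed for this order.
    """
    expected_sig = gateway_signature(order_id, callback.get("amount"), callback.get("status"))
    presented_sig = str(callback.get("signature", ""))
    if not hmac.compare_digest(expected_sig.encode(), presented_sig.encode()):
        return False
    return callback.get("status") == "paid" and callback.get("amount") == expected_amount


if __name__ == "__main__":
    # Tampered request: the client claims a $1 price, which the server never reads.
    order = {"sku": "laptop-pro", "quantity": 1, "price": 100}
    owed = price_order(order, today=SALE_DAY)
    print("amount owed (cents):", owed)  # 500000, not 100
    forged = {"amount": 100, "status": "paid", "signature": "deadbeef"}
    print("forged callback accepted:", payment_confirmed("order-1", owed, forged))  # False
```

The same pattern applies to the other list items: whatever the client asserts about itself (its tier, its coupon, its payment state) is recomputed or verified on the server before anything is shipped.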
- Cheap Thrills: There is a saying, 'hackers gonna hack', and it is true. Sometimes they hack just for the fun of it. If your website is hackable, hackers will hack it and brag about it on social media. It's better to make yourself as close to unhackable as you can, because once you are on hackers' radar they can certainly create menace. All you need to do is make it so difficult for them that they move on to their next target.
Essential Tips to Secure Your Web Apps During the Black Friday-Cyber Monday Sales:
- Start by Protecting the Admin Panel: The first thing hackers try to find is the location of the admin panel. The admin panel often reveals which CMS you are using and its version. Once hackers have this information, they can search for exploits for that particular version of the CMS. An admin dashboard that is trivially easy to find also signals that the business owner is not security conscious, which gives hackers confidence. The most common default admin dashboard URLs are:
  - OpenCart: www.OpenCartStore.com/admin
  - WordPress: www.WP-site.com/wp-admin
  - Magento: www.Magento-Store.com/admin
When hackers come looking for these default admin paths, you don't want to hand them over. Change the admin URL to something random that is difficult to guess. Adding an extra layer of security with HTTP basic authentication (a .htpasswd file) is also recommended.
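On an Apache host the two controls above are an admin path that is not the CMS default plus a .htaccess/.htpasswd pair in front of it. The added example below (not Astra's code and not part of any CMS) shows the same two controls in application code so the logic is visible: the admin path is generated from a CSPRNG at deployment, and a request is allowed only if it hits that exact path and carries HTTP Basic credentials whose PBKDF2 hash matches the stored one. The user name, password, and the in-memory credential store are constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Generated once at deployment and kept in configuration; regenerated on every
# run here for the demo. The point is that it is not /admin, /wp-admin or any
# other default path a scanner would try first.
ADMIN_PATH = "/" + secrets.token_urlsafe(16)

PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt):
    """Slow, salted password hash (stdlib PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed credential store: user -> (salt, hash). In production the hashes
# live in a config or secrets store (the .htpasswd file, for Apache), never in source.
DEMO_SALT = secrets.token_bytes(16)
ADMIN_USERS = {"ops": (DEMO_SALT, hash_password("correct horse battery staple", DEMO_SALT))}


def basic_auth_header(user, password):
    """Build the Authorization header a browser sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def admin_request_allowed(path, auth_header):
    """Allow the request only if it hits the unguessable admin path AND the
    Basic-auth credentials verify against the stored hash."""
    if path != ADMIN_PATH:
        return False
    creds = parse_basic_auth(auth_header)
    if creds is None:
        return False
    user, password = creds
    record = ADMIN_USERS.get(user)
    if record is None:
        # Hash anyway so an unknown user takes as long to reject as a bad password.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    good = basic_auth_header("ops", "correct horse battery staple")
    print("admin path:", ADMIN_PATH)
    print("default /admin with valid creds:", admin_request_allowed("/admin", good))  # False
    print("random path with valid creds:", admin_request_allowed(ADMIN_PATH, good))  # True
    print("random path, wrong password:", admin_request_allowed(ADMIN_PATH, basic_auth_header("ops", "x")))  # False
```

Note that the random path on its own is only obscurity; it keeps you off the list of sites found by a default-path sweep, while the credential check is what actually keeps the dashboard closed. Both are applied together, and the comparison of the stored hash uses a constant-time compare.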
- Never Underestimate Patches: One of the first steps in exploiting a web app is to check whether the site has missing patches. If there are patches you haven't installed, it becomes easy for hackers to hack the system. Installing patches can sometimes break the website because of version incompatibilities or custom development you have done. Even so, patches should not be ignored, as they often fix severe vulnerabilities.
The critical SQL injection vulnerability in Magento known as Shoplift allowed anyone to create an additional admin user in your Magento store. A year after the patch was released, thousands of stores were still found to be vulnerable.
- Check for Copycat Domains: This is a classic trick that hackers pull off during the Thanksgiving sales. They buy a domain name that is a typo or lookalike of yours, set up a website on it that looks just like yours, and point customers to this fake site via email or social media. Competitors often pull tricks like these too.
It is recommended to buy all such possible domains yourself. Also run Google searches for these possible copycat domain names to make sure no one is luring potential customers to a phishing website that looks just like yours.
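To buy or monitor "all such possible domains" you first need the list. The added example below (not Astra's tooling) generates the common lookalike variants of your own domain: a dropped character, two adjacent characters swapped, a doubled character, look-alike character substitutions, a removed hyphen, and alternative TLDs. The homoglyph table and TLD list are deliberately small constructed samples; dedicated tools carry far larger ones. The output is what you hand to your registrar, or feed to a search or certificate-transparency monitor.

```python
# Constructed lookalike table: characters that read alike in common fonts or are
# typed by mistake. Kept small for the demo.
HOMOGLYPHS = {
    "o": ["0"],
    "l": ["1", "i"],
    "i": ["l", "1"],
    "m": ["rn"],
    "e": ["3"],
    "a": ["4"],
}
# Constructed list of TLDs worth registering or watching alongside your own.
TLD_ALTERNATIVES = ["com", "net", "org", "co", "shop"]


def lookalike_domains(domain):
    """Return a sorted list of domains a customer could mistake for `domain`.

    Covers: omission, adjacent transposition, doubling, homoglyph substitution,
    hyphen removal, and TLD swaps. The input itself is never in the output.
    """
    name, _, tld = domain.lower().rpartition(".")
    if not name or not tld:
        raise ValueError("expected a name.tld domain")

    names = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])            # omission:      exmple
        names.add(name[:i] + ch + name[i:])           # doubling:      exaample
        if i + 1 < len(name):                         # transposition: examlpe
            names.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        for sub in HOMOGLYPHS.get(ch, []):            # homoglyph:     examp1e
            names.add(name[:i] + sub + name[i + 1:])
    if "-" in name:
        names.add(name.replace("-", ""))              # hyphen removal: myshop

    names.discard(name)
    # Drop anything that is empty or would not be a valid label.
    names = {n for n in names if n and not n.startswith("-") and not n.endswith("-")}

    out = {f"{n}.{tld}" for n in names}
    out |= {f"{name}.{t}" for t in TLD_ALTERNATIVES if t != tld}
    return sorted(out)


if __name__ == "__main__":
    # Constructed example domain; replace with your own.
    for candidate in lookalike_domains("example.com"):
        print(candidate)
```

Run it against your own domain, register the variants you can, and put the rest on a watch list: a search for the candidate names, as the text suggests, or a certificate-transparency feed, will show when one of them goes live with a site that looks like yours.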
Astra already gives you the option to run your own responsible disclosure program, which lets ethical hackers report vulnerabilities to you systematically through our platform.
Leave aside websites and apps: recently a DDoS attack caused train delays in Sweden!
Here’s What to Do Next –
If you are the owner/CXO of a company that is prepping for the Thanksgiving sales, you need to have a word with your tech team. Start by making sure that the basic security measures mentioned above are taken care of.
But do not forget that basic security only makes things a little harder for hackers. You do not want anything to go wrong on the most important days for your business.
For businesses like yours, we've launched a special Essential Thanksgiving Security Checkup for websites & apps. This is where we find all the vulnerabilities in your website, payment flow and app that could be exploited by hackers, and help you fix them. This is followed by deploying our web firewall, Astra, which protects you 24×7 during the Thanksgiving sales and also lets you run a responsible disclosure program. In addition, our team stays on standby in case any security incident happens to your web infrastructure during Thanksgiving.