9 Essential Security Tips to Protect Your Website & App from Hackers this BlackFriday-CyberMonday
BlackFriday sales have been a huge hit online. There has been a 21.6% year on year growth in buying during blackfriday with sales estimated to be worth $3.34 billion! With the buying going online, there has been an increase in hacks also. Hackers target your website or app with the sole motive of compromising your customers for financial gains.
Contents of This Guide
What’s in it for Hackers?
- Credit Card Details: Credit card details remain the top target for hackers. During blackfriday-cybermonday sales, hackers remain on a spree of targeting both customers and businesses. While targeting end customers is relatively easy but the information they extract is less. However, targeting businesses is a bit difficult but if a business gets compromised that is like hitting a jackpot for hackers. Imagine if your website gets hacked – with one hack hackers can compromise a few thousand or hundred card details. This hacked credit card information is sold for pennies in underground forums.There have been instances where complete businesses where shut down because of hacks. According to a recent survey by Trustwave, 99.7% websites have at least one vulnerability. With those statistics it doesn’t like that hacking websites or apps is also that difficult.
- Free Goods: Modern day web apps have so many different technologies powering them. When these technologies and custom development comes together, it often results in business logic leaks. These leaks are quite deadly as they help hackers to game the system. A few examples of business logic errors are:
- Buying product worth $5000 for $1
- Applying coupon codes that have been expired
- Tricking the payment gateway into believing payment is successful when it’s not
- Accessing exclusive sales available to premium customers without being one
- Misusing flaws in APIs to extract information about other customers
- and many more depending on your web app..
- Cheap Thrills: There is a saying ‘hackers gonna hack’ which is true. Sometimes they just hack for the fun of it. If your website is hackable, hackers would just hack it an brag on social media about it. It’s better to assure that you are unhackable because if you are on hackers’ radar then they for sure can create menace. All you need to do is make it super difficult for them so that they just move on to their next target.
Essential Tips to Assure Security of Your Web Apps this BlackFriday-CyberMonday Sales:
- Start by Protecting Admin: The first thing hackers try to find is the location of the admin panel. Admin panel often gives out the information about CMS you are using with it’s version. Once hackers have this information they can search for exploits for that particular version of the CMS. If the admin dashboard is easily available it means that business owner is not security conscious – giving hackers confidence. The most generic admin dashboard URLs are:
- OpenCart: www.OpenCartStore.com/admin
- WordPress: www.WP-site.com/wp-admin
- Magento: www.Magento-Store.com/admin
When hackers come looking for these default admin paths, you don’t want to give it to them. Be sure to change the admin URL to something random which is difficult to guess. Also add additional layer of security by putting .htpassword is recommended.
- Never Underestimate Patches: One of the initial steps when trying to exploit a web apps is to check if a website has some missing patches. If there are patches which haven’t been installed by you then it becomes easy for hackers to hack the system. Installing patches sometimes can break the website due to version incompatibility or if you have done custom development. But still, patches should not be ignored as sometimes they fix some severe vulnerabilities.
The critical SQL Injection vulnerability Shoplift in Magento allowed anyone to create additional admin user in your Magento store. After one year of the patch being out, still thousands of stores were found to be vulnerable.
- Check for Copycat Domains: This is a classic trick that hackers pull-off during thanksgiving sales. They buy a domain name which is typo or a lookalike of your domain name. On this domain they setup a website that looks just like your website and point customers via email/social media to this fake website. Tricks like these are often pulled by competitors too.
It is recommended to buy all such possible domains yourself. Also, run google searches with these possible copycat domain names to assure no one is tricking potential customers to phishing website that look just like yours.
- Have a Firewall in Place: There are no two ways about having basic security checks in place. But basic security checks aren’t enough. Having a firewall goes a long way. It helps you keep bad bots, hackers away and let’s only legit users enter your website. However, generic firewalls should be avoided. Firewall should be specific to your CMS or tech stack you are using. Generic firewalls often interfere between normal functionality of the website and have a very general approach to security. You do not want to compromise on this one.
- Dormant Domains Attract Hackers: The main website or app where customers shop from is always taken care of. Be it security, marketing, UI/UX etc. everything is on top for the main website. However, what is forgotten are sub-domains and those mail servers you had setup long time ago but haven’t used ever since. These are exactly the loose nuts hackers look for. In the recent Equifax breach, un-monitored sub-domains seem to have played a role in the hacks.
- Extend Good Hackers a Handshake: All hackers aren’t bad! Some are just in for appreciation and some goodies. Often they try to contact business owners to responsibly report vulnerabilities to them But then they never hear back and end up putting the details in a blog post or social media. There are more ethical hackers trying to hack you than the bad ones trying to hack. As a .COM business owner, you need to be more open to the good guys.
Astra already gives an option to run your own responsible disclosure program which gives ethical hackers an option to report vulnerabilities to you systematically though our platform.
- Open Ports Should be Closed: Just like unattended domains, open ports also are a good entry point for hackers. Attacks like DDoS that can cause a havoc to your web services are often a result of open ports being chocked by hackers.
Leave along websites or apps, recently a DDoS attack caused train delays in Sweden!
- Get a Security Test Done: BlackFriday & CyberMonday sales ask for so much efforts from a technology team. Doing everything by yourself is not possible. Especially something like security that is every changing. Still, it can’t be ignored. The best it to let the experts handle security for you so that you can concentrate of business. A security audit ahead of thanksgiving sales would go a long way.
Here’s What to Do Next –
If you are the owner/CXO of a company that is prepping for thanksgiving sales, then you need to have a word with your tech team. Start by making sure that the basic security measures are taken care of as mentioned above.
But do not forget that basic security means only a little difficulty for hackers. You do not want anything to go wrong on the most important days for business.
For businesses like yours, we’ve launched a special Essential Thanksgiving Security Checkup for websites & apps. This is where we find all the vulnerabilities in your website, payment flow and app which could be exploited by hackers and help you fix them. Followed by deploying our web firewall Astra which protects you 24×7 during thanksgiving sales and also allowing you to run a responsible disclosure program. In addition, our team stays on stand-by if any security incident happens with your web infra during thanksgiving.