Record internet sales figures were reported in 2019, but online retailers aren’t the only ones laughing all the way to the bank. Cybercrime costs retailers a staggering $30 billion a year, and the sector is among the most targeted globally. Last year, three quarters of global retailers reported falling victim to cyberattacks.
Cyberattackers are constantly evolving and looking for opportunities to deliver malicious payloads to online shoppers, and this activity is especially heightened during the shopping season. Several awareness campaigns were launched this year, most notably one by Homeland Security educating users on making smart and safe shopping choices, yet the conning of advertisers and publishers into delivering malware-laced advertisements remains a growing issue.
The Devcon report highlighted that hackers can use any of the following methods to exploit advertisers and consumers:
Abusing a publisher’s code: Cybercriminals create fraudulent accounts with ad networks and use an organization’s ad tags to deliver payloads to target websites, without even having to compromise the target company’s servers.
Exploiting a partner’s code: This method exploits vulnerabilities in the source code of third-party partners that connect to the target website, publisher or advertiser. A similar pattern was seen in last year’s Magecart attacks, which stole credit card information from more than 80 global e-commerce websites running an outdated version of the Magento platform, and in the eGobbler attack, which affected more than a billion ads through a browser flaw on Apple iOS devices.
Service providers and consumers should follow these best practices so that they do not fall prey to ad threats.
Best practices for service providers:
1. Start with the company culture. Ensure all stakeholders — including employees, suppliers and partners — are aware of the security risks and that code is not published without thorough testing.
2. Have an independent company audit all company code, including third-party integrations, and establish a process to regularly review, monitor and test the code for infections.
3. Perform regular threat assessments, review integrations and evaluate all security risks.
4. If budget permits, consider appointing a security advisor, CIO or virtual CISO to sit on the company board.
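Item 2 above calls for reviewing third-party integrations, and the partner-code attacks described earlier arrive through exactly those integrations. The following is an added example, not code from the original article: a small audit that inventories the external script tags in a page's HTML and flags any that are not on a reviewed allowlist or that load cross-origin without a Subresource Integrity hash. The sample HTML, the allowlist and the site host name are all constructed, hypothetical values.

```javascript
// Added example (not from the original article): audit third-party
// <script src> tags in a page. All input below is constructed sample data.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-partner.com/checkout.js"
        integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="https://ads.example-network.net/tag.js"></script>
<script src="https://unknown-host.example/loader.js"></script>
</head><body></body></html>`;

// Hosts the site has reviewed and knowingly integrates (hypothetical).
const ALLOWED_HOSTS = new Set([
  "cdn.example-partner.com",
  "ads.example-network.net",
]);

// Extract every <script ...> opening tag and the attributes we care about.
function extractScripts(html) {
  const tags = html.match(/<script\b[^>]*>/gi) || [];
  return tags
    .map((tag) => {
      const attr = (name) => {
        const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*"([^"]*)"`, "i"));
        return m ? m[1] : null;
      };
      return { src: attr("src"), integrity: attr("integrity") };
    })
    .filter((s) => s.src !== null);
}

// Same-origin scripts are skipped; every cross-origin script must be on the
// allowlist and must carry an integrity attribute.
function auditScripts(html, allowedHosts, siteHost) {
  const findings = [];
  for (const s of extractScripts(html)) {
    let host;
    try {
      host = new URL(s.src, `https://${siteHost}`).hostname;
    } catch {
      findings.push({ src: s.src, issue: "unparseable-src" });
      continue;
    }
    if (host === siteHost) continue;
    if (!allowedHosts.has(host)) findings.push({ src: s.src, issue: "unknown-host" });
    else if (!s.integrity) findings.push({ src: s.src, issue: "missing-integrity" });
  }
  return findings;
}
```

Ad tags that rotate their content cannot carry a fixed integrity hash, so a "missing-integrity" finding on an ad host is a prompt to apply other controls such as a Content Security Policy and ongoing monitoring rather than a defect to patch.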
Best practices for consumers:
2. Verify the legitimacy of the ad. See if the information provided is reasonable and accurate.
3. Use an effective endpoint/antimalware security solution. Deploy an ad-blocker if necessary.
4. Keep all software updated. This includes your browser, operating system, antivirus software, Java, Adobe Flash, etc.
5. If you are interested in what an ad is offering, search for the company and product directly yourself. If the offer in the ad looks too good to be true, verify it on the company website before clicking on the ad.
6. Be extremely mindful of phishing pages when filling in forms online.
7. If you come across a suspicious ad, it might be a good idea to report it to the e-commerce website or the ad serving platform.
The growing amount of money flowing through ad-serving platforms will inevitably attract more cybercriminals. While service providers become more security savvy, hackers become more sophisticated than ever before. Understanding ad threats is necessary for staying one step ahead of these fraudsters.