The E-Commerce Phishing Threat

Two of the most serious e-commerce security issues are phishing and spear phishing.

Phishing, the hacking technique of mass-mailing malicious email to trick people into clicking on malware links or disclosing private information, is on the rise. According to the Anti-Phishing Working Group (APWG), of which Vade Retro is a member, the overall number of unique phishing attacks received and reported increased by 186% from 2013 to 2015. Countless other mass phishing emails were blocked by anti-spam filters and so were not counted.

Spam filters can catch many, but not all, mass phishing attacks. However, spam filters are generally helpless in the face of more targeted attacks like spear phishing.

An Even Bigger E-Commerce Security Issue: Spear Phishing

Spear phishing is a more dangerous variant of phishing that targets specific victims with emails purporting to be from friends and colleagues. Exact numbers in regard to spear phishing are hard to come by but Vade Retro’s own numbers show a significant increase in spear phishing attacks both year over year and quarter over quarter for the past two years.

The distributed, virtual nature of e-commerce gives exceptionally good cover for spear phishing hackers because they typically rely on impersonation — which is harder to do when everyone is in a single office.

For instance, many e-commerce companies rely on multiple independent entities, such as fulfillment houses, payment card processors and call centers. These companies may also employ contractors like work-at-home customer service representatives. It is difficult for an employee at one entity to know for sure whether an email sender is actually affiliated with one of the other links in the e-commerce chain.

Here are some examples of how a spear phishing attack can take place in e-commerce: Don runs a department in an e-commerce company. One Friday afternoon, Don gets an email from Sally, his manager, over Gmail, explaining that she is on the road and needs him to look at an Excel spreadsheet ASAP! Or, Don gets an order from Sally’s Gmail asking him to pay an Indonesian supplier right away — using the attached wiring instructions. Perhaps Don gets an email from Sally explaining that he needs to send her a list of employee social security numbers so the IT department can test a new HR system right now, so it can go live immediately!

The hierarchical nature of Don’s relationship with Sally may cause him to lower his guard and not question the urgent requests. What he doesn’t realize is that “Sally” is a hacker using a Gmail address that looks similar to Sally’s. The hacker has also checked out Sally’s social media presence so he can drop names of coworkers and projects as a way to come across as the “real” Sally. However, the Excel document is a vector for malware injection. The Indonesian supplier is fake. There is no new HR system. These are all possible ways that a spear phishing attack can gain access to confidential information or funds.

Business Impact

The potential business impacts from spear phishing in e-commerce are quite serious. Breaches of customer data are costly and embarrassing. There are notifications that must be made, identity protection services offered and potential lawsuits to be dealt with.

Outright theft is a risk too. Hackers often use customer information to fraudulently order merchandise from the very e-commerce company they stole the information from! These look like legitimate orders from repeat customers with a new or gift address but the actual merchandise is “reshipped” abroad.

Additional risks of business disruption and reputation damage:

  • Massive losses of potential revenue for slow or broken sites.
  • Damage to the e-commerce brand.
  • Fines of between $50 and $90 for each cardholder record that is compromised. Hacked companies that are bound by PCI policy face potential fines for data breaches… even if they are completely compliant.

The costs can run into tens of millions of dollars.

Phishing and Spear Phishing Solutions

The biggest challenge in defending against phishing and spear phishing is that standard email security software like spam filters is not generally effective against the threat. Spear phishing email messages don’t follow the patterns that mark a message as spam. If a phishing message contains a URL, it may appear benign. In many cases, spear phishing attackers send URLs that don’t point to any obvious malware sources. After the URL has passed through the filter at the email server level, however, the hacker may redirect it to malware — making the recipient vulnerable.

Vade Retro is pioneering a new type of anti-phishing countermeasure that can protect e-commerce businesses. It’s a defense that can be layered on top of existing email security software. Vade Retro employs heuristic analysis to spot spear phishing emails, protecting employees from threats even when the threat is literally inside the firewall on the email server. The solution has been “trained” to detect suspicious emails based on an analysis of hundreds of millions of emails over a ten-year period. It has created numerous rules using this kind of artificial intelligence to screen inbound messages.

Vade Retro also looks at each URL included in an email the instant an employee clicks on the link, safely exploring it in a remote sandboxed environment to see if it contains any malware or malicious code. This averts the problem of phishers sending clean links that they later point to malicious URLs. Proprietary processes spot one-off spear phishing attacks by matching the style and technical indicators of the claimed sender of any given email with known information about the actual sender.
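As an added illustration of the sender-matching idea described above (example code written for this page, not Vade Retro's product logic), the Python below flags a message whose display name belongs to a known colleague but whose address is not in the directory, whose local part is a near-match to a trusted one, or whose Reply-To routes replies to a different domain. The contact directory and sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed directory for the example: lower-cased display name -> legitimate addresses.
# A real deployment would load this from the company's identity directory.
KNOWN_SENDERS = {
    "sally jones": {"sally.jones@example-shop.com"},
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot near-identical local parts (sally.jones vs sa11y.jones)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_sender(headers: dict) -> list:
    """Return findings for the From/Reply-To headers of one message (empty list = no concern)."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    local, _, domain = addr.partition("@")
    trusted = KNOWN_SENDERS.get(name.strip().lower(), set())
    if trusted and addr not in trusted:
        # The display name belongs to a known colleague but the address does not.
        findings.append(f"display name '{name}' used from unlisted address {addr}")
    # Any address whose local part is within two edits of a trusted one is a lookalike
    # (covers the freemail copy of a colleague's address as well as typo-squatted spellings).
    for addrs in KNOWN_SENDERS.values():
        for t in addrs:
            tl = t.partition("@")[0]
            if addr != t and levenshtein(local, tl) <= 2:
                findings.append(f"lookalike sender {addr} resembles {t}")
    # A Reply-To that sends replies to another domain is a classic impersonation tell.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.lower().partition("@")[2] != domain:
        findings.append(f"Reply-To domain differs from From domain: {reply}")
    return findings

if __name__ == "__main__":
    # Constructed headers modelled on the "Sally over Gmail" scenario.
    for f in assess_sender({"From": "Sally Jones <sally.jones@gmail.com>"}):
        print(f)
```

Such checks only cover the sender-identity part of the problem; the attachment and time-of-click URL analysis described above are separate layers.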

Give us a call at 415-745-3630 or contact us, if you want to discuss how you can quickly add anti-phishing measures to your current email setup.