An EASM blog from Detectify

How to “winterize” and secure your eCommerce website for the holidays

November 17, 2020

With online retailers and shoppers busy focusing on the upcoming holiday shopping season, cybercriminals are on the hunt for unsuspecting victims to defraud. Don’t worry; there’s still time to beef up your eCommerce website security and get a full picture of your attack surface before Black Friday so you can #SellSafe all winter long.

As more people are working from home due to the COVID-19 pandemic, it’s no surprise that experts predict the growing online shopping trend to last through the end of the year and even make up for lost revenue from in-store sales this holiday season. In the US, online sales are expected to grow and reach $1.013 trillion in the last 2 months of 2020.

Yet optimistic online sales forecasts are no reason to let your guard down. In fact, Europol is specifically targeting e-commerce retailers instead of shoppers this year in their #SellSafe awareness campaign ahead of Black Friday.

To protect your web store—and your customers—Detectify recommends “winterizing” your eCommerce website before the holiday shopping rush by:

Why it’s important to “winterize” your web store before Black Friday

Winterizing your home against freezing temperatures and inclement weather is an annual ritual for many people living in cold northern climates. Each fall, homeowners perform small chores to prevent damage from ice and snow and to help ensure their families stay warm and toasty throughout the winter.  

Although online storefronts don’t need to worry about frozen pipes bursting or drafty windows and doors, unpatched vulnerabilities on your website can quickly derail a successful holiday sales campaign, hurt your customers, and tarnish your reputation if you get hacked. 

Detectify Crowdsource security researchers have a knack for hunting security bugs in Content Management Systems (CMS). Magento is one of the tools that we have automated security testing for. Here is some additional advice from our researchers as tech organizations rush to prepare for shopping mania:

What you can do before the doorbusters start

So what can you do right now to get ahead of would-be attackers and secure your eCommerce site before the winter e-shopping traffic surge?

Upgrade and patch your platform

If you’re using an eCommerce platform like Magento, WooCommerce, or Shopify to run your online store, the first thing you should do is to make sure you’re running the latest version of the platform and install any software updates from the vendor. Vendors usually include security patches in their software updates to fix new vulnerabilities that could be exploited.

Updating your software may seem like common sense, but it can be all too easy to overlook installing a security patch when you’re already busy trying to keep your site up and running. For example, over 2,800 eCommerce websites running an outdated version of Magento were hacked this past September alone.

Luckily, most eCommerce platforms make it easy to install upgrades and patches from their admin dashboards, so there’s very little reason not to upgrade. This, of course, is only the bare minimum for securing your site. All this work could be for nothing if the default admin credentials are still in use, so besides installing software updates, double-check that you:

  • Use a strong password
  • Add multi-factor authentication
  • Manage your admin panel

Fix common web server misconfigurations

If you’re responsible for maintaining the web server yourself, be sure to also check and fix any weak configurations. Leaving unnecessary default or sample configuration files, scripts, and webpages on your web server is dangerous because attackers can use these assets to gain more privileged access throughout your site. Failing to lock down these easy-to-fix misconfigurations is like leaving your door wide open for an attacker to walk in.

For example, Detectify Crowdsource recently identified several common misconfigurations for Nginx, one of the most popular web servers for high-traffic websites, including thousands of eCommerce sites worldwide.

Scan for vulnerabilities

If you don’t have time to manually check for misconfigurations and other vulnerabilities on your website before Black Friday, Detectify can help you discover and fix the latest vulnerabilities with research sourced by Detectify Crowdsource, an exclusive global network of top-ranked security researchers. You can check for vulnerabilities that target common CMS tools such as WordPress, Drupal, Joomla!, Magento, and more.

You own more assets than you sell

Besides scanning for vulnerabilities on the assets you know you have, you should take stock of your entire attack surface by getting a complete picture of all the assets and entry points on your website. After all, how can you protect something you didn’t even know you had?

For example, you may have a subdomain that you created to point to third-party services for tracking a seasonal campaign. Once the campaign is over, you might forget about the subdomain and the third-party connection. When an attacker takes over your unused subdomain, they can effectively hijack any subdomain they want without your knowledge.
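The forgotten-campaign scenario above can be checked for in your own DNS zone. This is an added example, not Detectify’s code: given the zone’s CNAME records and a resolver, it flags subdomains whose third-party target no longer resolves (the classic dangling-record signal). The zone data and the stand-in resolver below are constructed; the hostnames are placeholders.

```python
"""Flag dangling CNAME records that may allow subdomain takeover."""
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample zone: a seasonal campaign subdomain still points at a
# third-party hostname that was deleted when the campaign ended.
SAMPLE_CNAMES: Dict[str, str] = {
    "shop.example.com": "shop-prod.cdn-provider.example.net",
    "winter2019.example.com": "winter-campaign.tracking-vendor.example.org",
    "blog.example.com": "hosted-blog.platform.example.io",
}

# Constructed stand-in for DNS: the targets that still resolve to an address.
SAMPLE_RESOLVABLE: Dict[str, str] = {
    "shop-prod.cdn-provider.example.net": "203.0.113.10",
    "hosted-blog.platform.example.io": "198.51.100.5",
}


def sample_resolver(name: str) -> Optional[str]:
    """Offline resolver for the constructed data; None means NXDOMAIN."""
    return SAMPLE_RESOLVABLE.get(name)


def live_resolver(name: str) -> Optional[str]:
    """Real lookup via the system resolver; None on any resolution failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def find_dangling(cnames: Dict[str, str],
                  resolve: Callable[[str], Optional[str]]) -> List[str]:
    """Return the subdomains whose CNAME target does not resolve.

    A non-resolving target is only the most obvious signal. Some providers
    keep the name resolving but serve a "no such site" page instead, which
    needs provider-specific fingerprints and is not covered here.
    """
    dangling: List[str] = []
    for subdomain, target in sorted(cnames.items()):
        if resolve(target) is None:
            dangling.append(subdomain)
    return dangling


if __name__ == "__main__":
    for name in find_dangling(SAMPLE_CNAMES, sample_resolver):
        print(f"dangling CNAME: {name} -> {SAMPLE_CNAMES[name]}")
```

Swap `sample_resolver` for `live_resolver` and feed it an export of your real zone to run it against your own records; anything it reports should be deleted or repointed before the campaign season starts.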

Asset Monitoring from Detectify identifies additional assets and entry points that you might not even be aware of. These could include the following:

  • Sensitive file exposure
  • Secrets exposed in page responses, including API keys & passwords
  • Single request/response tests for XSS, SSRF, and RCE vulnerabilities
  • Path traversal
  • Exposure of data through internal software (e.g., monitoring)
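The second item in the list, secrets leaking in page responses, is something you can spot-check yourself. This is an added example, not Detectify’s tooling: it runs a handful of regex patterns over captured response bodies and reports matches with the value redacted so the report itself does not leak the secret. The responses and the key values are constructed (the AWS key is the documented placeholder from AWS’s own examples); the patterns are assumptions and will need tuning for false positives.

```python
"""Scan captured HTTP response bodies for exposed API keys and passwords."""
import re
from typing import Dict, List, Pattern, Tuple

# Assumed patterns; real scanners carry many more and tune them per site.
PATTERNS: Dict[str, Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"""(?i)\b(api[_-]?key|apikey)['"]?\s*[:=]\s*['"]([A-Za-z0-9_\-]{16,})['"]"""),
    "password_literal": re.compile(
        r"""(?i)\bpassword['"]?\s*[:=]\s*['"]([^'"]{6,})['"]"""),
}

# Constructed sample responses, keyed by request path.
SAMPLE_RESPONSES: Dict[str, str] = {
    "/": "<html><body><h1>Winter sale</h1></body></html>",
    "/static/app.js": (
        'const config = {apiKey: "ak_live_3f9c2b7d8e1a4c6f"};\n'
        "// TODO remove before release: AKIAIOSFODNN7EXAMPLE\n"
    ),
    "/checkout": '<script>window.cfg = {"password": "hunter2hunter2"}</script>',
}


def redact(value: str) -> str:
    """Keep only a short prefix so the finding can be triaged but not reused."""
    return value[:4] + "..."


def scan_response(body: str) -> List[Tuple[str, str]]:
    """Return (pattern name, redacted value) for every match in one body."""
    findings: List[Tuple[str, str]] = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(body):
            # Capturing group (if any) holds the secret; group 0 otherwise.
            secret = m.group(m.lastindex or 0)
            findings.append((name, redact(secret)))
    return findings


def scan_site(responses: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Scan every captured response; only paths with findings are returned."""
    report = {path: scan_response(body) for path, body in responses.items()}
    return {path: hits for path, hits in report.items() if hits}


if __name__ == "__main__":
    for path, hits in scan_site(SAMPLE_RESPONSES).items():
        for name, value in hits:
            print(f"{path}: {name} ({value})")
```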

Imagine if you left the side door to your attached garage unlocked because you hardly ever used it. Even if an intruder cannot get into your house from the garage, they could still make off with other valuables (like your car!). And of course, it happens on that one day you forgot to check!

Similarly, you own more assets than the products you sell in your web store. All of the web assets that make up your online store and keep it running are just as crucial to your business’s success as the items in your shoppers’ carts and need to be secured. 

To learn more about how Asset Monitoring can help you keep cybercriminals from crashing your holiday doorbusters this winter, book a free demo.

Now you’re ready to #SellSafe

Keeping your eCommerce website up and running during the busy holiday shopping season is stressful enough already. The coming spike in traffic to your virtual storefront can be a boon for business but also a curse if you aren’t prepared. With cybercriminals taking advantage of distracted shoppers and retailers alike, it’s important to “winterize” your site by upgrading your software, installing security patches, fixing common misconfigurations, and detecting and fixing vulnerabilities across your entire attack surface.

Running a vulnerability scan is like automated winterization for your eCommerce website and can help you quickly find and remediate over 2,000 vulnerabilities before an attacker can exploit them. In the spirit of Black Friday and the holiday season, we’re also eager to offer you a deal if you’re ready to give Detectify a try today.