An eCommerce Website Threat Checklist
Attacker Motivation
In coming up with this checklist, I found it helpful to consider possible attacker motives. The kinds of things an attacker is likely to do, and the amount of effort they put in, will depend on their motives. The main motives I've observed fall into a few major categories:
- Direct monetary gain, by stealing information, money, products or services
- Indirect monetary gain, by using the site as a "stepping stone" to steal information, money, products or services from someone else.
- Indirect monetary gain, by attempting to drive a competitor out of business.
- Revenge or hatred for real or perceived wrongs.
There is one other very interesting and ironic motivation I've encountered: the wish to help the website financially using other people's money. I've seen this as:
- Generating clicks on advertisements placed on the website with the intention of earning the site additional advertising revenue. (This can backfire badly as the advertiser or advertising network may drop the website because the clicks are perceived to be of low value, or because the clicks are assumed to be a crude attempt at fraud by the website owner).
- Donating to the website using stolen credit card details. (This will generate substantial charge-back costs when the credit card owner notices the transaction and disputes the charge, as well as the loss of payment processing if the fraud rate is too high.)
In practice, it's not possible to separate this motivation from the third or fourth motives listed above (driving a competitor out of business, or revenge).
Note that although this list concentrates on website issues, the method of attack is not necessarily web-based. For example, it may involve phishing emails or social engineering.
Compromise of a customer's credentials
If a website has customer accounts, some of them will be compromised. Then it is possible to:
- Place orders for delivery elsewhere (theft)
- Place orders as a nuisance to the customer (e.g. order a truck full of sand to be deposited on the customer's driveway)
- Use information to impersonate the user elsewhere (e.g. last 4 digits of credit card)
- Maliciously change password, email address, etc.
- Maliciously close account
Compromised third party vendor's credentials
If a website has third party vendors, their accounts may be compromised. Then it is possible to:
- Remove or modify product listings
- Modify product pricing
- Modify vendor details to change payment information (steal payments)
- Maliciously change password, email address, etc.
- Maliciously close account
In addition, an improperly vetted third party vendor has the ability to destroy the reputation of the website owner by failing to deliver products in a timely manner, or at all.
Compromised affiliate credentials
If a website has an affiliate advertising system, it's open to attack:
- Modify payment details (steal affiliate payments)
- Place orders with stolen credit card or customer data to generate affiliate payments (fraud)
- Surreptitiously place affiliate cookies on customers' browsers to generate affiliate payments for purchases for which the affiliate was not responsible (fraud)
Compromised website code
The classic website hack involves obtaining the ability to read or modify the website's code or databases.
- Modify site to steal credit card information
- Modify site to redirect users elsewhere (typically to install malware)
- Modify site to steal advertising revenue
- Steal customer credit card data
- Steal customer email addresses, usernames, and passwords
- Modify prices to allow customers to buy stuff cheaper
- Modify delivery addresses to deliver products to other address
- Modify logic to allow credit card payments without payment authorization
- Corrupt site operation to cause orders to be deliberately lost
- Use authorization logic to vet stolen credit card data
- Delete code, databases, backups etc. out of malice
- Place a new page on the website (sometimes to make a point about a perceived wrong, but often just to show off).
Denial of Service Attacks
These attempt to overload either systems or people to prevent normal operations from taking place, or to serve as a distraction while other attacks are taking place.
- DDoS attacks against the website or its infrastructure to overload resources and prevent their use.
- Create fake customers and fake orders to make it difficult to distinguish between valid and invalid orders.
- Bombard customer service email addresses with fake emails to make it difficult to distinguish real customer inquiries from fake ones.
- Bombard customer service phone numbers with fake phone calls to prevent customer service representatives from answering real customers.
- Forge emails to suppliers with requests to terminate accounts, etc.
- Forge spam emails which appear to come from the website in order to generate complaints and problems with mail handling.
Financial attacks
These attacks are, with a few exceptions, an attempt to drive up the cost of running the website.
- Click on ads (placed on site) to destroy relationship with advertisers
- Click on ads (placed by site) to drive up advertising costs
- Use stolen credit card data to place orders and generate charge-back costs.
- Use stolen credit cards to give donations and generate charge-back costs. (This may either be an attempt to test the validity of stolen credit card data or an attempt to give stolen money to the website. Unfortunately the effect is the same).
- Conduct denial of service attacks to force the website to use more expensive infrastructure than would otherwise be required.
- Release customer data to trigger legislative fines in certain jurisdictions.
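The checklist mentions stolen card data being vetted through a site's authorization logic and through donations. The following sketch is an added example, not code from the original article: it flags that pattern in payment-authorization records. The record fields, the thresholds and the sample data are all assumptions, and the input is assumed to cover a single time window such as one hour.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthAttempt:
    source: str        # client IP or session id (assumed log field)
    card_fp: str       # tokenised card fingerprint, never the card number
    amount_cents: int
    approved: bool     # result returned by the payment processor

# Illustrative thresholds (assumptions); tune against real traffic.
MIN_DISTINCT_CARDS = 4
MIN_DECLINE_RATIO = 0.5
SMALL_AMOUNT_CENTS = 500
MIN_SMALL_SHARE = 0.8

def flag_card_testing(attempts):
    """Map each suspicious source to the reasons it was flagged.

    `attempts` is assumed to cover a single time window, e.g. one hour."""
    by_source = defaultdict(list)
    for a in attempts:
        by_source[a.source].append(a)
    flagged = {}
    for source, rows in by_source.items():
        cards = {r.card_fp for r in rows}
        if len(cards) < MIN_DISTINCT_CARDS:
            continue  # a customer retrying one or two cards is normal
        decline_ratio = sum(not r.approved for r in rows) / len(rows)
        small_share = sum(r.amount_cents <= SMALL_AMOUNT_CENTS for r in rows) / len(rows)
        reasons = [f"{len(cards)} distinct cards"]
        if decline_ratio >= MIN_DECLINE_RATIO:
            reasons.append(f"decline ratio {decline_ratio:.2f}")
        if small_share >= MIN_SMALL_SHARE:
            reasons.append("mostly small amounts")
        if len(reasons) > 1:  # many cards alone (e.g. an office NAT) is not enough
            flagged[source] = reasons
    return flagged

# Constructed sample data, not taken from any real system.
SAMPLE = (
    [AuthAttempt("203.0.113.7", f"fp-{i}", 100, i == 3) for i in range(5)]
    + [AuthAttempt("198.51.100.20", "fp-a", 4599, ok) for ok in (False, True)]
    + [AuthAttempt("192.0.2.50", f"fp-o{i}", 12900, True) for i in range(4)]
)

if __name__ == "__main__":
    for source, reasons in flag_card_testing(SAMPLE).items():
        print(source, "->", ", ".join(reasons))
```

Only the first source is flagged: the customer who retries one card after a decline and the shared address with several approved, full-priced orders both pass.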
Reputation Attacks
These attempt to destroy relationships with customers, vendors, legislators, and the public at large.
- Issue DMCA take-down requests with hosting companies, alleging copyright infringement, in an attempt to cause a shutdown or loss of a vendor relationship.
- Malicious posting in online forums alleging poor customer service or questionable behavior, in an attempt to drive customers away.
- Malicious posting of customer reviews alleging poor products.
- Post spam email which appears to originate from the website.
- Release customer data in order to destroy trust in the website and in its owner's ability to keep information confidential.
Insider Attacks
Insiders obviously have a better knowledge of how systems work than outsiders, and are capable of carrying out or assisting in any of the other attacks. They may also have privileged access which may allow them to:
- Sell customer lists (e.g. to competitors)
- Sell lists of customers who purchased specific items (e.g. to competitors, but also to sellers of complementary products).
- Sell personal details of customers (e.g. celebrities, blackmail targets, etc.)
What's Missing?
What have I missed? Please let me know and I'll add it to the list.