December 22, 2021 By David Bisson 2 min read

The number of malicious shopping-related websites increased 178% ahead of the 2021 holiday shopping season, according to Check Point Research. See how to recognize and prevent e-commerce fraud.

A spike in e-commerce fraud websites

Beginning in October, Check Point Research observed an average of 5,300 malicious e-commerce fraud websites emerge each week. That marks a rise of 178% compared to the average for the rest of the year.

The impact of those websites also began to pick up in that period. Earlier in the year, the sites affected one of 352 corporate networks. That impact rose to one in 47 in October. At the beginning of November, it was one in 38.

Those websites involved various types of malicious activity. In one attack campaign, for instance, Check Point Research witnessed malicious actors send out emails advertising “Cheap HandBags” and “Up to 80% OFF Michael Kors HandBags”. Those e-commerce fraud emails contained a link to similar websites hosted on or around Oct. 19.

Another attack campaign sent out a fake “Urgent notice” from an online retailer. The email informed the recipient that the online retailer had failed to renew their account. It contained a link that redirected recipients to a website designed to steal their account credentials.

What e-commerce attacks mean for security

Over the course of 2021, Imperva observed that bot attacks on retail websites increased 13% compared to the same months in the previous year.

Over half (57%) of those attacks on e-commerce websites involved bots, the security firm found. By comparison, bots were behind just a third of attacks on the sites of other industries in 2021.

Bots weren’t the only drivers of e-commerce fraud in 2021, either. At the beginning of December, for instance, Bleeping Computer reported that attackers were using a threat called NginRAT to target the remote access capabilities provided by Nginx servers and to conduct server-side attacks for the purpose of stealing users’ payment card data.

NginRAT appeared on e-commerce servers in North America and Europe that digital attackers had previously infected with CronRAT.

Looking ahead, the rest of the 2021 holiday season isn’t expected to improve for shopping-related websites. Per Zscaler, security researchers estimate that HTTPS threats on e-commerce platforms will grow 314% through the rest of the year.

How to defend against e-commerce fraud this holiday season

In response to the attacks discussed above, organizations can use security awareness training to educate employees about potentially malicious e-commerce websites.

Teams can focus on cultivating their employees’ suspicions of lookalike domains pretending to be retailer websites, holiday shopping offers that appear too good to be true and password reset emails that arise out of nowhere.

In addition, adopt a multifaceted approach to endpoint security that monitors for inappropriate device behavior and controls access to resources. Such methodology can help you quickly respond to instances of malicious e-commerce sites carrying ransomware or other types of digital threats.

More from News

Insights from CISA’s red team findings and the evolution of EDR

3 min read - A recent CISA red team assessment of a United States critical infrastructure organization revealed systemic vulnerabilities in modern cybersecurity. Among the most pressing issues was a heavy reliance on endpoint detection and response (EDR) solutions, paired with a lack of network-level protections. These findings underscore a familiar challenge: Why do organizations place so much trust in EDR alone, and what must change to address its shortcomings? EDR’s double-edged sword A cornerstone of cyber resilience strategy, EDR solutions are prized for…

DHS: Guidance for AI in critical infrastructure

4 min read - At the end of 2024, we've reached a moment in artificial intelligence (AI) development where government involvement can help shape the trajectory of this extremely pervasive technology. In the most recent example, the Department of Homeland Security (DHS) has released what it calls a "first-of-its-kind" framework designed to ensure the safe and secure deployment of AI across critical infrastructure sectors. The framework could be the catalyst for what could become a comprehensive set of regulatory measures, as it brings into…

Apple Intelligence raises stakes in privacy and security

3 min read - Apple’s latest innovation, Apple Intelligence, is redefining what’s possible in consumer technology. Integrated into iOS 18.1, iPadOS 18.1 and macOS Sequoia 15.1, this milestone puts advanced artificial intelligence (AI) tools directly in the hands of millions. Beyond being a breakthrough for personal convenience, it represents an enormous economic opportunity. But the bold step into accessible AI comes with critical questions about security, privacy and the risks of real-time decision-making in users’ most private digital spaces. AI in every pocket Having…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today