
E-Commerce Emilee King

Post on 01-Jan-2016

Page 1: E-Commerce Emilee King. Introduction Ecommerce.About.com defines e-commerce or electronic commerce as “Transacting or facilitating business on the Internet

E-Commerce Emilee King

Page 2

Introduction

• Ecommerce.About.com defines e-commerce or electronic commerce as “Transacting or facilitating business on the Internet.”

• Growing use due to convenience and cost differences, both for customers and for business owners.

• According to Prosper Insights & Analytics, 34% of Americans say that they completed 50% or more of their shopping online—that’s a 99% increase from the 2006 shopping season.

Page 3

Web Spoofing

• Web spoofing is when an attacker builds a website that looks like the site the user believes they are visiting, so the user hands the hoax site all of their information thinking it is the site they intended to reach.

• Most of these websites rely on the user accidentally mistyping the address of the site they wanted to visit, or result from the attacker sending fake emails saying the user needs to reset their password or verify their information.

Page 4

eBay’s Problem with Web Spoofing

• Classified ads on eBay are being exploited by modifying the listings with JavaScript redirects and proxies.

• JavaScript embedded within the item's description will automatically redirect the victim's browser to the attacker's website.

• The victim is completely unaware and usually gives the scammer money.

Page 5

How Is eBay Handling This?

• Essentially, they aren’t.

• Since the scams are happening in the classified section, the buyers and sellers are not protected by eBay.

• eBay put a new clause in their terms and conditions stating that users are not allowed to use JavaScript in their listings, so a user gets banned if they are caught.

• Since the scammers use compromised accounts, eBay ends up banning someone who just had their password stolen.

Page 6

How Easy Is This To Fix?

• Pretty darn easy.

• Seriously, just Google “How to secure an iframe”.

• eBay would rather append their terms and conditions than fix the problem.
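As an added example (not from these slides or from eBay), here are the two defensive pieces the last three slides point at, in plain Node.js: a submission-time lint that flags active content such as the JavaScript redirects described above, and a sandboxed iframe wrapper for rendering seller HTML so that anything the lint misses still cannot run script or navigate the page. The regexes are a coarse first filter, not an HTML parser; the function names and sample listings are constructed for this example.

```javascript
// Coarse patterns for active content in user-supplied listing HTML.
// A real deployment would pair this with a proper HTML sanitizer (assumption).
const ACTIVE_CONTENT_PATTERNS = [
  { name: 'script-tag',       re: /<\s*script\b/i },
  { name: 'event-handler',    re: /\son[a-z]+\s*=/i },          // onload=, onerror=, ...
  { name: 'javascript-url',   re: /(href|src|action)\s*=\s*["']?\s*javascript:/i },
  { name: 'meta-refresh',     re: /<\s*meta\b[^>]*http-equiv\s*=\s*["']?refresh/i },
  { name: 'iframe-or-object', re: /<\s*(iframe|object|embed)\b/i },
];

// Returns the names of every pattern that matched, in definition order.
// An empty array means the lint found nothing to object to.
function flagActiveContent(listingHtml) {
  return ACTIVE_CONTENT_PATTERNS
    .filter(p => p.re.test(listingHtml))
    .map(p => p.name);
}

// Wraps listing HTML in an <iframe srcdoc> whose sandbox attribute grants
// nothing: no allow-scripts, no allow-top-navigation, no allow-forms.
// An empty sandbox="" is the most restrictive setting the attribute offers,
// so an embedded script cannot execute and cannot redirect the parent page.
function sandboxedListingFrame(listingHtml) {
  // Only & and " need escaping inside a double-quoted attribute value.
  const escaped = listingHtml.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<iframe sandbox="" srcdoc="${escaped}" title="Seller description"></iframe>`;
}

// Constructed sample listings, not taken from any real site.
const benignListing = '<p>Vintage camera, <b>working</b> condition.</p>';
const redirectingListing =
  '<p>Great deal!</p><script>top.location="https://example.invalid/pay";</script>';
const sneakyListing =
  '<img src=x onerror="location.href=\'https://example.invalid\'">';

// Runs the lint over the samples and returns the findings keyed by name.
function lintSamples() {
  return {
    benign: flagActiveContent(benignListing),
    redirecting: flagActiveContent(redirectingListing),
    sneaky: flagActiveContent(sneakyListing),
  };
}
```

The lint belongs at listing submission time, where a hit can be reviewed before a compromised account is simply banned; the sandbox belongs at render time, where it holds even for listings the lint misses.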

Page 7

Denial of Service Attacks

• Standard DDoS attacks

• Smokescreen DDoS attacks

• New Amplified DDoS attacks

Page 8

Standard DDoS Attacks

• E-commerce sites are hurt by DDoS attacks through loss of revenue, damage to the company’s brand image, and damage to the company’s relationship with its customers.

• Attackers tell botnets to contact a specific server or Web site repeatedly.

• This can generate enough traffic to slow the site or in some cases take the site offline.

Page 9

Amazon and DDoS

• In 2009, major e-commerce sites such as Wal-Mart and Amazon were targets of a DDoS attack that took their sites down for an hour.

• It’s just an hour right? How much can a business lose for not selling things for an hour?

• When Amazon went down for just 40 minutes last year, Forbes estimated the online retail giant lost $66,240 per minute, totaling nearly $2 million.

Page 10

Amazon’s Solution

• Elastic Infrastructure or EC2

• Designed to automatically scale to handle giant traffic spikes.

• Proven effective when the hacktivist group Anonymous attempted a DDoS attack after Amazon stopped hosting WikiLeaks following the leak of US documents.

Page 11

Smokescreen DDoS

• Shorter but more intense attacks; this kind of attack is not intended to take the site down.

• While IT staff are distracted dealing with the DDoS attack, they are not monitoring everything else for a breach. So criminals come in and steal private data and intellectual property, and in some cases delete information from organizations’ servers.

• In one case, crooks used DDoS to help steal bank customers’ credentials and drain $9 million from ATMs in just 48 hours.
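As an added example (not from these slides), the following Node.js correlation pass over constructed flow records illustrates the point of the Standard DDoS and Smokescreen slides together: the flood detector and the outbound-transfer detector run independently per time window, so a large transfer during a flood is still raised, and the flood only increases its severity. The thresholds, the 10.x.x.x internal range, and every address are assumptions made up for the sample.

```javascript
const WINDOW_SECONDS = 10;
const FLOOD_THRESHOLD = 50;       // inbound requests per window we call a flood (assumed)
const EXFIL_THRESHOLD = 5000000;  // outbound bytes per window from one internal host (assumed)

// Assumption for the sample: anything in 10.0.0.0/8 is "inside".
function isInternal(host) { return host.startsWith('10.'); }

// Buckets records {t: seconds, src, dst, bytesOut} into fixed windows and
// evaluates both detectors in every window, never skipping one for the other.
function analyzeFlows(records) {
  const windows = new Map();
  for (const r of records) {
    const w = Math.floor(r.t / WINDOW_SECONDS);
    if (!windows.has(w)) windows.set(w, { inbound: 0, outbound: new Map() });
    const bucket = windows.get(w);
    if (isInternal(r.dst) && !isInternal(r.src)) bucket.inbound += 1;
    if (isInternal(r.src) && !isInternal(r.dst)) {
      bucket.outbound.set(r.src, (bucket.outbound.get(r.src) || 0) + r.bytesOut);
    }
  }
  const alerts = [];
  for (const [w, b] of [...windows.entries()].sort((a, c) => a[0] - c[0])) {
    const flood = b.inbound >= FLOOD_THRESHOLD;
    if (flood) alerts.push({ window: w, type: 'ddos-flood', inbound: b.inbound });
    for (const [host, bytes] of b.outbound) {
      if (bytes >= EXFIL_THRESHOLD) {
        // The transfer check does not depend on the flood; the flood only
        // changes the label, which is the smokescreen case the slides describe.
        alerts.push({ window: w, type: flood ? 'exfil-during-flood' : 'exfil', host, bytes });
      }
    }
  }
  return alerts;
}

// Constructed sample: 60 junk requests from outside addresses in window 0,
// one internal host pushing 8 MB outward during that same window, and a
// quiet window later with only a small transfer.
function sampleFlows() {
  const flows = [];
  for (let i = 0; i < 60; i++) {
    flows.push({ t: i % 10, src: `203.0.113.${i % 50}`, dst: '10.0.0.5', bytesOut: 200 });
  }
  flows.push({ t: 4, src: '10.0.0.20', dst: '198.51.100.7', bytesOut: 8000000 });
  flows.push({ t: 25, src: '10.0.0.20', dst: '198.51.100.7', bytesOut: 1000 });
  return flows;
}
```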

Page 12

New Amplified Attacks

• http://youtu.be/BcDZS7iYNsA?t=5m40s

• CloudFlare’s data centers were recently attacked, with the attack reaching a bandwidth of 400 gigabits per second.

Page 13

Why This Matters

• E-Commerce is now a common practice and it’s not going to go away.

• We need to be able to build secure sites, or fix existing ones, to avoid eBay’s problem, or work on solutions like EC2.

Page 14

References

• Clay, K. (2013, August 19). Amazon.com Goes Down, Loses $66,240 Per Minute. Retrieved from Forbes: http://www.forbes.com/sites/kellyclay/2013/08/19/amazon-com-goes-down-loses-66240-per-minute/

• Drenik, G. (2014, February 03). Year Of Reckoning For Brick And Mortar Retailers. Retrieved from Forbes: http://www.forbes.com/sites/prospernow/2014/02/03/year-of-reckoning-for-brick-and-mortar-retailers/

• Invesp. (2011, July 18). How Big Is E-commerce Industry. Retrieved from Invespsoft: http://www.invespsoft.com/blog/ecommerce/how-big-is-ecommerce-industry.html

• Lemos, R. (2013, September 9). Countering Attacks Hiding In Denial-Of-Service Smokescreens. Retrieved from Dark Reading: http://www.darkreading.com/analytics/threat-intelligence/countering-attacks-hiding-in-denial-of-service-smokescreens/d/d-id/1140474?

• Mello, J. J. (2014, February 12). Hackers Perfectly Time Largest DDoS Attack Ever. Retrieved from E Commerce Times: http://www.ecommercetimes.com/story/79965.html

• Mutton, P. (2014, April 28). Fraudsters modify eBay listings with JavaScript redirects and proxies. Retrieved from NetCraft: http://news.netcraft.com/archives/2014/04/28/fraudsters-modify-ebay-listings-with-javascript-redirects-and-proxies.html

• Neustar. (2014, April 28). Smokescreening: Data Theft Makes DDoS More Dangerous. Retrieved from CircleID: http://www.circleid.com/posts/20140428_smokescreening_data_theft_makes_ddos_more_dangerous/

• Time. (1999, December 27). 1999 Person of the Year. Retrieved from Time.com: http://web.archive.org/web/20000408032804/http://www.time.com/time/poy/bezos5.html