Online Shopping Phenomenon and the Risks Involved

Black Friday sale is a big deal for the U.S. consumers, to a point that they spent tens of billions of dollars just in one day Pre-Christmas. This phenomenon for the lack of better term has enhanced the utilization of e-commerce compared to brick and mortar stores, the later declining due to the convenience of the former. E-commerce is great for online shopping stores, especially giant retail online stores such as Amazon. They get record number of sales in this special Monday compared to other days of the year, except for the Christmas buying rush. However, convenience is a natural enemy of security. As we improve online shopping, making it very convenient, it also poses a huge risk, as where the money goes, the criminals will follow.

It is known that cyber attacks today are no longer for that elusive 5 minutes of fame, and cyber attackers are less likely to target their victims just to vandalize their system. Money is the prime motivation for them to focus their attention against an individual, an organization or in the case of big shopping sprees, the shoppers themselves. The practicality of committing a real-world physical crime, like theft/shoplifting has subsided, due to the proliferation of CCTVs and IP cams in business establishments. The watchful eye of these cameras effectively deters any attempts of theft.

However, that is not the case for cybercrime. A simple script attached to a website can trigger execution of a malicious code in an unpatched web browser. This has been a problem since two decades ago, in the days of ActiveX controls and BHO’s (Browser Helper Objects) of the late 90s to early 2000s. That same issue exists today, with a different technology being exploited: Web Assembly. As defined by Mozilla, web assembly is “a new type of code that can be run in modern web browsers — it is a low-level assembly-like language with a compact binary format that runs with near-native performance and provides languages such as C/C++ with a compilation target so that they can run on the web. It is also designed to run alongside JavaScript, allowing both to work together.”

Malicious code is not the only risk on the Internet, equally dangerous is the growth of phishing. It is very easy to register a bogus domain name, build a genuinely looking website similar to a bank, but only collects username and password. With enough skill in social engineering, the threat actor can send the target victim an authentic-looking email, complete with logos and brand identity, duping the victims into the belief that the message came from a reputable source. A simple click on the link in the phishing email can trigger malware infection, taking advantage of the browser’s very powerful Web Assembly functionality.

The potential profitability of malware and other cyber attacks have been proven, hence it will continue indefinitely. It is like a virtual cat and mouse chase of our digital life, as vendors patch a certain vulnerability in their product, that same patch will be decompiled by cybercriminals. In turn, once they determine the weakness addressed by the patch, they will create a weaponized code that will, in turn, attack the unpatched systems. The cherry on top is the lack of sense of urgency on the part of many system administrators, as they delay installation of software and firmware patches for their hardware. One day of delay means another day for a chance to get hacked, infected with malware and becoming the next victim of ransomware.

The bottom line, cyber defense is the responsibility of everyone. From the end-user needing enough training, to make themselves aware of the risks, to the online shoppers to be alert of all transactions they make, to the system administrators that keep the systems working.