E-Commerce Security

Published on 02 Dec 2019

Updated on 02 Dec 2019

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.


Qoo10, Lazada, Carousell, eBay and Ezbuy. It is no surprise if these brands resonate with you; according to Statista, they were the five most visited e-commerce sites in Singapore in 2018. About 3.4 million Singaporeans shopped online in 2018, with electronics and media the leading product category. And by 2026, Singapore’s lucrative e-commerce market is expected to grow to $7.5 billion, according to a joint forecast by Google and Temasek.

However, e-commerce platforms have also become valuable targets for hackers, given that they hold large amounts of customers’ credit card details and personal information. Major online marketplaces from eBay to Taobao have fallen victim to hackers who compromised client databases, obtaining millions of sensitive records. Since most online retailers transact directly through their own websites, the importance of having secure platforms cannot be overstated. From a business standpoint, e-commerce firms risk their reputation if they do not take customer privacy seriously and protect their platforms with adequate measures; equally important is the need to educate online buyers so that they do not get duped by hackers or cybercriminals.



Lax security exposes shoppers’ profiles and orders, putting them at risk

Hackers tend to go after low-hanging fruit, such as unsecured websites and database servers with easy-to-guess passwords. This was the case for Chinese e-commerce giant Gearbest, which in early March 2019 was discovered to have used a completely unsecured server (without even a password) that exposed more than 1.5 million transactional records to the public. Payment information, products purchased, shipping addresses and customer personal information were among the data exposed. The open database also provided potential hackers with a constant supply of fresh, unencrypted sensitive data, allowing them to manipulate information to perform identity theft. The consequences of the breach proved to be especially severe for customers who had purchased adult toys in Pakistan, as this was prohibited by law and punishable by death. This was not the first time Gearbest was breached; in December 2017, hundreds of accounts were exposed in a credential stuffing attack where stolen account credentials were used to gain unauthorised access.


Third-party providers are potential weak links for e-commerce security

Magecart, a collective of at least seven cybercriminal groups, has gone from relative obscurity to orchestrating highly targeted credit card skimming attacks, hitting at least 800 e-commerce sites in the space of three years. Magecart targeted third-party software companies that build and provide code (JavaScript) that developers add to their websites to improve user experience. By altering that code, Magecart affected every website that the code ran on, stealing the credit card information of millions of users and putting it up for sale on underground forums. Magecart also targeted other third-party providers of analytics services, website support and content delivery to e-commerce sites, circumventing the organisations’ website security by hacking these trusted third-party suppliers.

Stolen credentials are highly valued, since users often reuse the same password across multiple sites; hackers can utilise the same set of credentials to access several e-commerce sites and grab anything from airline points to expensive merchandise. According to a 2018 report by cybersecurity firm Shape Security, over 90 per cent of e-commerce sites’ global login traffic came from attempted credential stuffing attacks.


Rise of malicious advertisements and bots hijacking the online journey of shoppers

So you think all the web traffic to your site is from humans? According to 2018 research by bot mitigation company Distil Networks, ‘bad bots’ (automated scripts and programs) accounted for 22.9 per cent of web traffic on e-commerce websites and nearly 40 per cent on ticketing websites. Bots can be programmed to perform a wide range of activities, including price scraping, brute-force password guessing attempts, holding items to create artificial scarcity, and distributed denial of service attacks, especially during peak shopping season on Black Friday and Cyber Monday to sabotage online retailers.


Cybercriminals may also employ malvertising – malicious advertisements (ads) – to target online shoppers. These invasive ads could be injected within legitimate websites, interrupting online shoppers in the form of product and banner ads or pop-ups intended to divert them to competitors or fraudulent sites. Malvertising derails user experience, damages brand equity and drives potential customers away. It has since evolved through the use of steganography (a technique used by hackers to hide malicious code within images to evade security solutions) and cost the digital ad industry US$1.13 billion in lost advertising revenue in 2018, according to researchers from ad security provider GeoEdge.

With malvertising quickly emerging as a popular means of monetisation for fraudsters, online retailers are taking action to wrestle back control of the customer journey. In September 2018, Amazon filed a lawsuit against a group of unidentified scammers that were allegedly deceiving consumers and eroding trust in its brand through a sophisticated and widespread malvertising campaign. According to Amazon, the scammers had intended to obtain personal information of consumers and generate revenue when consumers unknowingly clicked on fraudulent Amazon ads. The unusual lawsuit from Amazon, likely the first of its kind against malvertising, reflected its aggressive stance against fraudsters taking advantage of its brand and its move to safeguard its own growing advertising operations that had contributed to record profits in 2018.



As more Singaporeans turn to online shopping, it is important to practise good cyber hygiene and take the necessary precautions to secure your online transactions. Here are five quick and easy-to-remember tips to make your shopping experience safer and more secure:

  • Avoid public Wi-Fi and use secure websites “https://..”
  • Be vigilant against bogus sites, and offers that are too good to be true
  • Choose credit over debit cards and check your card statements regularly
  • Disable your browser’s autocomplete feature, don’t save your information
  • Enable 2FA for all online transactions


Visit the GoSafeOnline site for more information on how to protect yourself while shopping online.

SOURCES INCLUDE: CyberScoop, GeekWire, Quartz, TechCrunch, Tripwire and ZDNet