How to Improve Ecommerce Security and Reduce Operational Costs

It is not unrealistic to claim that the retail sector’s digitalization rate is at its peak as we stroll through 2024. And with digitalization at its peak, online businesses face a relentless increase in security risks. From malicious bots to advanced cyber attacks, robust protective ecommerce security measures have become essential. 

In this article, I explore the crucial nature of securing your ecommerce systems and showcase how implementing effective ecommerce security solutions not only enhances protection for your ecommerce websites but also lowers your overall operational costs.

The biggest ecommerce security challenges in 2024

To properly appreciate how important ecommerce security is, you first need to understand the real-life security challenges that come with building and maintaining an efficient ecommerce system. Speaking from direct experience, at ScaleCommerce, we’ve identified several key challenges that not only affect us but also our current customers as well. 

Let’s take a closer look. 

Bot traffic and scraping

Bots target the content of your e-commerce website and can extract important information, skew data analysis, and put too much strain on servers. This can result in higher running costs and worse system performance.

Specifically, catalog stealing is dumping a website’s content to snatch all the items, pictures, descriptions, translations, and short, medium, and long descriptions to spare considerable time & money. Curating a large catalog like the ones you would find in a hardware store, lightning fixture shop, or even an electronic component shop costs tens of thousands to millions of dollars, so someone might try to avoid these costs or this amount of workload by stealing product descriptions from existing ecommerce sites. 

Scrapping and catalog stealing are very visible in the logs as one or many IP addresses will be sucking out all the website content, page by page, including all pictures, texts, PDFs, etc., and quickly. This is not a regular user behavior and can be easily detected and stopped but more on that later.

Another unwanted bot or bad user behavior is price monitoring. During heightened competition times, like season openings, Christmas periods, black Fridays, and the like, it’s quite common to have competitor monitoring your prices and adjusting their own dynamically based on yours. Price monitoring can be detected by simply looking if some specific pages kept on being often reloaded by the same IP addresses at regular intervals.

Distributed Denial of Service (DDoS) attacks

Distributed Denial of Service (DDoS) attacks can cripple ecommerce websites, leading to significant downtime, loss of revenue, and reputational damage.

But here, we need to be precise with what we put behind the big DDoS scarecrow. There are two main families of DDoS we can distinguish from one another. The first method is for a malicious actor to harass your server’s network connection with a packet storm. 

Whether it’s a botnet behind (machines being puppetted by a cybercriminal) or a Reflected DDoS harnessing vulnerabilities in UDP-based protocols (DrDOS), the result is the same —  an unreasonable amount of network traffic is flooding your machine. MSPs and cloud providers can usually solve this for you at a high cost. CDNs like Cloudflare or Akamai are also very good at tanking them, and some specific cloud offers can stop them, here again at a cost.

The second type of DDoS is called L7 or Applicative DDoS (Layer 7 being the application layer). The principle is to put the infrastructure to its knees by hitting a weak link. A pragmatic, classical example of this is the database. If you reload and hammer a page that triggers a database query by multiplying those requests, you’ll eventually cripple the database performance and take the whole site down. The same is true for PHP or Python interpreters. If you can solicit them enough, they will eventually consume too much CPU or RAM and the site will become unresponsive. 

The key behind those attacks is to avoid classical caching mechanisms and trigger an interpretation every time. This can be remediated by identifying the page or element that is heavily impacting the performance and the IP addresses that are hammering it. 

SQL injections and other exploits

You must be aware that an unauthorized user with the right expertise can use a vulnerability in a web application to obtain access to a database without system admins ever knowing it, putting them at risk of having their data stolen. 

Among the countless web attacks, SQL injection is a technique most exploited by criminals who insert malicious SQL code into an input field or the URL. So, for example, an attacker can simply inject harmful code in the search bar of an ecommerce website that contains a virus, as well as other harmful software that will be executed along with it when the virus runs.

Going down the retailer nightmare museum, I must point out scans and vulnerability exploitations. Scans and exploitation attempts are the two faces of the same coin since the first usually looks for known vulnerabilities using a tool, and the second one is often more manual, looking for logic or configuration faults. Yet, both aim to compromise your site or the visitors browsing it. 

The scans will be the easiest to detect since they tend to trigger a lot of 404, 403, and 50x HTTP error codes. Those are obvious trails of someone trying to profile your web stack to identify and exploit vulnerabilities.

Fake registration and mass generation of fake accounts

This challenge is pretty self-explanatory, I would say. Fake registrations and mass-generated fake accounts distort user data, overwhelm resources, and facilitate fraudulent activities. 

These fake accounts can lead to inaccurate analytics, excessive use of server resources, and serve as a platform for further malicious activities such as spamming or launching coordinated attacks on the system.

Finding solutions to the challenges

To fight these issues and improve ecommerce security, online stores should use top-notch security tools like Cloudflare, Akamai, Datadome, and Custom Security Solutions. These tools provide different features to protect against DDoS attacks, manage bots, and safeguard web applications. 

However, I would recommend exploring what CrowdSec has to offer for ecommerce security — trust me, you’ll be impressed! CrowdSec stands out from these options because of its unique way of spotting and stopping threats, using a community-driven approach to gather information about security threats, which helps to find and block new dangers as they happen. Also, because it’s open source, people can always make it better and adapt it to new situations.

At ScaleCommerce, we use CrowdSec’s WAF and Blocklists to strengthen our defenses. The CrowdSec WAF guards our web applications from various attacks, like SQL injection and Cross-Site Scripting (XSS). The Blocklists keep up-to-date lists of known malicious IPs stopping them from reaching our site. This two-pronged approach boosts our ecommerce security posture and improves our site performance by cutting down on malicious traffic, which in turn lowers our operating costs.

CrowdSec’s method combines community-driven intelligence with strong security measures. By getting threat data from the crowd, CrowdSec makes sure businesses are safe from the newest threats. Plus, its solutions are budget-friendly bringing high-level ecommerce security within reach for companies of all sizes.

Putting theory into practice

If you won’t take my word for it, let me share with you a real-life example from a ScaleCommerce Proof of Concept (POC).

Scenario 1: Impact of bot traffic on an online shop without CrowdSec

For one of our POCs, we showcased a demo shop that was subjected to intense bot traffic without any security measures. The bots targeted both the shop and its database, leading to constant CPU/Memory spikes and high operational costs. 

On average, the shop experienced about 3,000 bot requests per minute (!), overwhelming the server and causing performance degradation. This unfiltered traffic resulted in significant strain on resources, increasing the risk of downtime and data breaches.

Scenario 2: Impact of bot traffic on an online shop with CrowdSec enabled

Now, running this same POC but with the demo shop now protected by CrowdSec, we saw a dramatic reduction in CPU/Memory usage by at least 50%! CrowdSec was able to block approximately 95% of malicious bot traffic, reducing the number of bot requests to around 150 per minute. 

This substantial decrease in unwanted traffic showcased CrowdSec’s effectiveness in reducing operational strain and enhancing ecommerce security. The result was an overall decrease in operational costs and more stable performance, proving the value of the CrowdSec Security Stack.

And if you’re curious to learn how we did it, for this particular POC we did a default test with the standard CrowdSec setup. You can check out the official documentation for a quick getting started guide. 

Long story short, we installed the CrowdSec Security Engine and installed a few default scenarios. You can explore the full list of CrowdSec scenarios on the CrowdSec Hub. 

To keep it simple in this article, here is a list of scenarios I believe are essential for ecommerce security. 

• HTTP bad user-agent: Detect known bad user-agents.
• HTTP crawl non-statics: Detect crawl (HTTP GET/HEAD) on non-static (JPG,CSS, JS, etc.) HTTP pages from a single IP.
• Ban defcon drop range: Ban a range if more than five IPs from said range are banned less than one minute apart.
• HTTP-backdoor attempts: Detect attempts to access common backdoors such as c99.php.
• HTTP DoS switching user-agents: Detect specific DoS tools that issue a high number of requests, while changing the User-Agent in every request.
• HTTP generic brute force: Get alerts when a single IP tries to brute force HTTP basic auth.
• HTTP path traversal probing: Detects path traversal probing attempts with the presence of specific path manipulation patterns in the URI or the GET parameter such as ../, %2Fetc%2Fpasswd, etc.
• HTTP sensitive files: Detect tentative of dangerous file scanning such as logs file, database backup, zip archive, etc.
• CDN whitelist: Whitelist overflows triggered on an IP in the lists here.

On top of these scenarios, for our POC, we added a custom scenario to limit requests per IP pro URL. If an IP exceeds the limit, the scenario triggers CrowdSec to block these requests. Check this custom scenario below. 

---
type: leaky
format: 2.0
name: poc-test/intensive-crawling
description: "Detect aggressive crawling and potential DDoS attacks"
filter: >
  evt.Meta.log_type in ['http_access-log', 'http_error-log'] &&
  evt.Parsed.static_ressource == 'false' &&
  evt.Parsed.verb in ['GET', 'HEAD']
distinct: "evt.Parsed.file_name"
groupby: "evt.Meta.source_ip + '/' + evt.Parsed.target_fqdn"
cache_size: 5
capacity: 70
leakspeed: 1s
blackhole: 1m
labels:
  confidence: 1
  spoofable: 0
  classification:
    - attack.T1595
  behavior: "http:crawl"
  service: http
  label: "Aggressive Crawl"
  remediation: true

Ecommerce security is critical

Securing ecommerce websites is crucial in today’s threat landscape. At ScaleCommerce, we demonstrate the tangible benefits of implementing effective ecommerce security solutions like CrowdSec through our POC.

If you manage and maintain an ecommerce system, you can address all the big ecommerce security challenges I mentioned before with CrowdSec’s IDPS, WAF, and Blocklists. Speaking from experience, the benefits are clear: reduced operational costs, improved performance, and a fortified security framework. Our POC at ScaleCommerce confirmed that using a bot protection tool like CrowdSec can substantially lower CPU usage, further reducing costs and enhancing site performance.

If you want to learn more about how this works, I recommend you check out the free and hands-on course at the CrowdSec Academy and learn everything you need to know to secure your ecommerce website.