Securing the retail sector’s attack surface
With the shift toward online shopping, accelerated by COVID, businesses in the retail sector have embraced e-commerce platforms, online shopping tools, and built dedicated apps. This expanded attack surface can create cybersecurity challenges that put retail businesses at risk.
Leroy Merlin, a leading home improvement and gardening retailer based in Europe, wanted to keep their customers’ Personally Identifiable Information (PII) secure, prevent online fraud, and mitigate supply chain attacks. Hadrian’s External Attack Surface Management (EASM) solution discovered previously unknown risks before they could be exploited, preventing a damaging attack from being executed.
Cybersecurity Challenges in the Retail Sector
Retail has become the number one target for cybercriminals, experiencing more breaches than any other business sector in 2019, and nearly a quarter of all cyberattacks target retailers. The most common threats include:
- Data Breaches: Retail and e-commerce businesses often possess sensitive customer data, making them attractive targets for cybercriminals. Data breaches can lead to financial loss, customer distrust, and regulatory fines.
- Payment Fraud: With the rise of online shopping, payment fraud is a significant concern. Fraudsters are becoming increasingly adept at discovering loopholes in payment systems to commit fraudulent transactions.
- Supply Chain Attacks: Cyber attackers have been exploiting vulnerabilities in the retail supply chain to gain unauthorized access to systems or data. This often goes unnoticed until significant damage is done.
It is no surprise that 62% of consumers say they are not confident about the security of their data with retailers. Further, 25% say that they know their data is not safe with retailers. Therefore, avoiding breaches and building consumer confidence in the security of retailers’ digital platforms is a must.
Forgotten Administrator Pages
A common risk that Hadrian has observed in e-commerce stores is the presence of exposed administrator pages. Admin pages manage the settings, content, and functions of the online store, including access to customer account information. Administrator pages that developers have left reachable without authentication, often at guessable paths, give threat actors a direct attack vector.
Forced browsing, requesting candidate paths that are not linked from the site but are likely to exist, is one of the techniques attackers use most often to find hidden and forgotten administrator pages on e-commerce sites. To emulate this malicious activity and find hidden administrator pages before they are exploited, Hadrian has developed a “hacker module” that runs continuously.
Preventing a breach
During the investigation of Leroy Merlin’s attack surface, the forced browsing hacker module discovered an administrator page. Hadrian’s platform then automatically attempted to exploit the page by deploying follow-up tests. One of the tests was a heap dump, which allowed Hadrian to exfiltrate a snapshot of the application’s memory, including session cookies containing customer information.
Those cookies could be replayed to log in to the affected accounts, giving an attacker access to company and customer information and the ability to perform fraudulent transactions. The business risk posed by this exploit is significant: it could damage consumer trust and result in regulatory fines and downtime for the business. Thanks to Hadrian’s proactive offensive security, it was remediated before any third party discovered it.
"Hadrian's platform identifies vulnerabilities in a deeper way than other fully automated tools. The insights provided by Hadrian helped us improve our system's hardening. Excellent insights"
CISO, Leroy Merlin
Continuous Autonomous Red Teaming
Forced browsing and heap dump checks are typically carried out by penetration testers and red teams on an annual or quarterly schedule. Yet the digital attack surface of many retail and e-commerce businesses changes frequently, weekly or even daily. This constant shift can leave risks hidden and unaddressed for prolonged periods.
Hadrian's platform offers a unique solution to this challenge. Our platform is designed to provide continuous monitoring of your organization's attack surface. We not only identify risks but also prioritize their remediation, ensuring your digital domain remains secure against threats. To learn more, read the full case study below.