Keep Your B2C Commerce Platform Secure During Peak Shopping Seasons

During busy seasons, you can expect a surge in online shoppers. Be sure to keep an eye out for signs of suspicious activity as web traffic increases. Improve the security of your B2C Commerce Platform to handle unusual spikes while providing a seamless user experience.

The cyclical upticks in online shopping happen every year -- beginning with a surge around Valentine's Day in February and often peaking late in the year in November and December. As legitimate shopper traffic increases, internal security teams should be vigilant about the malicious traffic that tends to shadow it.

Almost every cloud SaaS platform provides security event logging for its customers. It’s important to pay attention to those logs, now more than ever. Event logs provide insight into what is currently happening in your Storefront, including whether there might be ongoing fraudulent attempts. If you’re a B2C Commerce Cloud customer, these security logs are located in your WebDAV folder and contain the authentication logs for both your Business Manager (internal) and your Storefront (external) users. Storefront is your shoppers’ online experience, and where anyone can register as a new user. Not all Storefronts require shoppers to authenticate before making a purchase. However, authentication is encouraged in case shoppers want to add items to their carts and return later to finish the payment process.

Pay Attention to Suspicious Traffic

During peak online shopping seasons, you might encounter increased traffic from genuine shoppers mixed with malicious traffic. If you notice an uptick in traffic, it’s a good idea to check your security logs for any irregularities. Security logs are stored in the following path: 

https://<instance name>.demandware.net/on/demandware.servlet/webdav/Sites/Securitylog

These logs can be accessed either using WebDAV, or simply by downloading them via Business Manager. Below are a few examples of security log entries: 

[2023-09-06 03:00:00.490 GMT] [DW-SEC] : User: 'mxxxx@gmail.com' (Customer-Sites-SOME_CUSTOMER_US), IP: 20X.LLL.MMM.NNN [CUSTOMER_NOT_FOUND] : authentication failed for login [mxxxx@gmail.com@gmail.com], loginType=Storefront, IP address=20X.LLL.MMM.NNN, status=failed, browser=[App com.customer.us.app v1.0.1 (android/26)], Accept-Language=en_US, reason=CUSTOMER_NOT_FOUND, sessionId=<unique_session_id_here>

[2023-09-06 03:00:00.490 GMT] [DW-SEC] : User: 'jxxxx@icloud.com' (Customer-Sites-SOME_CUSTOMER_US), IP: 20X.LLL.MMM.NNN [CUSTOMER_NOT_FOUND] : authentication failed for login ['jxxxx@icloud.com], loginType=Storefront, IP address=20X.LLL.MMM.ZZZ status=failed, browser=[App com.customer.us.app v1.0.1 (android/25)], Accept-Language=en_US, reason=CUSTOMER_NOT_FOUND, sessionId=<unique_session_id_here>

[2023-09-06 03:00:00.500 GMT] [DW-SEC] : User: 'pyyyyy@yahoo.com' (Customer-Sites-SOME_CUSTOMER_US), IP: 20X.LLL.MMM.NNN [CUSTOMER_NOT_FOUND] : authentication failed for login ['pyyyyy@yahoo.com], loginType=Storefront, IP address=20X.LLL.MMM.VVV, status=failed, browser=[App com.customer.us.app v1.0.1 (android/42)], Accept-Language=en_US, reason=CUSTOMER_NOT_FOUND, sessionId=<unique_session_id_here>

The examples above show authentication attempts into the Storefront that failed with reason CUSTOMER_NOT_FOUND; a high frequency of CUSTOMER_NOT_FOUND results suggests that the credentials being tried may have been stolen in previous breaches of other websites.

In the above examples, the attempts came from a single IP address or from multiple IP addresses within the same Autonomous System Number (ASN). One possibility is that these were genuine Storefront login attempts by a shopper who forgot their username, but further analysis is needed to confirm. As you begin to analyze the logs, patterns will start to become apparent.

Every security analyst should ask themselves the following questions when examining these types of security logs: 

  • Is this amount of traffic considered normal when compared to your typical traffic metrics? Take this hypothetical scenario for example: does it make sense for your organization to have daily traffic of 10,000 hits during peak hours, and for 10% of that traffic to result in CUSTOMER_NOT_FOUND?

  • Did the traffic come from the same source (IP addresses, same ASNs), or from a country that your store doesn’t deliver to?

  • Did the events come from web browser versions that are out of date or not typically used anymore? 

    • For example, the user agent Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) might have been a common user agent back in 2015 when Windows 7 was a common operating system, but it is not commonly used in 2024.
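As an added example (not part of the original post), the following Python script parses [DW-SEC] authentication lines in the format quoted above and answers the three triage questions for a batch of constructed sample lines. The RFC 5737 addresses, the fake users and the way a successful login is logged are assumptions; only failures are quoted in the post.

```python
import re
from collections import Counter

# Field pattern for the [DW-SEC] authentication lines quoted in the post; the comma
# after the IP is optional because one quoted line omits it.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[DW-SEC\] : User: '(?P<user>[^']*)'.*?"
    r"loginType=(?P<login_type>\w+), IP address=(?P<ip>[^,\s]+),? status=(?P<status>\w+), "
    r"browser=\[(?P<browser>[^\]]*)\](?:.*?reason=(?P<reason>\w+))?")
# Trident/MSIE marks Internet Explorer, as in the 2015-era user agent quoted above.
LEGACY_UA = ("Trident/", "MSIE ")

# Constructed sample lines in the post's format (RFC 5737 addresses, fake users). How a
# successful login is logged is an assumption here; only failures are quoted in the post.
SAMPLE_LOG = [
    "[2023-09-06 03:00:00.490 GMT] [DW-SEC] : User: 'a@example.com' (Customer-Sites-EXAMPLE_US), IP: 203.0.113.10 [CUSTOMER_NOT_FOUND] : authentication failed for login [a@example.com], loginType=Storefront, IP address=203.0.113.10, status=failed, browser=[App com.example.app v1.0.1 (android/26)], Accept-Language=en_US, reason=CUSTOMER_NOT_FOUND, sessionId=<constructed>",
    "[2023-09-06 03:00:00.495 GMT] [DW-SEC] : User: 'b@example.com' (Customer-Sites-EXAMPLE_US), IP: 203.0.113.10 [CUSTOMER_NOT_FOUND] : authentication failed for login [b@example.com], loginType=Storefront, IP address=203.0.113.10 status=failed, browser=[Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)], Accept-Language=en_US, reason=CUSTOMER_NOT_FOUND, sessionId=<constructed>",
    "[2023-09-06 03:00:00.500 GMT] [DW-SEC] : User: 'c@example.com' (Customer-Sites-EXAMPLE_US), IP: 203.0.113.10 [CUSTOMER_NOT_FOUND] : authentication failed for login [c@example.com], loginType=Storefront, IP address=203.0.113.10, status=failed, browser=[App com.example.app v1.0.1 (android/42)], Accept-Language=en_US, reason=CUSTOMER_NOT_FOUND, sessionId=<constructed>",
    "[2023-09-06 03:00:01.120 GMT] [DW-SEC] : User: 'd@example.com' (Customer-Sites-EXAMPLE_US), IP: 203.0.113.10 : authentication succeeded for login [d@example.com], loginType=Storefront, IP address=203.0.113.10, status=success, browser=[App com.example.app v1.0.1 (android/33)], Accept-Language=en_US, sessionId=<constructed>",
    "[2023-09-06 03:05:12.000 GMT] [DW-SEC] : User: 'e@example.com' (Customer-Sites-EXAMPLE_US), IP: 198.51.100.7 : authentication succeeded for login [e@example.com], loginType=Storefront, IP address=198.51.100.7, status=success, browser=[Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15], Accept-Language=en_US, sessionId=<constructed>",
]

def parse_line(line):
    """Return the fields of one DW-SEC auth line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(lines, not_found_ratio=0.10, top_ip_share=0.50):
    """Answer the post's triage questions over a batch of log lines and return the findings."""
    events = [e for e in map(parse_line, lines) if e]
    total = len(events)
    not_found = sum(e["reason"] == "CUSTOMER_NOT_FOUND" for e in events)
    top_ip, top_count = (Counter(e["ip"] for e in events).most_common(1) or [(None, 0)])[0]
    failing_ips = {e["ip"] for e in events if e["status"] == "failed"}
    # A success from a source that also produced failures is where the post says to look next.
    suspicious_success = [e["user"] for e in events
                          if e["status"] == "success" and e["ip"] in failing_ips]
    legacy_users = [e["user"] for e in events if any(k in e["browser"] for k in LEGACY_UA)]
    flags = []
    if total and not_found / total > not_found_ratio:
        flags.append("high CUSTOMER_NOT_FOUND ratio")
    if total and top_count / total > top_ip_share:
        flags.append(f"traffic concentrated on {top_ip}")
    if legacy_users:
        flags.append("legacy browser user agents")
    if suspicious_success:
        flags.append("successful login from a failing source")
    return {"total": total, "not_found": not_found, "top_ip": top_ip, "legacy_users": legacy_users,
            "suspicious_success": suspicious_success, "flags": flags}
```

The thresholds are the post's hypothetical 10% CUSTOMER_NOT_FOUND share and an assumed 50% single-source share; tune them to your own baseline traffic metrics.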

If you determine that your log activity does not align with typical patterns or expected activity, the next thing to look for is successful authentication attempts from suspicious sources. Many users tend to reuse the same username and password combinations for different sites, making their accounts vulnerable to threat actors who can test the leaked credentials against multiple sites to see if the same combination works. If you suspect a bad actor has gained access to a user account, the quickest short-term containment step is to initiate a password reset for that account. If you are worried about having to perform the password resets one by one, the following two OCAPI endpoints can be used to perform bulk password resets: 

https://hostname:port/dw/shop/v18_1/customers/password_reset
https://hostname:port/dw/shop/v18_1/customers/{customer_id}/password_reset

Protect Against Account Access Attacks

Bad actors commonly use automated tooling to test millions of username and password combinations with the goal of gaining access to a user account (this is known as credential stuffing). What’s the best way to protect against these attacks in the long term? To carry out this type of attack, threat actors need time -- and the best way to counteract it is by forcing them to slow down. 

Salesforce B2C Commerce Cloud comes with a built-in Content Delivery Network (eCDN) that provides Web Application Firewall (WAF) and rate-limiting capabilities, which the store admin can activate themselves if needed. By configuring the sensitivity level, the built-in WAF can issue additional challenges in the form of CAPTCHA to ensure that the visitor is human. There are also third-party solution partners available from the B2C Marketplace, such as PerimeterX and DataDome. Read about Bot Management here.

Some organizations might be concerned about negatively impacting the user experience when implementing strong password requirements and additional CAPTCHA challenges. While the use of these features can help close security gaps, they do require the user to spend slightly more time in the login process. Nonetheless, the benefit of preventing malicious attacks is well worth it in the long run. 

Following the above steps to proactively secure your eCommerce platform ahead of peak shopping periods will save you and your organization time, money and energy. Happy analyzing!
