E-Commerce Sites Crippled by Hacker Sabotage

Just one day after a hacker attack on Yahoo! shut the giant portal down for several hours, several leading e-tail sites were similarly affected by what appears to be an orchestrated, Web-wide act of sabotage.

At last count Tuesday, Amazon.com, Buy.com and online auctioneer eBay had joined CNN.com as victims of the cyber-assault, bringing the total of high-profile crashes to five.

Monday’s orchestrated assaults on Yahoo! shut the site down for about three hours as a result of what company officials described as a coordinated attack from more than 50 Internet addresses.

Buy.Com Hit During IPO

On Tuesday, just a few hours after Buy.com made its Wall Street debut, the Internet’s number two e-tail site fell victim.

“We were hit with a coordinated denial-of service attack that appears to be very similar to what happened to Yahoo!,” Buy.com CEO Gregory J. Hawkins said in published reports. “It is like a revolving door spinning. A few people could get in and shop, but the majority of traffic was blocked by this attack.”

These offensives are of a genre known as “denial-of-service,” in which a Web site cannot function normally because its system is overloaded with data requests sent by the hacker.

While e-commerce companies often list “system failures” as possible risk factors in their registration filings with the Security and Exchange Commission (SEC), yesterday’s attack on Buy.com underscores the reality of such warnings.

Amazon and eBay Come Under Attack

Meanwhile, eBay officials said that its Web site came under a similar denial-of-service attack at around the end of the business day.

“We are still trying to isolate the problem,” eBay spokesman Kevin Pursglove said late last night in published reports. “Our engineers are still investigating.”

Two hours later, Amazon also came under assault. According to spokesman Bill Curry, the attack occurred several hours after the eBay incident — but service was back to normal within an hour.

CNN said its Web site was “seriously affected.” It fell under attack for nearly two hours before technicians were able to shield its computers from the hackers late Tuesday night.

No Claim of Responsibility

While the attacks have attracted worldwide media attention, no one person or group has claimed responsibility as of yet. Moreover, as of late Tuesday, its not certain why the companies were targeted.

In any event, the attacks dispel the notion that hackers are just rummaging around the Net without doing any real damage. Whoever is perpetrating the attacks — and it could well be more than one person — seems far closer to being a terrorist or saboteur than a hacker.

A spokeswoman for the Federal Bureau of Investigation (FBI) said that while the bureau’s computer-intrusion squad in San Francisco, California is talking to Yahoo!, it has not yet opened a formal criminal investigation.

E-tailers Extremely Vulnerable

In the wake of these incidents, many interested parties are coming to the disturbing realization that the current state of the Internet is such that hackers can wreak system-wide havoc upon virtually any Web site, and certainly upon the vast majority of e-commerce sites.

Yesterday, Yahoo! moved quickly to recover by trying to identify the culprits while taking measures to protect itself against a repeat occurrence.

Like all Web sites, e-commerce stores are highly vulnerable to denial of service attacks. However, unlike many other Web sites, continuous Web service is crucial to online merchants’ ability to conduct business.

Furthermore, an e-tailer’s reputation for security can be severely tarnished by a hacker attack and the losses from an attack incident may be both immediate and long-term, through loss of customers. The conclusion that an online merchant that is susceptible to hacker attacks may be also placing its customers’ personal data at risk, is not far-fetched, albeit unfortunate.

What Can an Online Merchant Do?

According to CERT (Carnegie Mellon University’s Computer Emergency Response Team), solutions to denial of service attacks fall into these general categories:

Awareness of the problem, prompt detection of the attack, prevention through sound security practices, and quick response by using specially developed security software.

In practice, however, it is doubtful that the vast majority of Web sites can remain continuously protected against this type of hacker assault. As new Internet software is developed, so too, hackers discover new system vulnerabilities. There is currently no software that eliminates all security vulnerabilities, and none in sight.