Ghosts of E-Business Past, Present & Future

In the immortal words of philosopher and cultural critic George Santayana, those who do not learn from history are condemned to repeat it. Ebenezer Scrooge, the protagonist of Charles Dickens’ famous play A Christmas Carol, likely would have agreed with this sentiment.

In a similar vein, as the holiday season progresses and the prospect of an economic recovery looms, e-businesses would do well to heed the lessons of their fallen predecessors. Like ghosts of e-business past, infamous flameouts like Webvan and Pets.com may hold valuable lessons for today’s survivors about where the industry has been, what issues e-commerce companies now face, and what challenges are likely to loom in the future.

Can e-tailers learn from past failures, navigate the challenges of the present and face the future with renewed prospects for success?

Chilling Past

Amid the economy’s hard downward turn a few years ago, dot-coms were in the thick of the chaos. Many companies that had been founded on shaky business models faded away to nothing, leaving behind only remnants like leftover T-shirts and Aeron chairs. However, other Internet companies had such intriguing rises and falls that it seemed they had been created just to serve as warnings to others.

For example, Webvan turned out to be an example of poor arithmetic, since the company was paying more for its products than it was charging customers. Go.com proved to be a portal that led nowhere, and Iam.com lost US$48 million in trying to convince models and actors to put their portfolios online.

Some dot-coms tried to cash in on markets that did not need online components, such as HeavenlyDoor.com, which tried to sell caskets and burial plots and ended up losing $26 million in the process. The list, from Flooz to iMotors.com, goes on and on.

As IDC analyst Jonathan Gaw told the E-Commerce Times: “It was just a huge implosion, and all of the dot-com stocks went down. But the ones that survived are the stronger for it.”

Root of the Problem

However, it is not enough just to look at the past and shake one’s head in disbelief at e-business blunders. Gaw noted that for e-businesses in today’s environment, it is vital to understand past mistakes to avoid repeating them.

“The problem with the dot-com era was that we had a mantra that the rules [had] changed, that everything was different,” he said. “In some ways, that was true, because the rules did change. But in other ways, it was false, because the principles remained the same. We confused rules [with] principles.”

Gaw added that the Internet’s rise was similar to the invention of the airplane, which did change the world and the rules of travel. However, it did not change the underlying principles of flight. “Gravity still works the same, whether there’s an airplane or not,” he noted.

Similarly, business principles are a constant, and it is up to e-commerce companies to learn — and successfully apply — the basics.

Present Tense

Indeed, if there is a bright side to the dot-com mass extinction, it is that companies now are open to learning from the past, rather than insisting that everything has changed and old rules do not apply. The loss of so much money has not been forgotten by survivors of the e-business shakeout — and neither have the pain of layoffs, unreturned phone calls from venture capitalists and derision from consumers.

Philip Kaplan, founder of dot-com deathwatch site F***edCompany.com, told the E-Commerce Times that when he visits a company now, management and employees are keen to show they are not squandering money as in days past.

“They almost brag about how crappy their offices are and how bad their parties are,” he said. “It’s like they’re proud of it. But I think they’re just trying to distance themselves from what happened.”

Some lessons remain to be learned, though. Although the bad old days seem to have passed, e-commerce companies still face significant challenges in the present. Some of these hurdles are standard business difficulties, including retaining customers, determining adequate pricing strategies, maintaining proper staffing levels and keeping up with the pace of technology changes.

Other issues are more e-commerce specific, such as perfecting online usability and earning customer trust in an age of identity theft.

Future Perfect?

If today’s e-commerce companies could be visited by a Ghost of E-Business Future, they likely would want to know what challenges they would face in coming months and years, so they could prepare to meet them.

One area that still presents a challenge and will continue to do so in years ahead is usability and navigation. Jared Spool, founding principal of usability firm User Interface Engineering, told the E-Commerce Times that some e-tailers still do not know why customers come to their sites. He said this lack of insight likely will not be overcome soon.

“We see it all the time, that one little piece of information turns out to be tremendously important,” he said. “Making a site usable is a process that takes understanding and time. There is still a great deal to be learned.”

Pendulum Ready To Swing?

Some contemplative e-business executives may be able to gain a deeper understanding of usability, basic business practices and customer management as time passes, but not all of them will succeed, Gaw warned.

“We’re kind of like dogs,” he said. “We have really poor memories. That both helps and hurts…. You need to have a short memory to take risks and be aggressive. But it hurts when those risks do not pan out.”

He noted that in the e-commerce industry, as in other sectors, the pendulum swing of business means that the aggressiveness of the dot-com era is currently being counteracted by conservatism. In the future, the pendulum may begin swinging back toward exuberance.

“You see this swinging in everything, from business to politics,” Gaw said, “and pretty soon you realize that this is just the way life is.”


Attacks on Cloud Service Providers Down 25% During First 4 Months of 2022

New research from Atlas VPN shows that cloud-native exploits on major cloud service providers (CSPs) declined during the first four months of 2022.

Cloud-native exploits dropped by 25%, from 71 exploits in the first four months of 2021 to 53 exploits in the first four months of this year, Atlas researcher Ruta Cizinauskaite told the E-Commerce Times.

Although those numbers may seem small, they are significant, maintained Paolo Passeri, a cyber intelligence principal at Netskope, a Security Service Edge provider in Santa Clara, Calif., and author of the Hackmageddon blog, from where Atlas obtained the data for its report.

“This is only the so-called tip of the iceberg, that is, campaigns that have been unearthed and disclosed by security researchers,” he told the E-Commerce Times.

One of the most targeted CSPs during the period was Amazon Web Services (AWS), Cizinauskaite wrote in the report released June 8. “[AWS] suffered the most cloud-native exploits among cloud service providers as of April 2022,” she reported. “In total, it experienced 10 cloud-native exploits accounting for nearly a fifth (18.9%) of all such events in the first four months of this year.”

She explained that cloud-native threats refer to cyber events that exploit the cloud in one or more stages of the “kill chain,” a cybersecurity model that identifies the typical steps taken by hackers during a cyberattack.

Tool for Mischief

For hackers, Amazon — which, with a third of the CSP market, is top dog — is a robust battleground where an attacker can never run out of targets, Alon Gal, co-founder and CTO of Hudson Rock, a threat intelligence company in Tel Aviv, Israel, told the E-Commerce Times.

AWS is also a flexible tool that can be used for multiple purposes, Passeri added. For example, AWS can be used to host a malicious payload delivered during an attack, as a command-and-control center for malware or to provide the infrastructure to exfiltrate data, he explained.

“As trust in cloud service providers has increased, so has the attraction for cybercriminals that target selected external services with sophisticated yet expected techniques,” Gal observed.

“Once a playbook for a technique is developed,” he continued, “it usually results in a quick win for them across multiple companies.”

Tempting Targets

David Vincent, vice president of product strategies at Appsian Security, an ERP security application provider in Dallas, explained that more and more organizations are moving their critical business systems into the cloud for obvious advantages.

“As long as these business systems contain valuable targets such as data and personally identifiable information or enable financial transactions, like payments, that criminals want access to, these cloud solutions will continue to be targeted by malicious actors,” he told the E-Commerce Times.

With 60% of corporate data stored in the cloud, CSPs have become a target for hackers, Passeri added.

“Besides,” he continued, “a compromised cloud account can provide the attackers multiple tools to make their attacks more evasive.” For example, they can provide a platform to host malicious content, such as AWS, OneDrive or Google Drive. They can also provide an embedded email service, such as Exchange or Gmail, to deliver malicious content that evades web security gateways.

Fishers of Bytes

The report noted that trailing behind AWS in the targeted department were five services each with five exploits: Microsoft OneDrive, Discord, Dropbox, Google Drive, and GitHub.

Other services had a thinner slice of the exploit pie: Pastebin (5.7%); Microsoft 365 and Azure (3.8%); and Adobe Creative Cloud, Blogger, Google Docs, Google Firebase, Google Forms, MediaFire, and Microsoft Teams (1.9%).

A majority of the exploits (64.8%), the report found, were aimed at delivering a malware strain or a phishing page.

Other exploits used the CSPs to set up a command and control infrastructure for malignant activities elsewhere (18.5%) and for stealing data or launching other attacks (16.7%).

“Successful hackers are like fishermen, they have different lures in the tackle box to attack a victim’s weakness, and they often must change the lure or use multiple lures because the victims become informed and won’t bite,” Vincent explained.

Exploiting CSP Infrastructure

Passeri explained that malware delivered to CSPs is not designed to compromise their systems but to use their infrastructure since it is considered trusted by the victims and organizations that use it.

In addition, he continued, the CSPs offer a flexible platform that is resilient and simplifies hosting. For example, there is no need to allocate an IP space and register a domain.

Advantages to hackers using a CSP’s infrastructure cited by Passeri include:

  • It is considered trusted by the victim because they see a legitimate domain and in the case of a phishing page, a webpage hosted on a cloud service with a legitimate certificate.
  • In some cases it is considered trusted by organizations because too many of them consider the CSP infrastructure trusted, so they end up whitelisting the corresponding traffic, meaning that the security controls normally enforced on the traditional web traffic are not applied.
  • It is resilient because if the malicious content is taken down, the attackers can spin up a new instance instantaneously.
  • Traditional web security technologies are blind to the context, that is, they do not recognize if, for example, a connection to AWS is heading to a legitimate corporate instance, or to a rogue instance controlled by the attackers.
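
The last point, telling a corporate instance from an unknown one, can be sketched for S3 as follows. This is an added example, not code from the report or from anyone quoted here; the bucket names, the log layout and the `CORPORATE_BUCKETS` inventory are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# s3.amazonaws.com, s3.<region>.amazonaws.com and legacy s3-<region>.amazonaws.com
_ENDPOINT = r"s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"
_PATH_STYLE = re.compile(rf"^{_ENDPOINT}$")
_VHOST_STYLE = re.compile(rf"^(?P<bucket>.+?)\.{_ENDPOINT}$")

# Assumption: buckets the organization owns, e.g. exported from its cloud inventory.
CORPORATE_BUCKETS = {"acme-corp-assets", "acme-corp-backups"}

# Constructed proxy log lines: timestamp, user, method, URL.
SAMPLE_LOG = """\
2022-06-08T09:14:02Z alice GET https://acme-corp-assets.s3.amazonaws.com/logo.png
2022-06-08T09:15:40Z bob GET https://s3.us-east-1.amazonaws.com/acme-corp-backups/db.tgz
2022-06-08T09:17:11Z carol GET https://invoice-viewer-7731.s3.eu-west-1.amazonaws.com/login.html
2022-06-08T09:18:55Z carol PUT https://s3.amazonaws.com/tmp-drop-4410/export.zip
2022-06-08T09:20:03Z dave GET https://www.example.com/index.html
"""


def s3_bucket(url):
    """Return the bucket a URL addresses, or None if the host is not an S3 endpoint."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if _PATH_STYLE.match(host):
        # Path-style: the bucket is the first path segment.
        return parts.path.lstrip("/").split("/", 1)[0] or None
    match = _VHOST_STYLE.match(host)
    # Virtual-hosted-style: the bucket is the leading host label(s).
    return match.group("bucket") if match else None


def classify(url, corporate=CORPORATE_BUCKETS):
    """Label a request by instance, not just by the provider's domain."""
    bucket = s3_bucket(url)
    if bucket is None:
        return "not-s3"
    return "corporate" if bucket in corporate else "unknown-instance"


def unknown_instances(log_text, corporate=CORPORATE_BUCKETS):
    """Return (user, method, bucket) for S3 requests to buckets outside the inventory."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the constructed layout
        _, user, method, url = parts
        if classify(url, corporate) == "unknown-instance":
            findings.append((user, method, s3_bucket(url)))
    return findings


if __name__ == "__main__":
    for finding in unknown_instances(SAMPLE_LOG):
        print(finding)
```

An unknown bucket is not necessarily hostile, since partners and vendors host content on S3 too; the point is that such traffic gets the normal inspection instead of a domain-wide bypass.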

Info-Stealers

One form of malware distributed through CSPs is information-stealing software. “Info-stealers are a quick win for hackers, as they are able to capture all the sensitive data from a compromised computer in a matter of seconds while leaving almost no traces behind,” Gal said.

“They can then use data like corporate credentials and cookies that were captured by the stealer to cause significant data breaches and ransomware attacks,” he added.

While hackers are willing to use CSP infrastructure for nefarious ends, they’re less inclined to attack that infrastructure itself. “Most exploits from CSPs are a result of misconfigured public internet-facing resources, like AWS S3 buckets,” explained Carmit Yadin, CEO and founder of DeviceTotal, a risk management company in Tel Aviv, Israel.

“Malicious actors target these misconfigurations rather than looking for a vulnerability in the CSP’s infrastructure,” he told the E-Commerce Times. “CSPs often maintain a more secure infrastructure than their customers can manage alone.”

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.


How To Tackle Mobile Ad Fraud Before It Destroys Your Brand

Mobile ad spending in 2021 set a record by reaching $295 billion globally, a 23% increase from 2020. This trend will continue in 2022 — with the figure projected to reach $350 billion by the end of this year. The reason? We’re spending more time on our mobile phones. In fact, the average person now spends four to five hours per day on their phones. As of last month, in the U.S. roughly 53% of web visits originated from mobile devices.

The spotlight on mobile shopping has reshaped several industries; e-commerce, in particular. App store spending in 2021 reached a new high of $170 billion, an 18% increase from the previous year. This statistic shows that most consumers prefer to download an app and shop from the comfort of their own homes as opposed to going to a brick-and-mortar store.

Unfortunately, the surge in mobile ad spending in addition to device usage has led to a wave of criminal activity called mobile ad fraud. According to AppsFlyer, in 2019 over $4.8 billion of businesses’ mobile ad spend was exposed to ad fraud — an increasingly common issue affecting e-commerce companies across multiple industries, especially retail.

Let’s talk about exactly what mobile ad fraud is, the various types of mobile ad fraud to look out for, and three ways you can help prevent mobile ad fraud from taking place at your online storefront.

What Is Mobile Ad Fraud?

Mobile ad fraud is any practice that involves defrauding digital advertisers on mobile by using false impressions or fake app installs for financial gain or competitive advantage.

Fraudsters utilize a variety of methods to skim money off several types of mobile ads. Some of these include the use of bots, click injections, click spamming, and spoofing SDKs.

With these techniques, bad actors can use false data to feed off advertisers’ ad spend and sometimes go undetected for a long time.

There Are Multiple Types of Mobile Ad Fraud

When it comes to mobile ad fraud, we can categorize the various types into two main categories: mobile ad fraud via app installation, and mobile ad fraud via user interaction on mobile devices:

Mobile ad fraud via app installation

SDK spoofing, also known as SDK hacking, involves simulating real installs, clicks, and other impressions of an app to the attribution provider. With this technique, fraudsters can create thousands or even millions of fake installs that’ll consume the advertiser’s ad budget.

Click spamming involves fraudsters sending large volumes of fake or low-quality clicks to a mobile measurement partner (MMP) or attribution tool, waiting for an organic install to happen. Once a user installs the app, the attribution meant for the advertiser goes instead to the fraudster.

Mobile ad fraud via user interaction on mobile devices

Pixel stuffing occurs when publishers place an ad in a 1×1 pixel area that is invisible to the naked eye. Although these ads are invisible to the user, they still count as an impression.

Click hijacking occurs when bad actors redirect the click meant for one ad to another ad. By intercepting the communication between the user and the ad, they can steal or hijack the clicks on ads and transfer them to another ad.

3 Ways To Prevent Mobile Ad Fraud

The various forms of ad fraud make it difficult to protect against losing money to bad actors. However, learning how to prevent it offers a fighting chance and helps with early detection.

Maintain an IP blacklist
Certain IP addresses have a reputation of ad fraud due to their invalid clicks and fake traffic sources. Therefore, keep a blacklist of IP addresses you don’t want to interact with your ads. Also, compare your list with newly updated blacklists regularly.

Use an ads.txt file
In cases of domain spoofing, and other forms of imitation, an ads.txt file comes in handy. This file serves as an agreement between you, the SSP, DSP or ad exchange about who has the authority to resell your ads.
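
How a buyer can check a seller against a publisher's ads.txt, as an added example that is not part of the original article. The record layout (ad system domain, seller account ID, DIRECT or RESELLER, optional certification authority ID) follows the IAB Tech Lab ads.txt format; the domains, IDs and file contents are constructed.

```python
from typing import NamedTuple, Optional

# Constructed ads.txt as it might be served from https://shop.example/ads.txt
SAMPLE_ADS_TXT = """\
# ads.txt for shop.example (constructed sample)
adexchange.example, pub-1001, DIRECT, abc123def456
ssp.example, 88721, reseller   # lower-case relationship is normalized
contact=adops@shop.example
ssp.example 99999 DIRECT
"""


class Seller(NamedTuple):
    ad_system: str              # domain of the SSP or exchange
    account_id: str             # publisher's account ID inside that system
    relationship: str           # DIRECT or RESELLER
    cert_authority: Optional[str]


def parse_ads_txt(text):
    """Return (sellers, variables, rejected_lines) from ads.txt content."""
    sellers, variables, rejected = [], {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) == 1 and "=" in line:  # variable record, e.g. contact=
            name, value = line.split("=", 1)
            variables.setdefault(name.strip().lower(), []).append(value.strip())
        elif (len(fields) in (3, 4) and all(fields[:3])
              and fields[2].upper() in ("DIRECT", "RESELLER")):
            cert = fields[3] if len(fields) == 4 and fields[3] else None
            sellers.append(Seller(fields[0].lower(), fields[1],
                                  fields[2].upper(), cert))
        else:
            rejected.append(raw)              # malformed: never treat as authorized
    return sellers, variables, rejected


def is_authorized(sellers, ad_system, account_id, relationship=None):
    """True if the (ad system, account ID) pair is listed, optionally with a given relationship.

    Domains compare case-insensitively; account IDs are compared exactly (a choice made here).
    """
    for s in sellers:
        if s.ad_system == ad_system.lower() and s.account_id == account_id:
            if relationship is None or s.relationship == relationship.upper():
                return True
    return False


if __name__ == "__main__":
    sellers, variables, rejected = parse_ads_txt(SAMPLE_ADS_TXT)
    print(is_authorized(sellers, "ssp.example", "88721"))   # listed reseller
    print(is_authorized(sellers, "ssp.example", "99999"))   # only on a malformed line
    print(rejected)
```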

Work with verified publishers
Placing your ads on a verified publisher’s website is expensive. But they are more likely to offer your ads some safety and a guarantee from fraudsters, which is more than you’ll receive from a low-budget publisher. Also, you can rest assured the data you’re getting from a verified publisher isn’t skewed.

Implications of Mobile Ad Fraud on Businesses

Mobile ad fraud leading to revenue loss is only part of the story. Great damage can be done to a brand’s reputation by being placed on a blacklist.

When purchasing ad inventory, businesses investigate past and existing records of vendors. They do this to ensure viewability, ROI and safety. An ad campaign that’s explicit or that features unsafe content isn’t something with which your business wants to be associated. Should your company get blacklisted due to reports of inappropriate advertisements, your brand image and reputation could be at stake.

Often, you won’t see the immediate effect of ad fraud — that is, until the damage has already been done. By that point, you may have lost money, and your e-commerce establishment will find it challenging to stay afloat. Or, in the case of being blacklisted, your brand’s reputation may be damaged, taking years to repair. By then, of course, it’s too late.

Publishers and advertisers need to be aware that mobile ad fraud is a substantial threat to the industry. It’s especially vital to keep it in mind as consumers shop more often via smartphones. The earlier both parties work together to help end mobile ad fraud, the better.

Remember, the best defense against mobile ad fraud is to employ preventative measures to protect your business.

Jacob Loveless is CEO of Edgemesh. He has a 20-year career in making things go faster, from low latency trading for Wall Street to large-scale web platforms for the Department of Defense, and is a two-time winner of high-performance computing awards. Today, Loveless runs Edgemesh, the global web acceleration company he co-founded in 2016.
