ウェブスキミングの被害、氷山の一角 気ままなリライト182
A vessel of digital convenience is sinking, its hull riddled with unseen breaches, swallowed by the shadowy depths of the Dark Web. In this murky underworld of cybercrime, personal information sparkles like treasure, drawing the hungry gaze of cyber predators. Without a comprehensive overhaul of cybersecurity measures to reinforce its defenses and raise awareness of emerging threats, the e-commerce industry risks succumbing to relentless attacks. As cracks in its defenses grow wider, its fragile foundation becomes an open invitation for exploitation, leaving in its wake the wreckage of eroded trust, financial losses, and damaged reputations for consumers, businesses, and operators alike.
Cyber threats to e-commerce security have become a pervasive global concern, akin to an iceberg lurking beneath the surface— its true danger hidden until disaster strikes, much like the fate of the Titanic. Beneath the surface lies a complex and evolving web of threats, such as web skimming. It involves the insertion of malicious code into legitimate e-commerce websites to siphon sensitive data such as credit card information. Cybercriminal groups like “Water Pamola” initially targeted e-commerce sites in Australia and Europe, but since 2020, attacks on Japanese platforms have intensified significantly. In 2024, malicious programs were detected on e-commerce websites operated by roughly 40 companies and organizations across Japan. This discovery raised serious concerns about the potential exposure of over 300,000 customer records, as confirmed by interviews with the National Police Agency. Meanwhile, Trend Micro, a prominent cybersecurity company, has reported finding similar malicious code embedded in multiple e-commerce platforms in Japan, underscoring the growing sophistication and scale of these attacks.
Attacks on legitimate websites are far harder to detect than those involving fake sites. Notable victims of such breaches include the e-commerce platforms of Tully's Coffee Japan, based in Tokyo's Shinjuku district, and the National Federation of Fisheries Cooperative Associations (Zengyoren). Alarmingly, many operators failed to recognize the tampering for years. For instance, a food sales business confirmed its e-commerce site had been compromised as early as 2021, but the breach was only discovered in July 2024 after a credit card company alerted them to suspicious activity. “Only a small portion of the website’s code is altered in these attacks,” explained Katsuyuki Okamoto, a security evangelist at Trend Micro. “This makes it extremely difficult for operators to detect, often allowing the damage to continue unnoticed for extended periods.”
Vulnerabilities in website infrastructure, combined with human errors in e-commerce operations, provide attackers with opportunities to execute malicious activities. By exploiting these weaknesses, attackers insert malicious code into website forms or URLs, manipulating server- or client-side processes to harvest sensitive data. One common method involves injecting malicious JavaScript into payment pages. When customers input their credit card information, the script transmits it to the attacker’s server. Phishing is another key tactic. Invisible pickpockets send deceptive emails to e-commerce site administrators, tricking them into clicking links or downloading malware-infected files. Once the trojan horse is installed, it grants attackers access to the backend of the website, allowing them to embed malicious code directly. The stolen data is often stored online temporarily before being collected in bulk by cybercriminal groups for further use or sale.
As the e-commerce market has continued to expand, delays in implementing adequate security measures have heightened the risk of consumer information leaks. According to the Ministry of Economy, Trade and Industry (METI), Japan's domestic direct-to-consumer e-commerce market grew to ¥24.8 trillion in 2023, nearly doubling from ¥12.7 trillion in 2014. Despite this rapid growth, progress in cybercrime prevention—through reducing system vulnerabilities and improving digital security awareness among users and e-commerce operators—have lagged behind. This tendency is particularly pronounced among small and medium-sized businesses (SMBs) that operate their own e-commerce platforms, which are particularly vulnerable to increasingly sophisticated cyberattacks.
A growing recognition of cybersecurity as a cornerstone of trust for businesses, regulators, and consumers alike, is likely to drive SMBs to take swift and decisive action against these threats. Many SMBs tend to turn to major e-commerce (EC) marketplaces like Amazon or Rakuten, which provide stronger security but at the cost of competitiveness. While self-operated EC platforms run by SMBs offer distinct advantages, such as lower transaction fees and greater access to customer data for marketing, SMBs often lack the resources to implement robust security measures, leaving them exposed to potential breaches. “It is not easy for small and medium-sized businesses to secure the necessary talent to operate EC sites,” explains Tomohiko Motoya, director of the Digital Commerce Research Institute. As a result, many SMBs are finding themselves relying on larger e-commerce marketplaces, trading higher fees and reduced control over customer relationships for stronger cybersecurity protections . These compromises are increasingly seen as a necessary price to ensure that the vessel of online commerce can navigate the turbulent waters of cyber threats and reach the shores of secure innovation before it's too late.