While consumers may be looking to rip off retailers as the cost-of-living crisis deepens, cybercriminals are also taking the industry by storm with a variety of automated threats: account takeover, credit card fraud, web scraping, API abuse, Grinch bots, and distributed denial of service (DDoS) attacks. All of these are a persistent challenge for the e-commerce industry, threatening online sales and customer satisfaction.
The barrage of attacks on retailers’ websites, applications and APIs, both throughout the calendar year and during the peak holiday shopping season, is an ongoing business risk for the retail industry, according to The State of Security Within eCommerce 2022, the latest Imperva report.
“The holiday shopping season is a critical period for the retail industry, and security threats could undermine retailers’ bottom lines again in 2022,” says Lynn Marks, senior product manager at Imperva. “This industry faces a variety of security risks, most of which are automated and operate around the clock. Retailers need a unified approach to stopping these persistent attacks, one that is focused on data protection and equipped to quickly mitigate attacks without disrupting shoppers.”
An Automated Adversary: Malicious Bots and Online Fraud Plague Retail Sites
In the last 12 months, nearly 40% of traffic to retail websites did not come from a human. Instead, it came from bots: operator-controlled software applications that execute automated tasks, often with malicious intent. In the retail industry, the infamous Grinch bot is known for hoarding inventory during the holiday shopping season, picking off high-demand items and making it difficult for consumers to buy gifts online.
Of all traffic to retail websites, almost a quarter (23.7%) was specifically attributed to malicious bots, malicious automation that contributes to online fraud. The proportion of advanced bots (scripts that use the latest evasion techniques to mimic human behavior and avoid detection) on retail sites grew from the previous year (from 23.4% to 31.1%). Advanced bots are a considerable challenge for organizations to stop without adequate defenses.
In 2021, bot-related attacks on retail sites grew 10% in October and another 34% in November, suggesting that bot operators ramp up nefarious efforts during peak holiday shopping periods.
Account Takeover (ATO) is another form of online fraud in which cybercriminals attempt to compromise online accounts through the use of stolen passwords and usernames. In 2021, 64.1% of ATO attacks used an advanced bad bot. Of all login attempts on retail websites, 22.6% were malicious, nearly double the volume seen on sites in other industries. Attackers used leaked credentials 94.7% of the time in credential stuffing attacks targeting retailers, compared to 69.6% of the time in other industries.
API abuse and attacks are on the rise, creating new challenges for retailers
APIs are the invisible connective tissue that allows applications to share data and invoke digital services. Analysis by Imperva Threat Research finds that API traffic accounts for 41.6% of all traffic to online retailers’ sites and applications.
Of that, 12% of traffic goes to endpoints, such as a database, where personal data (credentials, identification numbers, etc.) is stored. More concerning, 3-5% of API traffic goes to hidden or undocumented APIs, endpoints that security teams don’t know exist or no longer protect.
Exposed or vulnerable APIs are a significant threat to retailers because attackers can use the API as a way to exfiltrate customer data and payment information. API abuses are often carried out through automated attacks in which a botnet floods the API with unwanted traffic, looking for vulnerable applications and unprotected data.
In 2021, API attacks increased 35% between September and October, and then increased by another 22% in November on top of the high attack levels of the previous months. This finding suggests that bad actors ramp up their efforts during the holiday shopping season as more data is exchanged between the APIs and applications that power e-commerce services.
Watch out for downtime: DDoS attacks continue to threaten retailers
A Distributed Denial of Service (DDoS) attack is an automated threat that attempts to disrupt critical business operations by flooding the network or application infrastructure with malicious traffic. Attacks are often launched by a botnet, a group of compromised connected devices that are distributed across the Internet and operated by a single party.
Imperva Threat Research finds that DDoS attacks in 2022 are bigger and stronger across all industries. The number of recorded incidents greater than 100 Gbps doubled, and attacks greater than 500 Gbps/0.5 Tbps increased by 287%. Targets are also often attacked again within 24 hours. Imperva finds that 55% of websites affected by application layer DDoS and 80% of websites affected by network layer DDoS were attacked multiple times.
A DDoS attack is a constant threat to retailers. Downtime caused by a DDoS attack can lead to site outages, reputational damage, and lost revenue. DDoS is a critical threat to online retailers that rely on the performance and availability of applications to enable digital storefronts.