As the festive season approaches, it's apparent that cybercriminals are gearing up for Black Friday and Christmas, a favourite time of year to prey on retailers and consumers alike. A recent research study by cybersecurity firm Imperva warns that attackers are preparing to disrupt retailer websites, corner the market on popular items and steal shoppers' personal information.
The report found that automated attacks on application business logic, carried out by sophisticated bad bots, were the leading threat to online retailers. Retailers must brace themselves for so-called Grinch bots: scalping bots built to disrupt holiday sales events by buying up the most popular items, which are then resold at inflated prices.
Other significant risks include account takeover, distributed denial-of-service (DDoS) attacks, API abuse, and client-side attacks.
eCommerce is an easy target for malicious actors
The eCommerce industry remains a lucrative target for cybercriminals because of its vast network of API connections and third-party dependencies. Attackers are motivated to compromise user accounts for personal data and payment information, and a successful attack can lead to higher infrastructure and support costs, degraded online services and customer churn. Although these risks persist throughout the year, attacks often peak during the holiday shopping season, when online traffic is highest.
Karl Triebes, SVP and GM of Application Security at Imperva says, “The security risks that the retail industry faces are more sophisticated, automated, and harder to detect. The significant increase in bot sophistication over the past year should be a cause for concern.
“This breed of automation is harder to stop and capable of abusing business logic, attacking APIs, and taking over user accounts. For vulnerable retailers, this has the potential to impact their bottom line and undermine end-of-year sales.”
Business logic attacks on eCommerce sites
The most common attack on retail sites in the past year was exploitation of business logic: abusing the intended functionality and processes of an application or API (its pricing rules, limits and workflows) rather than a technical vulnerability in its code. In retail, attackers exploit business logic to manipulate pricing or to gain access to restricted products.
Business logic attacks accounted for 42.6% of attacks on retail sites in the past year, up from 26% the year before. This increase correlates with the growing volume of traffic to retail sites from APIs, which accounted for 45.8% of traffic in the past year, up from 41.6% the year before.
Most business logic attacks are automated and often target API connections. As reported in the 2023 Imperva Bad Bot Report, 17% of all attacks on APIs came from bad bots abusing business logic. Because each request is well-formed and uses the application as designed, there is no fixed attack signature to monitor for; no universal rule can be applied, and the security of each application and API deployment has to be assessed against its own logic.
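The pricing and restricted-product abuse described above comes down to a server that trusts fields the client controls. The following is an added example, not code from the Imperva report or any retailer: a deliberately flawed checkout that totals whatever price and quantity the client posted, beside a hardened version that recomputes the order from a server-side catalog and enforces availability and per-order limits. The catalog, SKUs, field names and limits are assumptions constructed for the example.

```python
from __future__ import annotations

from decimal import Decimal

# Constructed catalog for the example: the server's only trusted source of
# prices, availability and per-order limits (assumed schema, not a real shop).
CATALOG = {
    "GPU-4090":  {"price": Decimal("1599.00"), "stock": 12, "on_sale": True,  "per_order_limit": 1},
    "CONSOLE-X": {"price": Decimal("499.00"),  "stock": 40, "on_sale": True,  "per_order_limit": 2},
    "DROP-0001": {"price": Decimal("249.00"),  "stock": 5,  "on_sale": False, "per_order_limit": 1},
}


class OrderRejected(ValueError):
    """Raised when a cart fails server-side validation."""


def checkout_vulnerable(cart: list[dict]) -> Decimal:
    """Deliberately flawed: trusts the price and quantity the client sent and never
    consults the catalog. Every request is 'valid' JSON, but the outcome is not."""
    total = Decimal("0")
    for line in cart:
        total += Decimal(str(line["price"])) * line["qty"]
    return total


def checkout_hardened(cart: list[dict]) -> Decimal:
    """Recomputes the order from server-side state and enforces the business rules."""
    total = Decimal("0")
    seen: set[str] = set()
    for line in cart:
        sku = line.get("sku")
        item = CATALOG.get(sku)
        if item is None:
            raise OrderRejected(f"unknown sku {sku!r}")
        if not item["on_sale"]:
            raise OrderRejected(f"{sku} is not yet available for purchase")
        if sku in seen:  # one line per sku, so a limit cannot be split across lines
            raise OrderRejected(f"duplicate line for {sku}")
        seen.add(sku)
        qty = line.get("qty")
        if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
            raise OrderRejected(f"invalid quantity for {sku}")
        if qty > item["per_order_limit"]:
            raise OrderRejected(f"{sku} limited to {item['per_order_limit']} per order")
        if qty > item["stock"]:
            raise OrderRejected(f"insufficient stock for {sku}")
        # The client-supplied price is ignored; only the catalog price counts.
        total += item["price"] * qty
    return total


def hardened_outcome(cart: list[dict]) -> str:
    """Convenience wrapper: 'accepted <total>' or 'rejected: <reason>'."""
    try:
        return f"accepted {checkout_hardened(cart)}"
    except OrderRejected as exc:
        return f"rejected: {exc}"


# Constructed carts, as a client would POST them.
HONEST_CART = [
    {"sku": "GPU-4090", "qty": 1, "price": "1599.00"},
    {"sku": "CONSOLE-X", "qty": 2, "price": "499.00"},
]
PRICE_TAMPERED = [{"sku": "GPU-4090", "qty": 1, "price": "0.01"}]
NEGATIVE_QTY = [  # a negative line 'refunds' most of the order
    {"sku": "GPU-4090", "qty": 1, "price": "1599.00"},
    {"sku": "CONSOLE-X", "qty": -3, "price": "499.00"},
]
RESTRICTED_ITEM = [{"sku": "DROP-0001", "qty": 1, "price": "249.00"}]
SCALPER_QTY = [{"sku": "GPU-4090", "qty": 12, "price": "1599.00"}]

if __name__ == "__main__":
    for name, cart in [("honest", HONEST_CART), ("price tampered", PRICE_TAMPERED),
                       ("negative qty", NEGATIVE_QTY), ("restricted item", RESTRICTED_ITEM),
                       ("scalper qty", SCALPER_QTY)]:
        print(f"{name:15} vulnerable={str(checkout_vulnerable(cart)):>9}  hardened={hardened_outcome(cart)}")
```

Note that none of the abusive carts would trip a signature-based control: they are ordinary checkout requests. The only defence is to treat every client-supplied value as untrusted and rebuild the order from state the server owns, which is what the hardened function does.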
Other threats the report highlights:
- Sophisticated and dangerous bots, which make up more than 50% of automated traffic
- Account takeover (ATO), which increased 66% on Black Friday 2022
- Digital skimming, a silent but nefarious threat
- Application-layer DDoS attacks on retailers
- API attacks, as API connections are prime targets for exfiltrating data
Staying safe this festive season
Experts expect the number of attacks on online retailers to rise during the 2023 holiday shopping season. Just as shoppers need to be mindful of the risks of online shopping, retailers must stay vigilant.
To reduce cyber risk during the festive period, Imperva advises that organisations should:
- Prepare for high-traffic volume and distributed denial-of-service (DDoS) attacks.
- Prioritise client-side security, as well as the security of marketing and e-commerce campaigns, which are likely to be targeted by bots.
- Protect critical paths and website functionalities from bots seeking to abuse business logic.
- Protect APIs and mobile apps.
- Encourage good account credential hygiene.
- Stay ahead of scammers by monitoring for new threats and vulnerabilities.
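Two of the recommendations above, protecting critical paths from bots and defending accounts against takeover, can be backed by simple behavioural detection on the site's own logs. The following is an added example, not code from Imperva or any retailer: it reads a constructed JSON-lines application log and flags (a) credential stuffing, one IP trying many different usernames against the login endpoint inside a short window, and (b) a scalper burst, one IP hammering add-to-cart for a single SKU across many accounts. The log format, endpoint paths and thresholds are assumptions for the example and would need tuning to real traffic.

```python
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime

# Detection thresholds: assumptions for the example, tune to the site's real traffic.
WINDOW_SECONDS = 60
LOGIN_ATTEMPTS = 5        # POST /api/login attempts from one IP inside the window...
LOGIN_DISTINCT_USERS = 4  # ...spread over at least this many different accounts
CART_HITS = 6             # add-to-cart requests for one SKU from one IP inside the window

# Constructed JSON-lines application log (not real traffic); field names are assumptions.
SAMPLE_LOG = """\
{"ts":"2023-11-24T08:00:01Z","ip":"203.0.113.7","method":"POST","path":"/api/login","user":"amy","status":401}
{"ts":"2023-11-24T08:00:03Z","ip":"203.0.113.7","method":"POST","path":"/api/login","user":"bob","status":401}
{"ts":"2023-11-24T08:00:04Z","ip":"203.0.113.7","method":"POST","path":"/api/login","user":"cara","status":401}
{"ts":"2023-11-24T08:00:06Z","ip":"203.0.113.7","method":"POST","path":"/api/login","user":"dan","status":401}
{"ts":"2023-11-24T08:00:07Z","ip":"203.0.113.7","method":"POST","path":"/api/login","user":"eve","status":200}
{"ts":"2023-11-24T08:00:09Z","ip":"203.0.113.7","method":"POST","path":"/api/login","user":"fay","status":401}
{"ts":"2023-11-24T08:01:00Z","ip":"198.51.100.9","method":"POST","path":"/api/login","user":"greg","status":401}
{"ts":"2023-11-24T08:01:10Z","ip":"198.51.100.9","method":"POST","path":"/api/login","user":"greg","status":401}
{"ts":"2023-11-24T08:01:25Z","ip":"198.51.100.9","method":"POST","path":"/api/login","user":"greg","status":200}
{"ts":"2023-11-24T09:00:00Z","ip":"192.0.2.50","method":"POST","path":"/api/cart","user":"acct01","sku":"GPU-4090","status":200}
{"ts":"2023-11-24T09:00:01Z","ip":"192.0.2.50","method":"POST","path":"/api/cart","user":"acct02","sku":"GPU-4090","status":200}
{"ts":"2023-11-24T09:00:01Z","ip":"192.0.2.50","method":"POST","path":"/api/cart","user":"acct03","sku":"GPU-4090","status":200}
{"ts":"2023-11-24T09:00:02Z","ip":"192.0.2.50","method":"POST","path":"/api/cart","user":"acct04","sku":"GPU-4090","status":200}
{"ts":"2023-11-24T09:00:03Z","ip":"192.0.2.50","method":"POST","path":"/api/cart","user":"acct05","sku":"GPU-4090","status":200}
{"ts":"2023-11-24T09:00:03Z","ip":"192.0.2.50","method":"POST","path":"/api/cart","user":"acct06","sku":"GPU-4090","status":200}
{"ts":"2023-11-24T09:00:05Z","ip":"192.0.2.51","method":"POST","path":"/api/cart","user":"holly","sku":"GPU-4090","status":200}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into dicts, converting 'ts' to an aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def _densest_window(events: list[dict], window: int) -> list[dict]:
    """Return the slice of events (sorted by ts) holding the most events within `window` seconds."""
    events = sorted(events, key=lambda e: e["ts"])
    best: list[dict] = []
    j = 0
    for i in range(len(events)):
        while j < len(events) and (events[j]["ts"] - events[i]["ts"]).total_seconds() <= window:
            j += 1
        if j - i > len(best):
            best = events[i:j]
    return best


def detect(log_text: str) -> list[dict]:
    """Run both rules over the log and return one finding per offending IP (and SKU)."""
    logins: dict[str, list[dict]] = defaultdict(list)
    carts: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for e in parse_events(log_text):
        if e["method"] == "POST" and e["path"] == "/api/login":
            logins[e["ip"]].append(e)
        elif e["method"] == "POST" and e["path"] == "/api/cart" and "sku" in e:
            carts[(e["ip"], e["sku"])].append(e)

    findings = []
    for ip, evs in logins.items():
        burst = _densest_window(evs, WINDOW_SECONDS)
        users = {e["user"] for e in burst}
        # Many attempts alone is a lockout or a forgetful user; many *accounts* is stuffing.
        if len(burst) >= LOGIN_ATTEMPTS and len(users) >= LOGIN_DISTINCT_USERS:
            findings.append({"rule": "credential_stuffing", "ip": ip, "attempts": len(burst),
                             "distinct_users": len(users), "first_seen": burst[0]["ts"].isoformat()})
    for (ip, sku), evs in carts.items():
        burst = _densest_window(evs, WINDOW_SECONDS)
        if len(burst) >= CART_HITS:
            findings.append({"rule": "scalper_burst", "ip": ip, "sku": sku, "hits": len(burst),
                             "accounts": len({e["user"] for e in burst}),
                             "first_seen": burst[0]["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

In the sample, 203.0.113.7 is flagged for six login attempts against six different accounts in eight seconds, including the one that succeeded (the account that should be forced through step-up authentication), while 198.51.100.9 is left alone because it is one user retrying their own password. The scalper rule keys on the SKU as well as the IP, so a burst of add-to-cart calls for one hot item from many freshly created accounts stands out even though each request on its own is legitimate.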
BizClik is a global provider of B2B digital media platforms that cover Executive Communities for CEOs, CFOs, CMOs, Sustainability leaders, Procurement & Supply Chain leaders, Technology & AI leaders, Cyber leaders, FinTech & InsurTech leaders as well as covering industries such as Manufacturing, Mining, Energy, EV, Construction, Healthcare and Food.